Windows XP "Anti-" Virus 2012

[m4rek]

Ooook,

I've got a computer to take care of here and it's acquired yet another of our new favourite malware. It's the fake Windows AV 2012 suite. In this case, Windows XP.

I was able to access Avast before accidentally killing power, and on boot, our malware prevents various programs from running. That's from AV to installers to paint.exe

The process that gets launched instead, our malware, is hdd.exe

hdd.exe can be killed with task manager, but that just gives us some peace and quiet to work, nothing more.

Some users have had success by going into safemode, but the issue persists there.

I'm going to try breaking out the linux live cd, unless anyone has any other ideas.

> Since MBAM, or anything else for that matter, will not run, I have no logs to provide.

[LDTate]

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

Lets try this:

Restart in Safe Mode.

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Open the C: drive.

Open Documents and Settings

Open All Users.

Open Application Data Folder.

Do you see any weird file/folder?

[m4rek]

Hi there.

My situation has changed somewhat since my last post, but due to the 48 hour don't post request, I hadn't posted an update.

I neglected to boot into safe mode for this...

Attempted to scan with Bitdefender online scan: Error - Unable to scan

Tried ESET and that worked. Logs from that:

C:\Documents and Settings\Pavel\Local Settings\Application Data\hdd.exe a variant of Win32/Kryptik.PFE trojan cleaned by deleting - quarantined

C:\Documents and Settings\Pavel\Local Settings\Temporary Internet Files\Content.IE5\0USQYAYH\8365b[1].pdf JS/Exploit.Pdfka.OXB.Gen trojan cleaned by deleting - quarantined

C:\Documents and Settings\Pavel\Local Settings\Temporary Internet Files\Content.IE5\9WS2VYVT\index[1].htm JS/Kryptik.AW.Gen trojan cleaned by deleting - quarantined

C:\Documents and Settings\Pavel\Local Settings\Temporary Internet Files\Content.IE5\RI1AZOT2\45f3a218[1].htm JS/TrojanClicker.FBVid.A.Gen trojan cleaned by deleting - quarantined

I believe the first is the one we'd be looking for in app data. Since this freed up my computer, I took the opportunity to run MBAM:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6911

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

21/06/2011 20:29:06

mbam-log-2011-06-21 (20-29-06).txt

Scan type: Quick scan

Objects scanned: 179237

Time elapsed: 21 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 25

Files Infected: 237

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

c:\program files\internet saving optimizer (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500 (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\Data (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\chrome (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\chrome\content (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\components (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900 (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\Data (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\chrome (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\chrome\content (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\components (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500 (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900 (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2} (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\Data (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Cache (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Skins (Adware.DoubleD) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\productinfo.dll (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\unins000.dat (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\Data\config.md (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\install.rdf (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\chrome\NPAddOn.jar (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\chrome\content\NPAddOn.js (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\chrome\content\NPAddOn.xul (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\components\npffaddon.xpt (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\internet saving optimizer\3.6.3.4500\FF\components\npffhelpercomponent.js (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\unins000.dat (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\Data\config.md (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\install.rdf (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\chrome\HPAddOn.jar (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\chrome\content\HPAddOn.js (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\chrome\content\HPAddOn.xul (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\components\hpffaddon.xpt (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\program files\media access startup\1.5.5.900\FF\components\hpffhelpercomponent.js (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\config.md (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\ipdata.md (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090817-035320.234.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090817-124016.937.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090817-152733.234.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090817-152957.140.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090817-185220.718.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090818-100533.343.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090818-100533.359.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090818-100533.375.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090818-115633.796.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090818-192701.093.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090818-192701.109.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090818-192701.125.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090819-014102.406.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090819-122334.718.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090819-122745.312.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090819-232604.265.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090820-212826.218.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090820-214913.203.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090820-223325.500.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090821-093842.343.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090821-104234.890.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090821-130504.312.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090821-133413.375.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090821-133442.093.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090821-133442.109.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090821-161836.593.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090822-054756.500.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090822-224124.937.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090816-121550.937.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090816-171829.140.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090816-222149.437.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090817-015223.890.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090822-225131.984.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090822-230700.531.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090822-230717.578.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-122640.843.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-124033.984.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-124034.000.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-124034.046.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-124633.218.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-132258.718.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-132258.781.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-132259.000.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-132259.328.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-134853.437.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-135741.093.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090817-035307.843.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090819-122523.203.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090822-225131.953.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-172917.203.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-212951.156.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-230601.078.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-230601.109.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-230609.218.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-234452.250.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090823-234506.546.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090824-002339.296.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090824-003318.796.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090824-003318.828.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090824-003319.140.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090824-125111.296.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\np_20090825-031941.125.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\internet saving optimizer\3.6.3.4500\rstatus.md (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\config.md (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090817-015223.546.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090817-035307.718.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090817-035320.171.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090817-124013.187.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090817-152733.171.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090817-152957.093.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090817-185219.593.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090818-100529.578.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090818-115633.625.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090818-192655.156.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090818-192657.515.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090818-192657.656.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090818-192657.671.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090819-014102.046.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090819-122330.500.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090819-122330.656.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090819-122512.515.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090819-122745.093.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090819-232603.984.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090820-212823.343.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090820-214903.078.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090820-223325.359.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090821-093841.203.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090821-104234.734.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090821-130503.906.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090821-133413.109.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090816-121459.531.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090816-121548.968.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090816-171828.781.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090816-171828.921.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090816-222149.156.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090818-192657.796.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090821-133442.046.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-124033.984.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090821-133442.062.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090821-161835.984.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090822-054756.250.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090822-224123.453.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090822-225131.093.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090822-225131.187.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090822-230700.031.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090822-230717.515.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-122640.234.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-124033.687.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-124033.703.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-124033.718.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-124033.812.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-124633.171.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-132258.546.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-132258.593.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-132258.781.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-132258.984.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-134852.484.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-135740.968.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-135740.984.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-172917.125.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-212950.187.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-230559.687.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-230559.812.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-230609.187.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-234452.046.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090823-234506.500.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090824-002336.843.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090824-003318.609.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090824-003318.625.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090824-003318.640.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090824-003319.093.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090824-125110.875.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\application data\media access startup\1.5.5.900\hjhp_20090825-031938.671.log (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\bg.jpg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\currentversion.xml (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\extractzipfile.zip (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\icon.ico (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\tdf.dat (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\Data\productinfo.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Cache\248d6576afce4ee94af42d7350131106.gif (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Cache\24a70fb875fab686b6b3c217612bc07c.gif (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Cache\2afcf6f3f2e19cc42d7f72f3b18b26ef.gif (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Cache\50bffa6936b3e661971a58e3c8bdf4cb.gif (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Cache\default1.dat (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Cache\loading.dat (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Cache\loading.gif (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_screensaver.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_cursor.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_dailyvideo.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_game.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_glitter.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_logo.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_option.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_recipe.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_ringtone.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_search.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_smiley.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_smiley_config.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_smiley_tellafriend.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_wallpaper.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\module_web.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\pixel.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\productinfo.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\profile.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\searchenginelist.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\tbcore.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\toolbarlayout.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\updatecentre.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\updatecentrebk.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\urldynamic.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Data\urlstatic.mx (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_recipe.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\About.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\component_combobox.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_cursor.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_cursor.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_dailyvideo.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_game.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_glitter.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_glitter.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_logo.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_option.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_ringtone.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_screensaver.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_search.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_smiley.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_smiley.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_wallpaper.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\module_web.mg (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtndefault.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtndisplay.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtndisplay.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtndisplay18.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtndisplay20.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnglitters.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnglitters.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnglitters18.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnglitters20.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnoption.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnsmiley.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnsmiley.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnsmiley18.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnsmiley20.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtntellfd.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtntellfd.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtntellfd18.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtntellfd20.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnwink.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnwink.png (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnwink18.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Icons\tbbtnwink20.bmp (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Skins\myskin1.skf (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Skins\myskin2.skf (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Skins\myskin3.skf (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Skins\myskin4.skf (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Skins\tellafriendskin.skf (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Skins\tellafriendskin_s.skf (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\documents and settings\Pavel\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\TDF\Skins\toastskin.skf (Adware.DoubleD) -> Quarantined and deleted successfully.

Restart required, performed.

After this I registered Avast and updated the database (someone had been neglecting it) and ran a quick scan. One infected file, quarantined. Unfortunately this didn't generate a log file, and a thorough scan is currently running so I can't tell you what that was. Thorough scan also picked up and quarantined an infected item.

All in all things appear to be working, but I've yet to check all the programs - I intend to finish scanning first, and see if you guys can spot anything amiss.

As I noticed in the other threads about the same virus, cleaning it usually results in everything going dead. If this hasn't happened here, I assume something is wrong. ^^

[LDTate]

Good job...

I'd run another MBAM scan and make sure it doesn't find anything.

[LDTate]

BTW, it's usually best to run in Normal Mode

[m4rek]

The thorough scan has finished with only one infected file found, but the logs contain a lot of unable to scan: file locked / passworded etc. Ran MBAM again.

Avast's quick scan picked up:

Win32:Rootkit-gen [Rtk]

in C:\System Volume Information\_restore{...

Thorough Scan Logs: (Not actually going to post the lot unless requested)

C:\Documents and Settings\Pavel\Local Settings\Temp\Acr24.tmp [L] JS:Pdfka-gen [Expl] (0)

File was successfully moved to chest...

(the rest of the logs consist of [E] Archive is password protected. (42056))

MBAM reports clean.

A few issues floating around:

Windows Security Center reports auto-update is disabled. Unable to re-enable. Go to Control Panel and enable manually.

Control Panel reports it is enabled.

(Probably something to do with the registry keys that got nuked...)

The only other thing I've encountered so far that didn't work was Start>Internet

Which reported that the file it was supposed to launch is non-existent... Not quite sure what's up with that. Launching IE directly works.

[LDTate]

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

[m4rek]

ATF cleaner took a while, thought it died. Nope, just 2 gig of temp files...

Goored apparently found nothing.

TDSSKiller seems to show the same story...

2011/06/22 12:55:00.0609 0280 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15

2011/06/22 12:55:01.0015 0280 ================================================================================

2011/06/22 12:55:01.0015 0280 SystemInfo:

2011/06/22 12:55:01.0015 0280

2011/06/22 12:55:01.0015 0280 OS Version: 5.1.2600 ServicePack: 3.0

2011/06/22 12:55:01.0015 0280 Product type: Workstation

2011/06/22 12:55:01.0015 0280 ComputerName: YOUR-535327FB2D

2011/06/22 12:55:01.0015 0280 UserName: Pavel

2011/06/22 12:55:01.0015 0280 Windows directory: C:\WINDOWS

2011/06/22 12:55:01.0015 0280 System windows directory: C:\WINDOWS

2011/06/22 12:55:01.0015 0280 Processor architecture: Intel x86

2011/06/22 12:55:01.0015 0280 Number of processors: 2

2011/06/22 12:55:01.0015 0280 Page size: 0x1000

2011/06/22 12:55:01.0015 0280 Boot type: Normal boot

2011/06/22 12:55:01.0015 0280 ================================================================================

2011/06/22 12:55:03.0031 0280 Initialize success

2011/06/22 12:55:11.0390 0536 ================================================================================

2011/06/22 12:55:11.0390 0536 Scan started

2011/06/22 12:55:11.0390 0536 Mode: Manual;

2011/06/22 12:55:11.0390 0536 ================================================================================

2011/06/22 12:55:12.0765 0536 Aavmker4 (2ccfa74242741ca22a4267cce9b586f4) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/06/22 12:55:12.0984 0536 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2011/06/22 12:55:13.0031 0536 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/06/22 12:55:13.0203 0536 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/06/22 12:55:13.0390 0536 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2011/06/22 12:55:13.0593 0536 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/06/22 12:55:13.0765 0536 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys

2011/06/22 12:55:13.0937 0536 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/06/22 12:55:13.0984 0536 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2011/06/22 12:55:14.0140 0536 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2011/06/22 12:55:14.0187 0536 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2011/06/22 12:55:14.0218 0536 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2011/06/22 12:55:14.0390 0536 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2011/06/22 12:55:14.0546 0536 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2011/06/22 12:55:14.0671 0536 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2011/06/22 12:55:14.0796 0536 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2011/06/22 12:55:14.0921 0536 AR5523 (92637b97f57c1669d521a54482c4579c) C:\WINDOWS\system32\DRIVERS\WG11TND5.sys

2011/06/22 12:55:15.0140 0536 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/06/22 12:55:15.0203 0536 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2011/06/22 12:55:15.0375 0536 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2011/06/22 12:55:15.0421 0536 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2011/06/22 12:55:15.0625 0536 aswFsBlk (b4079a98f294a3e262872cb76f4849f0) C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys

2011/06/22 12:55:15.0796 0536 aswMon2 (dbee7b5ecb50fc2cf9323f52cbf41141) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/06/22 12:55:15.0968 0536 aswRdr (8080d683489c99cbace813f6fa4069cc) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/06/22 12:55:16.0046 0536 aswSP (2e5a2ad5004b55df39b7606130a88142) C:\WINDOWS\system32\drivers\aswSP.sys

2011/06/22 12:55:16.0218 0536 aswTdi (d4c83a37efadfa2c398362e0776e3773) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/06/22 12:55:16.0375 0536 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/06/22 12:55:16.0531 0536 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/06/22 12:55:16.0921 0536 ati2mtag (9cf018b4d7a31f7ae0bd386d491e6dbf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/06/22 12:55:17.0156 0536 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/06/22 12:55:17.0328 0536 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/06/22 12:55:17.0421 0536 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/06/22 12:55:17.0578 0536 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS

2011/06/22 12:55:17.0734 0536 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2011/06/22 12:55:17.0796 0536 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/06/22 12:55:17.0937 0536 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2011/06/22 12:55:18.0031 0536 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/06/22 12:55:18.0156 0536 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/06/22 12:55:18.0250 0536 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/06/22 12:55:18.0484 0536 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2011/06/22 12:55:18.0687 0536 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2011/06/22 12:55:18.0875 0536 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2011/06/22 12:55:19.0046 0536 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2011/06/22 12:55:19.0093 0536 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/06/22 12:55:19.0328 0536 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/06/22 12:55:19.0531 0536 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/06/22 12:55:19.0687 0536 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/06/22 12:55:19.0765 0536 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/06/22 12:55:19.0953 0536 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2011/06/22 12:55:20.0000 0536 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/06/22 12:55:20.0406 0536 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/06/22 12:55:20.0593 0536 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/06/22 12:55:20.0671 0536 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/06/22 12:55:20.0875 0536 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/06/22 12:55:20.0937 0536 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/06/22 12:55:21.0109 0536 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/06/22 12:55:21.0156 0536 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/06/22 12:55:21.0375 0536 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/06/22 12:55:21.0609 0536 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/06/22 12:55:21.0671 0536 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/06/22 12:55:21.0875 0536 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2011/06/22 12:55:21.0937 0536 HSFHWBS2 (f3e718604c5a8a28003280d861d96c19) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

2011/06/22 12:55:22.0140 0536 HSF_DPV (4290713b7c3289ef87ee5ca474b21221) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2011/06/22 12:55:22.0343 0536 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/06/22 12:55:22.0593 0536 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2011/06/22 12:55:22.0671 0536 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2011/06/22 12:55:22.0843 0536 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/06/22 12:55:22.0937 0536 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\IASTOR.SYS

2011/06/22 12:55:23.0140 0536 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/06/22 12:55:23.0218 0536 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2011/06/22 12:55:23.0593 0536 IntcAzAudAddService (6d6b57808c923a4d79cc8f47307753c9) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2011/06/22 12:55:23.0875 0536 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/06/22 12:55:23.0937 0536 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/06/22 12:55:24.0093 0536 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/06/22 12:55:24.0171 0536 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/06/22 12:55:24.0343 0536 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/06/22 12:55:24.0515 0536 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/06/22 12:55:24.0687 0536 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/06/22 12:55:24.0875 0536 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/06/22 12:55:25.0031 0536 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/06/22 12:55:25.0109 0536 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/06/22 12:55:25.0296 0536 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/06/22 12:55:25.0390 0536 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/06/22 12:55:25.0562 0536 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/06/22 12:55:25.0843 0536 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/06/22 12:55:25.0921 0536 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

2011/06/22 12:55:26.0093 0536 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/06/22 12:55:26.0156 0536 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/06/22 12:55:26.0328 0536 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/06/22 12:55:26.0531 0536 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/06/22 12:55:26.0703 0536 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/06/22 12:55:26.0765 0536 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2011/06/22 12:55:26.0937 0536 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/06/22 12:55:27.0125 0536 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/06/22 12:55:27.0328 0536 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/06/22 12:55:27.0390 0536 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/06/22 12:55:27.0578 0536 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/06/22 12:55:27.0625 0536 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/06/22 12:55:27.0781 0536 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/06/22 12:55:27.0843 0536 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

2011/06/22 12:55:28.0031 0536 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/06/22 12:55:28.0203 0536 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/06/22 12:55:28.0250 0536 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/06/22 12:55:28.0437 0536 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/06/22 12:55:28.0578 0536 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/06/22 12:55:28.0718 0536 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/06/22 12:55:28.0843 0536 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/06/22 12:55:29.0046 0536 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/06/22 12:55:29.0125 0536 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/06/22 12:55:29.0312 0536 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/06/22 12:55:29.0531 0536 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/06/22 12:55:29.0640 0536 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/06/22 12:55:29.0843 0536 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/06/22 12:55:29.0906 0536 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/06/22 12:55:30.0062 0536 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/06/22 12:55:30.0171 0536 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/06/22 12:55:30.0312 0536 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/06/22 12:55:30.0484 0536 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/06/22 12:55:30.0671 0536 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/06/22 12:55:30.0937 0536 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/06/22 12:55:31.0109 0536 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/06/22 12:55:31.0546 0536 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2011/06/22 12:55:31.0609 0536 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2011/06/22 12:55:31.0796 0536 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/06/22 12:55:31.0984 0536 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/06/22 12:55:32.0140 0536 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/06/22 12:55:32.0203 0536 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/06/22 12:55:32.0390 0536 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2011/06/22 12:55:32.0437 0536 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2011/06/22 12:55:32.0468 0536 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2011/06/22 12:55:32.0515 0536 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2011/06/22 12:55:32.0546 0536 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2011/06/22 12:55:32.0718 0536 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/06/22 12:55:32.0796 0536 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/06/22 12:55:32.0968 0536 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/06/22 12:55:33.0031 0536 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/06/22 12:55:33.0203 0536 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/06/22 12:55:33.0375 0536 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/06/22 12:55:33.0562 0536 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/06/22 12:55:33.0734 0536 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/06/22 12:55:33.0937 0536 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/06/22 12:55:34.0140 0536 RTL8023xp (8e34400ffc7d647946d9c820678775af) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

2011/06/22 12:55:34.0203 0536 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/06/22 12:55:34.0609 0536 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/06/22 12:55:35.0078 0536 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/06/22 12:55:35.0375 0536 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/06/22 12:55:35.0609 0536 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/06/22 12:55:36.0250 0536 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2011/06/22 12:55:36.0687 0536 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS

2011/06/22 12:55:37.0093 0536 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2011/06/22 12:55:37.0468 0536 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/06/22 12:55:37.0859 0536 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/06/22 12:55:38.0375 0536 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/06/22 12:55:38.0843 0536 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/06/22 12:55:39.0218 0536 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/06/22 12:55:39.0671 0536 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2011/06/22 12:55:40.0093 0536 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2011/06/22 12:55:40.0546 0536 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2011/06/22 12:55:40.0921 0536 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2011/06/22 12:55:41.0312 0536 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/06/22 12:55:41.0546 0536 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/06/22 12:55:41.0750 0536 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/06/22 12:55:41.0921 0536 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/06/22 12:55:42.0078 0536 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/06/22 12:55:42.0312 0536 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2011/06/22 12:55:42.0500 0536 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/06/22 12:55:42.0671 0536 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2011/06/22 12:55:42.0859 0536 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/06/22 12:55:43.0062 0536 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/06/22 12:55:43.0234 0536 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/06/22 12:55:43.0406 0536 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/06/22 12:55:43.0578 0536 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/06/22 12:55:43.0750 0536 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/06/22 12:55:43.0921 0536 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/06/22 12:55:44.0375 0536 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/06/22 12:55:44.0796 0536 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/06/22 12:55:45.0062 0536 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2011/06/22 12:55:45.0203 0536 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/06/22 12:55:45.0296 0536 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/06/22 12:55:45.0500 0536 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/06/22 12:55:45.0625 0536 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/06/22 12:55:45.0843 0536 winachsf (cb2dc26de2c815fc2309566f92d22ed4) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/06/22 12:55:46.0156 0536 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/06/22 12:55:46.0343 0536 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/06/22 12:55:46.0437 0536 MBR (0x1B8) (b20939cd98b7710036274839082ae757) \Device\Harddisk0\DR0

2011/06/22 12:55:46.0437 0536 ================================================================================

2011/06/22 12:55:46.0437 0536 Scan finished

2011/06/22 12:55:46.0453 0536 ================================================================================

2011/06/22 12:55:46.0468 1720 Detected object count: 0

2011/06/22 12:55:46.0468 1720 Actual detected object count: 0

[LDTate]

No RootKit.

How's it running?

We can run combofix if you like.

[LDTate]

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
• Double click on ComboFix.exe & follow the prompts.
  Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  Note: If you have XP SP3, use the XP SP2 package.
  If Vista or Windows 7, skip the Recovery Console part
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

[m4rek]

Appears to be running fine. Security Center and Control Panel still showing conflicting information... can we fix that or just ignore it?

As far as I can tell, all (most) is in order, and the scans seem to agree.

[LDTate]

You can try a Google search for that issue.

[m4rek]

Apologies for the late response; I hadn't noticed your CF post.

CF required a reboot, after which the on-access protection was auto-enabled; don't know if that could cause an issue with CF. I assume only the log generation took place at this point but I wouldn'tknow for sure.

Here are the logs:

ComboFix 11-06-22.01 - Pavel 22/06/2011 17:40:57.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.383.60 [GMT 1:00]

Running from: c:\documents and settings\Pavel\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 110622-0] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Application Data\547eq3ocsl3hy386t8e2jfnolihd7c85p8h837815

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Pavel\Local Settings\Application Data\547eq3ocsl3hy386t8e2jfnolihd7c85p8h837815

c:\documents and settings\Pavel\Local Settings\Temporary Internet Files\_tmB.tmp

c:\documents and settings\Pavel\Local Settings\Temporary Internet Files\_tmC.tmp

c:\documents and settings\Pavel\Local Settings\Temporary Internet Files\_tmE.tmp

c:\documents and settings\Pavel\Local Settings\Temporary Internet Files\_tmF.tmp

c:\documents and settings\Pavel\Local Settings\Temporary Internet Files\stb06759.tmp

c:\documents and settings\Pavel\Templates\547eq3ocsl3hy386t8e2jfnolihd7c85p8h837815

c:\documents and settings\Pavel\WINDOWS

c:\program files\Fast Browser Search

c:\program files\SGPSA

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\Update.bat

D:\Autorun.inf

.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))

.

.

2011-06-21 19:06 . 2011-06-21 19:06 -------- d-----w- c:\documents and settings\Pavel\Application Data\Malwarebytes

2011-06-21 19:05 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-21 19:05 . 2011-06-21 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-21 19:05 . 2011-05-29 08:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-21 19:05 . 2011-06-21 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-21 17:17 . 2011-06-21 17:17 -------- d-----w- c:\program files\ESET

2011-06-21 17:03 . 2011-06-21 17:09 -------- d-----w- c:\windows\BDOSCAN8

2011-06-15 23:49 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-14 09:37 . 2011-06-14 09:40 -------- d-----w- c:\program files\ICQ7.5

2011-06-14 09:35 . 2011-06-15 00:05 -------- d-----w- c:\program files\ICQ6Toolbar

2011-06-14 09:34 . 2011-06-14 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ICQ

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-02 15:31 . 2009-02-28 01:22 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2009-02-28 01:24 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2009-02-28 01:27 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2009-02-28 01:24 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2009-02-28 01:22 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2009-02-28 01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2009-02-28 01:25 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"ICQ"="c:\program files\ICQ7.5\ICQ.exe" [2011-06-14 124216]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-11 16267776]

"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-14 344064]

"CHotkey"="zHotkey.exe" [2004-12-08 550912]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-25 202256]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\ICQ7.5\\ICQ.exe"=

.

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 136176]

R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 136176]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]

S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2010-11-21 247608]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 13:29]

.

2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 13:29]

.

2011-06-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1433994217-3981827411-2528831835-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

.

2011-06-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1433994217-3981827411-2528831835-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/firefox

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe

TCP: DhcpNameServer = 10.0.1.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-22 17:59

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(592)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(1864)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\RTHDCPL.EXE

c:\windows\zHotkey.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2011-06-22 18:19:50 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-22 17:19

.

Pre-Run: 3,923,435,520 bytes free

Post-Run: 4,510,781,440 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - B6055B3C44FDFF8DF53E7194A183BB12

Appears to have fixed the security center conflict, and may have fixedthe internet issue.

Will run a few scans in the meantime; just in case...

[LDTate]

That looks really good now.

Be sure to uninstall CF.

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

• Click START run
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
  

For Vista / Windows 7

• Click START Search
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
  

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK
  

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
     
  2. Click once on the Security tab
     
  3. Click once on the Internet icon so it becomes highlighted.
     
  4. Click once on the Custom Level button.
     
  5. Change the Download signed ActiveX controls to Prompt
     
  6. Change the Download unsigned ActiveX controls to Disable
     
  7. Change the Initialize and script ActiveX controls not marked as safe to Disable
     
  8. Change the Installation of desktop items to Prompt
     
  9. Change the Launching programs and files in an IFRAME to Prompt
     
  10. Change the Navigate sub-frames across different domains to Prompt
      
  11. When all these settings have been made, click on the OK button.
      
  12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      
  13. Next press the Apply button and then the OK to exit the Internet Properties page.
      

  [*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week

  (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.

  Without a firewall your computer is succeptible to being hacked and taken over.

  I am very serious about this and see it happen almost every day with my clients.

  Simply using a Firewall in its default configuration can lower your risk greatly.

  [*]Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.

[m4rek]

All clean!

Woop =D

Thank you for your time and assistance.

Just a few closing questions about securing the computer now that it's all nice and clean...

I've upgraded the computer to Firefox 5.0, and the M86 plugin is not compatible with that at this time. Do you have a similar, compatible, plugin you could recommend?

If not I can search for another, or wait for an update (if one is likely)...

I've installed the ZoneAlarm Firewall, and it appears to be functioning correctly (that is to say, there isn't smoke billowing out of the back of the machine). The computer is connected to a wireless router by cable, and the network does not currently have any file or printer sharing to speak of. Should I set the firewall to Internet zone for this? (Currently set to trusted zone)

I believe that's everything. Thanks again for helping me out, and feel free to close and archive the thread at your leisure.

Regards,

m4

[LDTate]

I've upgraded the computer to Firefox 5.0, and the M86 plugin is not compatible with that at this time. Do you have a similar, compatible, plugin you could recommend?

If not I can search for another, or wait for an update (if one is likely)...

I can't think of any

I've installed the ZoneAlarm Firewall, and it appears to be functioning correctly (that is to say, there isn't smoke billowing out of the back of the machine). The computer is connected to a wireless router by cable, and the network does not currently have any file or printer sharing to speak of. Should I set the firewall to Internet zone for this? (Currently set to trusted zone)

I'd leave it at trusted

[m4rek]

Ok, thank you.

Thanks again for your time and assistance.

[LDTate]

You're more than welcome.

Glad we were able to help

Peace be with you

[LDTate]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.