Can't Clean Vundo (awvvw.dll)


19 replies to this topic

#1 ladylei

ladylei

  • Members
  • 23 posts

Posted 29 December 2007 - 07:41 PM

I would greatly appreciate any help. I am trying to help out one of my bosses by cleaning up his PC that was infected with a bunch of spyware and some viruses. Something had completely shut down his Norton antivirus. With the help of AdAware 6, Spyware Doctor Free and AntiVir Antivirus Free Edition, I have it running well and pretty clean, but I can't get rid of a Vundo infection, awvvw.dll in C:\Windows\System32. After searching this site and the net, I ran Vundo.exe from Atribune.org but it hasn't been successful either. It did remove the awvvw.exe and the wvvwa.ini file from the same folder, but the .exe file comes back. Awvvw.exe is also located in the msconfig startup, but I think I finally have it where it isn't rechecking itself after reboot.

The system seems to be running normally, but any kind of scan causes AntiVir to flag the awvvw.exe file as TR/Drop.Agent.dgo.21 and Spyware Doctor shows it as Trojan.Virtumonde (11 infections). I was trying to get this thing clean without any help, but that didn't work. Thanks in advance.

Below is a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:15 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\MP4 Player\mp4Player.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask .exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\MP4 Player\mp4Player .exe
C:\Program Files\Micro Innovations\Optical Scroll\mouse32a .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Digital Media Reader\shwiconem .exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA .EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Microsoft Location Finder\LocationFinder .exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paradisepoker.com/promotions/20...liday_seat.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {E9D7C71B-CE7E-4439-A629-DCD2CB4895AE} - C:\WINDOWS\system32\awvvw.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P39 "EPSON Stylus Photo R320 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8351 bytes
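As an added example (not a tool from this thread or from BleepingComputer), a small Python triage script that pulls out the three things worth noticing in the log above: process paths with a space before the extension (the "mmtask .exe" twins in the Running processes list), the unnamed O2 BHO loading from system32, and O23 services whose binary is missing. The sample log is constructed from lines copied out of the posted log; the function names are my own.

```python
"""Triage helpers for HijackThis v2 log lines (added example, not a forum tool)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the HijackThis log posted above.
# iTunesHelper and mmtask appear both with and without the space before the
# extension; the EPSON spooler binary appears only in its spaced form here.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA .EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E9D7C71B-CE7E-4439-A629-DCD2CB4895AE} - C:\WINDOWS\system32\awvvw.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A path whose last component has a space right before its extension,
# e.g. "mmtask .exe": a renamed copy sitting next to the real program.
SPACED_EXT = re.compile(r"^(?P<stem>.*\\[^\\]+?) \.(?P<ext>[A-Za-z0-9]{1,4})$")

# O2 line: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# O23 line whose binary HijackThis could not find on disk.
SERVICE_MISSING = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?) \(file missing\)$")


def find_spaced_extensions(log: str) -> List[Tuple[str, str, bool]]:
    """Return (spaced_path, normal_path, normal_also_listed) for every path
    that carries a space before its extension. The third field tells whether
    the clean twin (same path without the space) is also present in the log."""
    lines = [ln.strip() for ln in log.splitlines()]
    all_paths = {ln.lower() for ln in lines if ln.lower().startswith("c:\\")}
    hits: List[Tuple[str, str, bool]] = []
    for ln in lines:
        m = SPACED_EXT.match(ln)
        if not m:
            continue
        normal = f"{m['stem']}.{m['ext']}"
        hits.append((ln, normal, normal.lower() in all_paths))
    return hits


def find_unnamed_bhos(log: str) -> List[Dict[str, str]]:
    """O2 entries with no registered name whose DLL lives under system32:
    the shape of the awvvw.dll entry in the posted log."""
    out: List[Dict[str, str]] = []
    for ln in log.splitlines():
        m = BHO_LINE.match(ln.strip())
        if m and m["name"] == "(no name)" and "\\system32\\" in m["path"].lower():
            out.append({"clsid": m["clsid"], "path": m["path"]})
    return out


def find_missing_services(log: str) -> List[Tuple[str, str]]:
    """O23 services whose executable is gone, as (service name, path)."""
    out: List[Tuple[str, str]] = []
    for ln in log.splitlines():
        m = SERVICE_MISSING.match(ln.strip())
        if m:
            out.append((m["name"], m["path"]))
    return out


if __name__ == "__main__":
    for spaced, normal, twin in find_spaced_extensions(SAMPLE_LOG):
        print(f"spaced-extension file: {spaced}  (clean twin listed: {twin})")
    for bho in find_unnamed_bhos(SAMPLE_LOG):
        print(f"unnamed BHO {bho['clsid']} -> {bho['path']}")
    for name, path in find_missing_services(SAMPLE_LOG):
        print(f"service with missing binary: {name} ({path})")
```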



#2 ladylei

ladylei
  • Topic Starter

  • Members
  • 23 posts

Posted 31 December 2007 - 12:54 AM

Follow-up: Log from VundoFix


VundoFix V4.2.74

Checking Java version...

Scan started at 11:53:47 AM 5/16/2006

Listing files found while scanning....


No infected files were found.


VundoFix V6.7.7

Checking Java version...

Scan started at 2:13:53 PM 12/28/2007

Listing files found while scanning....


VundoFix V6.7.7

Checking Java version...

Scan started at 2:35:25 PM 12/28/2007

Listing files found while scanning....


Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 4:09:42 PM 12/28/2007

Listing files found while scanning....

C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.exe
C:\WINDOWS\system32\ljjigec.dll
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini2
C:\WINDOWS\system32\yayvsqn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.exe
C:\WINDOWS\system32\awvvw.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjigec.dll
C:\WINDOWS\system32\ljjigec.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\NeroCheck.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini2
C:\windows\system32\wvvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayvsqn.dll
C:\WINDOWS\system32\yayvsqn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 12:49:25 PM 12/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\yayvsqn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yayvsqn.dll
C:\WINDOWS\system32\yayvsqn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yayvsqn.dll
C:\WINDOWS\system32\yayvsqn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 2:45:21 PM 12/29/2007

Listing files found while scanning....


VundoFix V6.7.7

Checking Java version...

Scan started at 3:01:51 PM 12/29/2007

Listing files found while scanning....

C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.exe
C:\windows\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.exe
C:\WINDOWS\system32\awvvw.exe Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.exe
C:\WINDOWS\system32\awvvw.exe Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 1:11:37 AM 12/30/2007

Listing files found while scanning....

C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.exe
C:\windows\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvw.exe
C:\WINDOWS\system32\awvvw.exe Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 10:56:51 PM 12/30/2007

Listing files found while scanning....

C:\windows\system32\awvvw.dll
C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awvvw.dll
C:\windows\system32\awvvw.dll Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini2
C:\windows\system32\wvvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 31 December 2007 - 02:01 PM

Hello ladylei,

Did you have Symantec Antivirus installed on this computer and recently uninstalled it?
I see Symantec items in your log.

Looks like you have a very nasty Vundo variant on this computer. :thumbsup:

We shall run ComboFix.

Disable your AntiVir antivirus and Spyware Doctor as both will prevent ComboFix from working.

To disable AntiVir:
Please navigate to the system tray on the bottom right-hand corner and look for an open white umbrella on a red background; right-click it -> untick the option AntiVir Guard enable.
You should now see a closed, white umbrella on a red background.
You have successfully disabled the AntiVir Guard.


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.


You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used Combofix before, please delete the version you have and redownload it again, because Combofix is being updated everyday.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Do not run Combofix more than once.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Edited by SifuMike, 31 December 2007 - 02:39 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 ladylei

ladylei
  • Topic Starter

  • Members
  • 23 posts

Posted 31 December 2007 - 04:15 PM

Did you have Symantec Antivirus installed on this computer and recently uninstalled it?

Yes, they did, but it appears to be disabled and I can't uninstall or reinstall it. In fact it keeps prompting for J:\SAV\10 for the installation files, so I guess they started to reinstall and it failed. I'll work on that problem later with Symantec.

I really appreciate all of the help. Below is the ComboFix log and a new HijackThis log as you requested. All antivirus and antispyware was disabled before scanning.

Note: It is uninstalled now, but I had installed a trial version of Kaspersky Antivirus and it kept flagging the awvvw.exe file and also showed several .exe files from miscellaneous programs that were infected and renamed. (Ex. ituneshelper.exe was infected and it looked as though the original file was still there but named ituneshelper .exe)

ComboFix 07-12-31.4 - Owner 2007-12-31 14:58:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.267 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\My Documents\WNSXS~1
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\wnscpisv.exe
C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymante~1\?ymantec\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 14:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 11:35 . 2007-12-31 11:35 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-31 10:58 . 2007-12-31 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-12-31 09:48 . 2007-12-31 09:48 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-30 22:25 . 2007-12-30 22:28 <DIR> d-------- C:\Documents and Settings\Owner\Pavark
2007-12-30 22:20 . 2007-12-30 22:20 3,937,636 --a------ C:\WINDOWS\system32\YGYOL
2007-12-30 21:02 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-30 20:36 . 2007-12-30 20:36 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 20:21 . 2007-12-30 20:21 <DIR> d-------- C:\Temp\NAV Corporate V9.0.0.338
2007-12-30 20:20 . 2007-12-30 20:20 <DIR> d-------- C:\Temp\navcorp900338client
2007-12-30 20:20 . 2004-05-02 14:00 1,270 --a------ C:\Temp\NAV Corporate V9.0.0.338.zip
2007-12-30 19:54 . 2007-12-30 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 09:47 . 2007-12-30 09:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2007-12-30 09:20 . 2007-12-30 09:49 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-30 00:27 . 2007-12-31 11:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-30 00:27 . 2007-12-30 00:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-30 00:27 . 2007-12-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-29 16:01 . 2004-08-04 06:00 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2007-12-29 15:35 . 2007-12-29 15:35 60,416 --a------ C:\WINDOWS\system32\drivers\toqsdgmw.sys
2007-12-29 14:54 . 2007-12-29 14:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 14:24 . 2007-05-23 16:58 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-29 14:24 . 2007-05-23 16:58 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-29 14:24 . 2007-05-23 16:58 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-29 14:24 . 2007-05-23 16:58 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-12-29 14:24 . 2007-05-23 16:58 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-29 14:23 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-29 13:59 . 2007-12-29 14:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 13:34 . 2007-12-31 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-28 14:13 . 2007-12-31 14:33 <DIR> d-------- C:\VundoFix Backups
2007-12-28 09:04 . 2007-12-28 23:50 0 --ahs---- C:\Documents and Settings\Owner\Application Data\3c6c9c2451a99ab11f4fcf4d6afb9f6f.dat
2007-12-28 07:57 . 2007-12-28 14:04 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-28 07:19 . 2007-12-29 13:58 <DIR> d-------- C:\WINDOWS\system32\mr9
2007-12-28 07:19 . 2007-12-28 07:38 <DIR> d-------- C:\WINDOWS\system32\cc9
2007-12-28 07:19 . 2007-12-28 07:19 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2007-12-28 07:19 . 2007-12-28 07:19 <DIR> d-------- C:\Temp\cEeer12
2007-12-09 14:00 . 2007-12-31 11:41 <DIR> d-------- C:\Program Files\MP4 Player
2007-12-09 14:00 . 2007-12-09 14:00 36 --ah----- C:\WINDOWS\system32\swk.ini
2007-12-09 13:57 . 2007-12-09 13:57 911,119 --a------ C:\mp4PlayerSetup.exe
2007-11-27 15:00 . 2007-11-27 15:00 <DIR> d-------- C:\WINDOWS\Setup533
2007-11-27 15:00 . 2002-10-21 11:37 515,803 --a------ C:\WINDOWS\system32\drivers\Ca533av.sys
2007-11-27 15:00 . 2002-01-19 15:33 131,072 --a------ C:\WINDOWS\system32\SP5X_32.DLL
2007-11-27 15:00 . 2000-04-12 12:25 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2007-11-27 15:00 . 2002-05-02 17:26 65,536 --a------ C:\WINDOWS\amcap533.exe
2007-11-27 15:00 . 2002-07-30 19:40 16,384 --a------ C:\WINDOWS\system32\Dext533.ax
2007-11-27 15:00 . 2002-07-25 11:19 10,986 --a------ C:\WINDOWS\system32\drivers\Bulk533.sys
2007-11-27 15:00 . 2003-01-06 13:33 1,325 --a------ C:\WINDOWS\Remove.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 21:01 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-31 19:58 --------- d-----w C:\Program Files\QuickTime
2007-12-31 17:43 --------- d-----w C:\Program Files\iTunes
2007-12-31 17:39 --------- d-----w C:\Program Files\Microsoft Location Finder
2007-12-31 17:38 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-31 07:16 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-31 03:02 --------- d-----w C:\Program Files\Java
2007-12-30 00:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2007-12-29 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 13:29 --------- d-----w C:\Program Files\NoAdware4
2007-12-27 11:52 --------- d-----w C:\Program Files\PokerStars
2007-11-27 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-01 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
.
----a-w			68,856 2007-12-31 20:55:36  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		   217,088 2007-12-31 20:50:41  C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 8.0\avp .exe
----a-w		 1,694,208 2007-12-28 14:26:18  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,051,464 2007-12-31 20:54:48  C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w		   158,208 2007-12-31 04:33:02  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w		   155,648 2007-12-28 20:04:31  C:\WINDOWS\system32\NeroCheck .exe
----a-w			98,304 2007-12-31 20:35:02  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9FA .EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2004-05-17 19:30 543232 C:\WINDOWS\zHotkey.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 13:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 20:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [ ]
"EPSON Stylus Photo R320 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" [ ]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-08-29 18:21:11]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-12-31 09:45 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 8.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]
C:\Documents and Settings\Owner\Application Data\Awola\Awola.exe /MIN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]
C:\WINDOWS\system32\YMANTE~1\dexplore.exe -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ejohwdqq]
C:\otpyxtrv.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
2007-12-31 09:45 356352 --a------ C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-31 09:45 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\awvvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsft Windows Adapter 5.1.3013]
C:\Documents and Settings\Owner\Application Data\opnnqyydmf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2007-12-31 09:45 121640 --a------ C:\Program Files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2007-12-29 15:48 50688 --a------ C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2007-12-31 09:45 53248 --a------ c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
C:\Program Files\MP4 Player\mp4Player.exe hmw

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PO579B~1.EXE -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwfzgpof]
C:\Documents and Settings\Owner\My Documents\W?nSxS\w?wexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\Program Files\Registry Cleaner Trial\Regclean .exe -startminimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2007-12-31 09:45 135168 --a------ C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2007-12-31 09:45 1318912 --a------ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.6\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"SavRoam"=3 (0x3)
"avp "=2 (0x2)
"AVP"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 01:40:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 15:03:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 15:05:12 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 21:05:04
.
2007-12-31 03:14:37 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:23 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paradisepoker.com/promotions/20...liday_seat.html
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series (Copy 1)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" /P39 "EPSON Stylus Photo R320 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4190 bytes

Edited by ladylei, 31 December 2007 - 04:17 PM.


#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:59 PM

Posted 31 December 2007 - 04:48 PM

Hi ladylei,

I can see from your log you have a very nasty vundo variant on this computer.


Open NOTEPAD.exe and copy/paste the text in the code box below into it:

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 8.0\avp .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9FA .EXE


Save this as Log.txt

Please download this tool to your Desktop: http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
Place the tool next to Log.txt


Posted Image


Referring to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a new log for you. Post that log in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 ladylei

ladylei
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 31 December 2007 - 05:03 PM

I appreciate the prompt response. Here is the requested log from RenV.

Ran on Mon 12/31/2007 - 15:58:22.35

 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0


#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:59 PM

Posted 31 December 2007 - 05:27 PM

Hi ladylei,


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\otpyxtrv.bat
C:\WINDOWS\system32\awvvw.exe
C:\WINDOWS\mrofinu572.exe 
C:\Documents and Settings\Owner\Application Data\opnnqyydmf.exe

Folder:: 
C:\Program Files\Web Buying
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ejohwdqq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsft Windows Adapter 5.1.3013]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
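The two steps above work from the ComboFix startup listing by eye: the Log.txt for RenV collects binaries whose name carries a space before the extension (qttask .exe, Regclean .exe), and the CFScript names the files and startupreg keys to delete. The script below is an added example for this thread, not RenV's, ComboFix's or BleepingComputer's code. It parses a listing in the ComboFix "Reg Loading Points" layout (a [HKEY...] header followed by its value line), attaches structural flags, and drafts a CFScript in the File:: / Registry:: / [-KEY] form used in the thread. The sample listing is constructed from lines in the log above; the heuristics are mine, KNOWN_BAD holds the one basename the thread's scanner flagged, and the reading of "?" as a character ComboFix could not render is an assumption, not something the thread states.

```python
"""Triage ComboFix 'Reg Loading Points' entries and draft a CFScript for review."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on startupreg entries in the thread's ComboFix log.
SAMPLE_LISTING = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ejohwdqq]
C:\otpyxtrv.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
2007-12-31 09:45 356352 --a------ C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\awvvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsft Windows Adapter 5.1.3013]
C:\Documents and Settings\Owner\Application Data\opnnqyydmf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwfzgpof]
C:\Documents and Settings\Owner\My Documents\W?nSxS\w?wexec.exe
"""

# Lower-case basenames a scanner already flagged; awvvw.exe is the one named in this thread.
KNOWN_BAD = {"awvvw.exe"}
# Drive-letter path ending in an executable extension; lazy match so trailing arguments stay out.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|bat|cmd|com|dll|scr|pif))(?=\s|$)", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
PROFILE_DIRS = ("\\application data\\", "\\my documents\\")


@dataclass
class Entry:
    key: str                 # registry key the value was read from
    raw: str                 # value line as printed by ComboFix
    path: Optional[str]      # absolute path extracted from the value line, if any
    flags: List[str] = field(default_factory=list)


def parse_listing(text):
    """Pair each [HKEY...] header with the value line that follows it."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is not None:
            pm = PATH_RE.search(line)
            entries.append(Entry(key, line, pm.group(1) if pm else None))
            key = None
    return entries


def flag_entry(e, known_bad=KNOWN_BAD):
    """Attach structural flags plus scanner hits; no flag means 'nothing unusual', not 'clean'."""
    if e.path is None:
        return e
    p = e.path.lower()
    base = p.rsplit("\\", 1)[-1]
    if base in known_bad:
        e.flags.append("scanner-detected")
    if re.search(r"\s\.\w+$", base):            # 'qttask .exe': a renamed file, the RenV case
        e.flags.append("space-before-extension")
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):      # executable sitting directly in the drive root
        e.flags.append("executable-at-drive-root")
    if any(d in p for d in PROFILE_DIRS):       # autostart binary inside the user's profile data
        e.flags.append("executable-under-profile-data")
    if "?" in e.path:                           # assumed: ComboFix printed '?' for an unrenderable char
        e.flags.append("unrenderable-char")
    return e


def triage(text, known_bad=KNOWN_BAD):
    return [flag_entry(e, known_bad) for e in parse_listing(text)]


def draft_cfscript(entries):
    """Return (CFScript text, entries needing manual review).

    Renamed files (space before extension) are the RenV case, and '?' paths cannot be
    named in a script until the real characters are known, so both go to the review list."""
    delete, review = [], []
    for e in entries:
        if not e.flags:
            continue
        if "space-before-extension" in e.flags or "unrenderable-char" in e.flags:
            review.append(e)
        else:
            delete.append(e)
    lines = ["File::"] + [e.path for e in delete] + [""]
    lines += ["Registry::"] + [f"[-{e.key}]" for e in delete]
    return "\n".join(lines) + "\n", review


if __name__ == "__main__":
    found = triage(SAMPLE_LISTING)
    for e in found:
        print(f"{e.key.rsplit(chr(92), 1)[-1]:40} {', '.join(e.flags) or '-'}")
    script, review = draft_cfscript(found)
    print("\n" + script)
    for e in review:
        print("review first:", e.path, e.flags)
```

The draft is a starting point for a helper to read, not something to feed to ComboFix unread: an entry without flags is merely unremarkable, and an entry with flags still deserves a look at the file's properties, as the thread does for the W?nSxS folder, before it is deleted.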

#8 ladylei

ladylei
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 31 December 2007 - 05:44 PM

SifuMike, once again, I sincerely appreciate the help and the prompt reply.

It did not ask me to reboot. Below is the new ComboFix log.

ComboFix 07-12-31.4 - Owner 2007-12-31 16:37:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.260 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Owner\Application Data\opnnqyydmf.exe
C:\otpyxtrv.bat
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\awvvw.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\awvvw.dll.bad
C:\VundoFix Backups\awvvw.exe.bad
C:\VundoFix Backups\mrofinu572.exe.bad
C:\VundoFix Backups\MSConfig .exe.bad
C:\VundoFix Backups\MSConfig.exe.bad
C:\VundoFix Backups\NeroCheck.exe.bad
C:\VundoFix Backups\prfcwmdb.dll.bad
C:\VundoFix Backups\swdvsyli.dll.bad
C:\VundoFix Backups\wvvwa.ini.bad
C:\VundoFix Backups\wvvwa.ini2.bad

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 15:57 . 2007-12-30 22:33 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2007-12-31 14:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 11:35 . 2007-12-31 11:35 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-31 10:58 . 2007-12-31 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-12-31 09:48 . 2007-12-31 09:48 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-30 22:25 . 2007-12-30 22:28 <DIR> d-------- C:\Documents and Settings\Owner\Pavark
2007-12-30 22:20 . 2007-12-30 22:20 3,937,636 --a------ C:\WINDOWS\system32\YGYOL
2007-12-30 21:02 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-30 20:36 . 2007-12-30 20:36 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 20:21 . 2007-12-30 20:21 <DIR> d-------- C:\Temp\NAV Corporate V9.0.0.338
2007-12-30 20:20 . 2007-12-30 20:20 <DIR> d-------- C:\Temp\navcorp900338client
2007-12-30 20:20 . 2004-05-02 14:00 1,270 --a------ C:\Temp\NAV Corporate V9.0.0.338.zip
2007-12-30 19:54 . 2007-12-30 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 09:47 . 2007-12-30 09:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2007-12-30 09:20 . 2007-12-30 09:49 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-30 00:27 . 2007-12-31 15:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-30 00:27 . 2007-12-30 00:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-30 00:27 . 2007-12-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-29 15:35 . 2007-12-29 15:35 60,416 --a------ C:\WINDOWS\system32\drivers\toqsdgmw.sys
2007-12-29 14:54 . 2007-12-29 14:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 14:24 . 2007-05-23 16:58 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-29 14:24 . 2007-05-23 16:58 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-29 14:24 . 2007-05-23 16:58 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-29 14:24 . 2007-05-23 16:58 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-12-29 14:24 . 2007-05-23 16:58 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-29 14:23 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-29 13:59 . 2007-12-29 14:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 13:34 . 2007-12-31 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-28 09:04 . 2007-12-28 23:50 0 --ahs---- C:\Documents and Settings\Owner\Application Data\3c6c9c2451a99ab11f4fcf4d6afb9f6f.dat
2007-12-28 07:19 . 2007-12-29 13:58 <DIR> d-------- C:\WINDOWS\system32\mr9
2007-12-28 07:19 . 2007-12-28 07:38 <DIR> d-------- C:\WINDOWS\system32\cc9
2007-12-28 07:19 . 2007-12-28 07:19 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2007-12-28 07:19 . 2007-12-28 07:19 <DIR> d-------- C:\Temp\cEeer12
2007-12-09 14:00 . 2007-12-31 11:41 <DIR> d-------- C:\Program Files\MP4 Player
2007-12-09 14:00 . 2007-12-09 14:00 36 --ah----- C:\WINDOWS\system32\swk.ini
2007-12-09 13:57 . 2007-12-09 13:57 911,119 --a------ C:\mp4PlayerSetup.exe
2007-11-27 15:00 . 2007-11-27 15:00 <DIR> d-------- C:\WINDOWS\Setup533
2007-11-27 15:00 . 2002-10-21 11:37 515,803 --a------ C:\WINDOWS\system32\drivers\Ca533av.sys
2007-11-27 15:00 . 2002-01-19 15:33 131,072 --a------ C:\WINDOWS\system32\SP5X_32.DLL
2007-11-27 15:00 . 2000-04-12 12:25 118,784 --a------ C:\WINDOWS\ShowBmp.exe
2007-11-27 15:00 . 2002-05-02 17:26 65,536 --a------ C:\WINDOWS\amcap533.exe
2007-11-27 15:00 . 2002-07-30 19:40 16,384 --a------ C:\WINDOWS\system32\Dext533.ax
2007-11-27 15:00 . 2002-07-25 11:19 10,986 --a------ C:\WINDOWS\system32\drivers\Bulk533.sys
2007-11-27 15:00 . 2003-01-06 13:33 1,325 --a------ C:\WINDOWS\Remove.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 21:58 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-31 19:58 --------- d-----w C:\Program Files\QuickTime
2007-12-31 17:43 --------- d-----w C:\Program Files\iTunes
2007-12-31 17:39 --------- d-----w C:\Program Files\Microsoft Location Finder
2007-12-31 17:38 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-31 07:16 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-31 04:33 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2007-12-31 03:02 --------- d-----w C:\Program Files\Java
2007-12-30 00:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2007-12-29 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 13:29 --------- d-----w C:\Program Files\NoAdware4
2007-12-27 11:52 --------- d-----w C:\Program Files\PokerStars
2007-11-27 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-01 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2004-05-17 19:30 543232 C:\WINDOWS\zHotkey.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 13:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 20:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [ ]
"EPSON Stylus Photo R320 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" [2007-12-30 22:33 158208]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-08-29 18:21:11]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-12-31 09:45 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 8.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]
C:\Documents and Settings\Owner\Application Data\Awola\Awola.exe /MIN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]
C:\WINDOWS\system32\YMANTE~1\dexplore.exe -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
2007-12-31 09:45 356352 --a------ C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-31 09:45 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2007-12-31 09:45 121640 --a------ C:\Program Files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2007-12-29 15:48 50688 --a------ C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2007-12-31 09:45 53248 --a------ c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
C:\Program Files\MP4 Player\mp4Player.exe hmw

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PO579B~1.EXE -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwfzgpof]
C:\Documents and Settings\Owner\My Documents\W?nSxS\w?wexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\Program Files\Registry Cleaner Trial\Regclean .exe -startminimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2007-12-31 09:45 135168 --a------ C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2007-12-31 09:45 1318912 --a------ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"SavRoam"=3 (0x3)
"avp "=2 (0x2)
"AVP"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 01:40:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 16:38:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 16:39:17
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 22:39:08
C:\qoobox\ComboFix2.txt 2007-12-31 21:05:12
.
2007-12-31 03:14:37 --- E O F ---

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:59 PM

Posted 31 December 2007 - 06:07 PM

Hi ladylei,

I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure.

This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.

Do not post the Hijackthis log yet, I will ask for it later.

***************************

Launch Notepad, and copy/paste the code box below into a new text file.
Save it as FindFile.bat, file type as all files and save it on your Desktop.

rem The path contains spaces, so it must be quoted or dir treats each word as a separate file spec.
rem /a lists hidden and system entries as well; 2>&1 keeps any "File Not Found" message in files.txt.
dir "C:\Documents and Settings\Owner\My Documents\W?nSxS\w?wexec.exe" /a > files.txt 2>&1
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it.
Post up the text file here when you are done

***************************

Disable your AVG antivirus before running this scan.


Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allows Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete choose save the results by clicking "Save Report As HTML" Give the Report a name and save it to your desktop. If you have any problem saving the report, copy its text to the clipboard, then paste it into an empty Notepad and save it to your desktop.
9. Post the Kaspersky scan results in your next reply.

Edited by SifuMike, 31 December 2007 - 06:09 PM.


#10 ladylei

ladylei
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 31 December 2007 - 06:30 PM

> I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure


Msconfig will not run from the Start, Run. I had to go to its directory to run it.
And yes, I had disabled some trying to stabilize the system. All are enabled now.

> Locate FindFile.bat on your Desktop and double-click on it.
> Post up the text file here when you are done


I created the FindFile.bat that you required and ran it but the Files.txt it created was empty. Just a blank notepad file. Did I do something wrong?

This infected computer is not connected to the internet but I will do so and run the online scan and post back. I know the scan will take a little time and I will also be away from the pc for a while. Will post back as soon as possible. Thanks.

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:59 PM

Posted 31 December 2007 - 06:54 PM

Hi LadyLei,

See if this works. I have changed it slightly to look for the folder. :thumbsup:

Launch Notepad, and copy/paste the code box below into a new text file.
Save it as FindFile.bat.
Save the file type as all files and save it on your Desktop.

rem Quoted because the path contains spaces; /a also lists hidden and system entries, 2>&1 captures errors.
dir "C:\Documents and Settings\Owner\My Documents\W?nSxS" /a > files.txt 2>&1
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it.
Post up the text file here when you are done

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

If it does not find it then do a search for the file and folder.
Note that the ? is a wild card and can be any letter or number. It may find two files that are very similar.
If you find them, right-click on the file(s) and look at the properties and tell me what it says.

Edited by SifuMike, 31 December 2007 - 08:24 PM.

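The FindFile.bat steps above (this post and the previous one) rely on cmd's ? wildcard to locate a folder that ComboFix printed as W?nSxS. The script below is an added example for this thread, not a BleepingComputer or ComboFix tool. It assumes, which is my reading and not something the thread states, that ComboFix prints ? for a character it cannot render in the console code page, so W?nSxS may be a look-alike of WinSxS spelled with a non-ASCII letter rather than a literal question mark. It matches a cmd-style pattern against a directory listing (hidden entries included), prints every character's code point, and reports whether a hit is the genuine name or differs from it in exactly one position. KNOWN_NAMES is a hypothetical reference list, and the directory listing is constructed so the example runs offline; audit_directory does the same against a real folder.

```python
"""Resolve a ComboFix-rendered name containing '?' and tell genuine names from look-alikes."""
import fnmatch
import os
import unicodedata

# Hypothetical reference names that the thread's suspicious entries resemble.
KNOWN_NAMES = ("WinSxS", "wowexec.exe")

# Constructed listing standing in for 'My Documents'; the third entry spells
# WinSxS with U+0456 (Cyrillic small letter i) in place of Latin 'i'.
CONSTRUCTED_ENTRIES = ["My Music", "My Pictures", "W\u0456nSxS", "WinSxS", "desktop.ini"]


def matches_pattern(entries, pattern):
    """Entries matching a cmd-style pattern: '?' is exactly one character, '*' any run; case-insensitive."""
    return [e for e in entries if fnmatch.fnmatchcase(e.lower(), pattern.lower())]


def non_ascii_chars(name):
    """(index, char, 'U+XXXX', unicode name) for every character outside ASCII."""
    return [(i, c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(name) if ord(c) > 0x7F]


def lookalike_of(name, known=KNOWN_NAMES):
    """Known name that `name` mimics: same length, exactly one differing position, case-insensitive."""
    low = name.lower()
    for k in known:
        kl = k.lower()
        if len(low) == len(kl) and low != kl and sum(a != b for a, b in zip(low, kl)) == 1:
            return k
    return None


def audit_entries(entries, pattern, known=KNOWN_NAMES):
    """One report per entry matching `pattern`, in listing order."""
    known_lower = {k.lower() for k in known}
    reports = []
    for e in matches_pattern(entries, pattern):
        reports.append({
            "name": e,
            "codepoints": " ".join(f"U+{ord(c):04X}" for c in e),
            "non_ascii": non_ascii_chars(e),
            "mimics": lookalike_of(e, known),
            "genuine": e.lower() in known_lower,
        })
    return reports


def audit_directory(parent, pattern, known=KNOWN_NAMES):
    """Same audit over a real folder; os.listdir returns hidden and system entries too."""
    return audit_entries(os.listdir(parent), pattern, known)


if __name__ == "__main__":
    for r in audit_entries(CONSTRUCTED_ENTRIES, "W?nSxS"):
        verdict = "genuine" if r["genuine"] else f"look-alike of {r['mimics']}"
        print(f"{r['name']!r:14} {verdict:22} {r['codepoints']}")
        for i, c, cp, uname in r["non_ascii"]:
            print(f"    position {i}: {c!r} {cp} {uname}")
```

Running it on the constructed listing reports two hits for W?nSxS: the genuine WinSxS and a look-alike whose second character is U+0456. Printing the code points is what separates the two cases; a Windows Explorer search or a dir listing shows both names as the same six letters.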

#12 ladylei

ladylei
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 01 January 2008 - 12:53 AM

> See if this works. I have changed it slightly to look for the folder


Still get a blank notepad file as a result.

I searched the whole user folder and don't see any folders that even start with a w other than a windows folder under Owner.

All files and operating system files were already set to show.

Here is the result from the online scan. I guess you want it posted as text and not an attachment.


KASPERSKY ONLINE SCANNER REPORT
Monday, December 31, 2007 11:31:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/12/2007
Kaspersky Anti-Virus database records: 500929


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 52933
Number of viruses found 5
Number of infected objects 400
Number of suspicious objects 8
Duration of the scan process 00:31:01

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\NoAdware4\NoAdwareBackup\12,28,2007_13,17,59.zip/!update.exe Suspicious: Password-protected-EXE skipped

C:\Program Files\NoAdware4\NoAdwareBackup\12,28,2007_13,17,59.zip ZIP: suspicious - 1 skipped

C:\Program Files\NoAdware4\NoAdwareBackup\12,28,2007_15,53,27.zip/!update.exe Suspicious: Password-protected-EXE skipped

C:\Program Files\NoAdware4\NoAdwareBackup\12,28,2007_15,53,27.zip ZIP: suspicious - 1 skipped

C:\Program Files\NoAdware4\NoAdwareBackup\12,28,2007_8,47,19.zip/!update.exe Suspicious: Password-protected-EXE skipped

C:\Program Files\NoAdware4\NoAdwareBackup\12,28,2007_8,47,19.zip ZIP: suspicious - 1 skipped

C:\Program Files\Trend Micro\HijackThis\backups\backup-20071229-145617-940.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\QooBox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\QooBox\Quarantine\C\Program Files\Spyware Doctor\SDTrayApp.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\QooBox\Quarantine\C\VundoFix Backups\awvvw.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\QooBox\Quarantine\C\VundoFix Backups\awvvw.exe.bad.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\QooBox\Quarantine\C\VundoFix Backups\mrofinu572.exe.bad.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\QooBox\Quarantine\C\VundoFix Backups\MSConfig .exe.bad.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\QooBox\Quarantine\C\VundoFix Backups\MSConfig.exe.bad.vir/data0000.bin Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\QooBox\Quarantine\C\VundoFix Backups\MSConfig.exe.bad.vir EmbeddedEXE: infected - 1 skipped

C:\QooBox\Quarantine\C\VundoFix Backups\NeroCheck.exe.bad.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\awvvw.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\QooBox\Quarantine\catchme2007-12-31_150342.50.zip/awvvw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\QooBox\Quarantine\catchme2007-12-31_150342.50.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075157.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075159.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075160.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075161.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075162.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075163.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075164.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075165.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075166.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075185.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075187.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075188.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075189.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075190.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075191.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075192.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075193.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075194.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP615\A0075195.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075217.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075218.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075219.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075220.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075221.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075222.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075223.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075224.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075225.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP616\A0075226.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075257.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075335.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075337.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075338.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075339.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075340.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075341.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075342.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075343.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP617\A0075344.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075359.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075367.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075369.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075370.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075372.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075373.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075374.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075375.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075376.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP618\A0075377.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0075393.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077398.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077400.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077401.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077403.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077404.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077405.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077406.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077407.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077408.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077409.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077427.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077429.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077430.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077431.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077432.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077433.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077434.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077435.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077436.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077437.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077452.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077453.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077454.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077456.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077458.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077459.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077460.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077461.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077462.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077463.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077464.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077471.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077472.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077473.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077474.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077475.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077476.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077477.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077478.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077479.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077480.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077481.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077501.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077503.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077504.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077505.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077506.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077507.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077508.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077509.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077510.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077511.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077512.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077514.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077536.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077537.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077538.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077539.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077540.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077541.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077542.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077543.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077544.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077545.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP619\A0077546.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077590.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077599.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077600.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077601.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077603.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077604.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077605.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077606.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077607.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077608.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077609.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP621\A0077610.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077656.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077657.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077658.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077659.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077660.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077661.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077662.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077663.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077664.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077665.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077666.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP622\A0077667.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077838.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077839.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077840.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077842.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077843.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077844.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077845.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077846.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077847.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077848.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077850.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077855.bat Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077857.exe Infected: not-a-virus:FraudTool.Win32.AwolaAntiSpyware.b skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077866.bat Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077873.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077888.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077889.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077890.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077893.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077894.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077895.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077896.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077897.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077898.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077899.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077900.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077924.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077926.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077927.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077928.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077929.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077930.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077931.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077932.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077933.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077934.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077942.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077943.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077944.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077945.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077946.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077947.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077948.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077949.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077950.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077951.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077970.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077986.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077987.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077988.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077989.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077990.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077991.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077992.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077993.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077994.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077995.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078003.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078023.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078025.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078026.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078027.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078028.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078029.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078030.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078031.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078032.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078033.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078072.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078074.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078075.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078076.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078077.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078078.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078079.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078080.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078081.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078082.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078083.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078107.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078109.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078110.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078111.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078112.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078113.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078114.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078115.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078116.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078117.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0078118.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078139.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078141.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078142.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078143.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078144.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078145.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078146.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078147.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078148.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078149.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078151.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078163.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078169.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078171.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078172.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078173.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078174.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078175.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078176.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078177.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078178.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078179.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078180.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078181.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078183.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078184.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078190.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078193.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078196.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078197.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078198.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078204.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078207.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078209.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078210.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078211.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078212.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078213.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078214.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078215.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078216.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078217.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078218.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078219.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078226.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078228.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078229.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078230.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP627\A0079227.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP627\A0079231.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP627\A0079232.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP627\A0080226.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP627\A0080227.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080233.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080234.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080235.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080239.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080240.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080302.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080305.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080306.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080307.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080308.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080309.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080310.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080311.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080312.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080313.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080314.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080327.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080328.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080329.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080330.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080331.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080332.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080333.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080334.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080335.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080336.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080346.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080347.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080352.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0080353.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081353.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081354.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081356.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081367.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081368.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081371.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081373.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081377.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081378.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081379.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081380.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081381.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081382.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081383.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081384.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081385.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081386.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081396.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081397.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081398.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081399.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081400.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081401.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081402.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081403.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081404.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081405.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081406.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081407.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081408.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081409.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081410.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081411.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081412.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081413.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081414.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081415.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081416.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081417.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081418.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081419.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081420.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081421.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP628\A0081422.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081424.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081425.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081426.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081427.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081428.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081429.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081432.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081760.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081776.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081783.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081785.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081786.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081787.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081788.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081792.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081799.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081800.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081801.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081808.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP629\A0081809.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP630\A0081862.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP630\A0081919.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP630\A0081921.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP630\A0081922.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP631\A0081932.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP631\A0081933.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP632\A0081936.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP632\A0081937.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP632\A0081938.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP632\A0081943.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP632\A0081954.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP633\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
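The log above has a very regular shape, and the thing a helper actually wants to know from it is whether any detection is outside System Restore (a live file still on disk) or whether, as here, every "Infected ... skipped" line is a snapshot inside a restore point that the scanner cannot touch and that is cleared only by flushing System Restore once the cleanup is finished. The following parser is an added example written for this page, not code from the forum post or from Kaspersky; the sample lines are constructed in the same format, and the live awvvw.dll line is made up only so the "live hit" branch is exercised (the real log above reports no such hit).

```python
r"""Summarise a Kaspersky on-demand scan log like the one pasted above.

Added example, not part of the forum post and not a Kaspersky tool. It
parses the two line shapes that appear in such a log,

    <path> Infected: <verdict> skipped
    <path> Object is locked skipped

and groups the detections by System Restore point (the RPnnn directory
under "System Volume Information"), so a helper can see at a glance whether
every hit sits in an old restore snapshot or whether a live system file
is still flagged.
"""
import re
from collections import Counter, defaultdict

INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# Matches ...\System Volume Information\_restore{GUID}\RP625\... and captures "RP625".
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE
)

# Constructed sample in the same format as the log above. The awvvw.dll line
# is made up so that the "live file" branch is exercised; the real log above
# reports no such live hit.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077946.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP625\A0077970.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP626\A0078184.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP633\change.log Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\awvvw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
Scan process completed.
"""


def parse_scan_log(text):
    """Return one record per scanner finding; other lines (headers, totals) are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if (m := INFECTED.match(line)):
            status, verdict = "infected", m.group("verdict")
        elif (m := LOCKED.match(line)):
            status, verdict = "locked", None
        else:
            continue
        path = m.group("path")
        rp = RESTORE_POINT.search(path)
        records.append({
            "path": path,
            "status": status,
            "verdict": verdict,
            "restore_point": rp.group("rp") if rp else None,
        })
    return records


def summarise(records):
    """Split findings into per-restore-point verdict counts, live hits and locked objects."""
    per_rp = defaultdict(Counter)
    live, locked = [], []
    for r in records:
        if r["status"] == "locked":
            locked.append(r["path"])        # in-use files the scanner could not open
        elif r["restore_point"]:
            per_rp[r["restore_point"]][r["verdict"]] += 1
        else:
            live.append(r)                  # a detection outside System Restore: still active
    return {
        "restore_points": {rp: dict(c) for rp, c in per_rp.items()},
        "live": live,
        "locked": locked,
    }


def report(text):
    """Human-readable summary; live hits are listed first because they need action."""
    s = summarise(parse_scan_log(text))
    out = []
    for r in s["live"]:
        out.append(f"LIVE  {r['verdict']}  {r['path']}")
    for rp in sorted(s["restore_points"], key=lambda name: int(name[2:])):
        verdicts = ", ".join(f"{v} x{n}" for v, n in sorted(s["restore_points"][rp].items()))
        out.append(f"{rp}: {verdicts}")
    out.append(f"{len(s['locked'])} locked objects skipped")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the full log pasted above, every Infected line lands in an RPnnn bucket and the live list stays empty, which is the basis for calling the scan clean; the locked entries (registry hives, event logs, the WMI repository) are normal files Windows holds open and are not findings.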

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:59 PM

Posted 01 January 2008 - 12:48 PM

Hi ladylei,

Kaspersky scan looks clean. :thumbsup:


How many antivirus programs do you now have on this computer?
I see traces of AntiVir PersonalEdition, Kaspersky Anti-Virus 8.0, Symantec, and TrendMicro.
Did you install these recently and then uninstall them?

Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
Choose your desktop as the location and press Save.
A notepad file will open.
If no Notepad window opens, the file will be on your desktop (where you saved it).
Post the content here in your reply.
Close HijackThis.

************************

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\YMANTE~1\dexplore.exe 
C:\Documents and Settings\Owner\Application Data\Awola\Awola.exe 

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwfzgpof]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot not reproduced: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt, a HijackThis log and the uninstall manager listing.

Edited by SifuMike, 01 January 2008 - 12:49 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 ladylei

ladylei
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 01 January 2008 - 01:32 PM

How many antivirus programs do you now have on this computer?
I see traces of AntiVir PersonalEdition, Kaspersky Anti-Virus 8.0, Symantec, and TrendMicro.
Did you install these recently and then uninstall them?


Symantec was originally on here but was corrupted -- Manually uninstalled this morning with help from Symantec.

Installed AntiVir Free a few days ago and, after the virus infection shut down AntiVir Free, installed the Kaspersky trial version. Both are still installed but were disabled in msconfig.

TrendMicro is showing only because of HijackThis 2.02. No TrendMicro virus scan.

.................

Below are the log files you requested (uninstall_list.txt, combofix.txt, and hijackthis.log). I rechecked all the items I disabled but did not reboot with them checked before running the latest HijackThis scan. Should I leave all the bad items enabled?

ComboFix 07-12-31.4 - Owner 2008-01-01 12:18:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.282 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Owner\Application Data\Awola\Awola.exe
C:\WINDOWS\system32\YMANTE~1\dexplore.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.

2007-12-31 17:33 . 2007-12-31 17:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-31 17:33 . 2007-12-31 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-31 15:57 . 2007-12-30 22:33 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2007-12-31 14:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 11:35 . 2007-12-31 11:35 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-31 10:58 . 2007-12-31 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-12-31 09:48 . 2007-12-31 09:48 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-30 22:25 . 2007-12-30 22:28 <DIR> d-------- C:\Documents and Settings\Owner\Pavark
2007-12-30 22:20 . 2007-12-30 22:20 3,937,636 --a------ C:\WINDOWS\system32\YGYOL
2007-12-30 21:02 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-30 20:36 . 2007-12-30 20:36 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 20:21 . 2007-12-30 20:21 <DIR> d-------- C:\Temp\NAV Corporate V9.0.0.338
2007-12-30 20:20 . 2007-12-30 20:20 <DIR> d-------- C:\Temp\navcorp900338client
2007-12-30 20:20 . 2004-05-02 14:00 1,270 --a------ C:\Temp\NAV Corporate V9.0.0.338.zip
2007-12-30 19:54 . 2007-12-30 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 09:47 . 2007-12-30 09:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2007-12-30 09:20 . 2007-12-30 09:49 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-30 00:27 . 2008-01-01 09:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-30 00:27 . 2007-12-30 00:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-30 00:27 . 2007-12-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-29 15:35 . 2007-12-29 15:35 60,416 --a------ C:\WINDOWS\system32\drivers\toqsdgmw.sys
2007-12-29 14:54 . 2007-12-29 14:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 14:24 . 2007-05-23 16:58 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-29 14:24 . 2007-05-23 16:58 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-29 14:24 . 2007-05-23 16:58 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-29 14:24 . 2007-05-23 16:58 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-12-29 14:24 . 2007-05-23 16:58 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-29 14:23 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-29 13:59 . 2007-12-29 14:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 13:34 . 2007-12-31 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-28 09:04 . 2007-12-28 23:50 0 --ahs---- C:\Documents and Settings\Owner\Application Data\3c6c9c2451a99ab11f4fcf4d6afb9f6f.dat
2007-12-28 07:19 . 2007-12-29 13:58 <DIR> d-------- C:\WINDOWS\system32\mr9
2007-12-28 07:19 . 2007-12-28 07:38 <DIR> d-------- C:\WINDOWS\system32\cc9
2007-12-28 07:19 . 2007-12-28 07:19 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2007-12-28 07:19 . 2007-12-28 07:19 <DIR> d-------- C:\Temp\cEeer12
2007-12-09 14:00 . 2007-12-31 11:41 <DIR> d-------- C:\Program Files\MP4 Player
2007-12-09 14:00 . 2007-12-09 14:00 36 --ah----- C:\WINDOWS\system32\swk.ini
2007-12-09 13:57 . 2007-12-09 13:57 911,119 --a------ C:\mp4PlayerSetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-01 18:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-31 21:58 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-31 19:58 --------- d-----w C:\Program Files\QuickTime
2007-12-31 17:43 --------- d-----w C:\Program Files\iTunes
2007-12-31 17:39 --------- d-----w C:\Program Files\Microsoft Location Finder
2007-12-31 17:38 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-31 07:16 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-31 04:33 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2007-12-31 03:02 --------- d-----w C:\Program Files\Java
2007-12-30 00:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2007-12-29 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 13:29 --------- d-----w C:\Program Files\NoAdware4
2007-12-27 11:52 --------- d-----w C:\Program Files\PokerStars
2007-11-27 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-01 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-31_15.04.49.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2004-05-17 19:30 543232 C:\WINDOWS\zHotkey.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 13:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 20:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [ ]
"EPSON Stylus Photo R320 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 16:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" [2007-12-30 22:33 158208]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-08-29 18:21:11]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-12-31 09:45 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 8.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
2007-12-31 09:45 356352 --a------ C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-31 09:45 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2007-12-31 09:45 121640 --a------ C:\Program Files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2007-12-29 15:48 50688 --a------ C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2007-12-31 09:45 53248 --a------ c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
C:\Program Files\MP4 Player\mp4Player.exe hmw

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PO579B~1.EXE -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\Program Files\Registry Cleaner Trial\Regclean .exe -startminimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2007-12-31 09:45 135168 --a------ C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2007-12-31 09:45 1318912 --a------ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avp "=2 (0x2)
"AVP"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"sdcoreservice"=3 (0x3)
"sdauxservice"=3 (0x3)


.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 01:40:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 12:19:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 12:20:00
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 18:19:51
C:\qoobox\ComboFix2.txt 2007-12-31 22:39:17
C:\qoobox\ComboFix3.txt 2007-12-31 21:05:12
.
2007-12-31 03:14:37 --- E O F ---

................
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:54 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paradisepoker.com/promotions/20...liday_seat.html
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series (Copy 1)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" /P39 "EPSON Stylus Photo R320 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PO579B~1.EXE" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] "C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 8.0\avp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean .exe" -startminimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} (CoxFastConnect20 Control) - https://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6395 bytes
..................
Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Toolbar
AOL Uninstaller
AOL You've Got Pictures Screensaver
Apple Software Update
Backyard Basketball
BigFix
Blue's 123 Time Activities
Blues Clues
Blue's Treasure Hunt
CCleaner (remove only)
Danger Zone!
Digital Camera
Digital Media Reader
EPSON CardMonitor
EPSON PhotoStarter3.0
EPSON Print CD
EPSON Printer Software
ESPR320 Reference Guide
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Adapters and Drivers
iTunes
Java™ 6 Update 3
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Micro Innovations Optical Scroll Mouse
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Location Finder
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Picture It! Photo Premium 9
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MP4 Player
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multimedia Keyboard Driver
MUSICMATCH® Jukebox
Nero BurnRights
Nero OEM
NickToons Racing
NoAdware v4.0
Paradise Poker
PhotoParade Player
Pinball Panic
PITFALL The Lost Expedition
PokerStars
PowerDVD
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
SUPERAntiSpyware Professional
Texas Hold'em 3D XP Championship
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
URGE
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Xfire (remove only)
Yahoo! Toolbar

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:59 PM

Posted 01 January 2008 - 01:58 PM

Hi ladylei,

Symantec was originally on here but was corrupted -- Manually uninstalled this morning with help from Symantec.


Good. :blink:

Installed AntiVir Free a few days ago and, after the virus infection shut down AntiVir Free, installed the Kaspersky trial version. Both are still installed but were disabled in msconfig.


I am not seeing any antivirus program running on this computer. :thumbsup: You need to enable one of them immediately or you will get reinfected.
Uninstall the other one. Running two antivirus programs will cause program conflicts and slow your computer.


I see Viewpoint installed and old versions of Spybot and Ad-Aware.
Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Spybot - Search & Destroy 1.4
Ad-Aware SE Personal



If you uninstalled, please navigate to and delete the following folders
C:\Program Files\Viewpoint

Please download, update and run (one at a time of course!)
Spybot 1.5 and Ad-Aware 2007 Free


I strongly recommend you uninstall the trial "Registry Cleaner" you downloaded.
I do not recommend them because some may damage rather than clean your registry.
You should use it ONLY if you have knowledge of the registry and know whether a certain key/value is safe to remove or not.
Cleaning the registry will not improve performance even though there are a lot of orphaned keys. If registry cleaning were really required, then Microsoft would have included a registry cleaner with XP.

Should I Use a Registry Cleaner? http://aumha.net/viewtopic.php?t=28099

Just some minor clean up left to do.

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean .exe" -startminimize
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Filter: text/plain - (no CLSID) - (no file)
O24 - Desktop Component 0: (no name) - (no file)



Reboot and post a fresh Hijackthis log and tell me how your computer is running.

Edited by SifuMike, 01 January 2008 - 02:39 PM.

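As an added example (not code from this thread or from HijackThis itself), the script below parses HijackThis entries like the log posted above and flags the ones whose target no longer exists, the same "(file missing)" / "(no file)" / "(no CLSID)" lines picked for "fix checked" in the post above, plus O4 Run entries of a program the analyst has decided to remove (here "Registry Cleaner"). The sample log lines are copied from this thread; the parser, its rules and the function names are assumptions of this example.

```python
"""Triage helper for HijackThis logs.

Added example, not code from the thread nor from HijackThis itself. It parses
the numbered entries (R0, O4, O9, O18, O23, O24, ...) and flags those whose
target is gone ("(file missing)", "(no file)", "(no CLSID)"), the kind of
entries selected for "fix checked" in the post above, plus O4 Run entries
belonging to programs the analyst has decided to remove. The O23 service
entries with missing files are reported too; whether to fix them stays a
human decision.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines copied from the thread's log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:54 PM, on 1/1/2008
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean .exe" -startminimize
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

# "O4 - <body>", "R0 - <body>", ...; process listing and header lines do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# Body of an O4 Run entry: HKLM\..\Run: [ValueName] command line
RUN_NAME_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\]")
# Markers HijackThis prints when the referenced object cannot be found.
ORPHAN_MARKERS = ("(file missing)", "(no file)", "(no CLSID)")


@dataclass
class Entry:
    kind: str   # section id, e.g. "O4" (Run key), "O9" (IE extra button)
    body: str   # text after "Oxx - "
    raw: str    # full line, exactly as shown in the HijackThis window

    @property
    def orphaned(self) -> bool:
        return any(marker in self.body for marker in ORPHAN_MARKERS)

    @property
    def run_name(self) -> Optional[str]:
        """For O4 Run entries, the bracketed value name; None otherwise."""
        m = RUN_NAME_RE.match(self.body) if self.kind == "O4" else None
        return m.group("name") if m else None


def parse_hjt(log: str) -> list:
    """Return every numbered entry of the log, in log order."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("kind"), m.group("body"), line))
    return entries


def count_by_kind(log: str) -> dict:
    counts: dict = {}
    for e in parse_hjt(log):
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def orphaned_entries(log: str) -> list:
    """Entries whose target no longer exists: review candidates for 'fix checked'."""
    return [e.raw for e in parse_hjt(log) if e.orphaned]


def run_entries_for(log: str, unwanted: list) -> list:
    """O4 Run entries whose value name matches a program being removed."""
    wanted = {n.lower() for n in unwanted}
    return [e.raw for e in parse_hjt(log)
            if e.run_name is not None and e.run_name.lower() in wanted]


def fix_checked_candidates(log: str, unwanted: list) -> list:
    """Union of both rules, in log order, without duplicates."""
    picked = set(orphaned_entries(log)) | set(run_entries_for(log, unwanted))
    return [e.raw for e in parse_hjt(log) if e.raw in picked]


if __name__ == "__main__":
    for line in fix_checked_candidates(SAMPLE_LOG, ["Registry Cleaner"]):
        print(line)
```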