Advice to clean one user on XP SP3 (sending spam)


  • This topic is locked
78 replies to this topic

#1 BostonDriver

Posted 16 June 2009 - 08:29 AM

Is there something like HiJack This which will look at a different user's settings?

I think I have the accounts not logged in when the virus/trojans arrived to the point where they can be used to run tools to find the rest (if any). At least one account, when it logs on, spams the net with bogus email.

This account is one of several used on an XP SP3 system which had McAfee detect dozens of Trojans, Spybot removed malware. MalwareBytes did not run successfully. The screen was taken over by some fake virus removal program.

I removed the disk and put it into a USB adapter and plugged this into another system and ran McAfee. McAfee detected 44 more items.

I also removed hidden files (and the directory)

C:\program Files\Manson\liser.exe
C:\program Files\Manson\liser.dll
C:\program Files\Manson

Anything in C:\Windows\System32 that had today's date on it was deleted. The same for any C:\Program Files\ suddenly created. C:\Windows\System32\Temp was emptied as it contained most of the trojans.


The disk was placed back into the original system. I booted my user account, not the one which caught the virus. Spybot complained about lots of registry entry attempts, all denied. I ran hijack this and removed some obvious entries.

It looks like my user account is "working". The other account now boots, but never gets to the point where I can open anything. It turns out that it's too busy sending spam email. I noticed TONS of SMTP traffic to random sites on the net looking at the traffic going through my router.

As far as I can tell, only this account has this issue. I'll check the others when I get a chance.

So, right now, I'm at least trying to get the spam to stop. After that, I'll see where I am and troubleshoot further.

Thanks for any suggestions.



#2 Guest_superbird_*

Posted 16 June 2009 - 09:16 AM

Hi,

Can you try the following in Safe Mode.

1.
  • Start MalwareBytes' Anti-Malware
  • MBAM will start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2. Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
If you need a tutorial, see here

Edited by superbird, 16 June 2009 - 09:30 AM.


#3 TSalarek

Posted 16 June 2009 - 09:25 AM

Hey Superbird, they already said MBAM wouldn't run and "The screen was taken over by some fake virus removal program."

http://www.bleepingcomputer.com/forums/t/405/antivirus-antimalware-and-antispyware-resources/ Overview of Good Products

http://www.bleepingcomputer.com/forums/t/171335/spyware-and-malware-removal-guides-index/ Scamware Removal Index (by name)

#4 Guest_superbird_*

Posted 16 June 2009 - 09:30 AM

Sorry, read over it the first time, edited my post. :thumbsup:

#5 BostonDriver

Posted 16 June 2009 - 09:37 AM

Thanks. Does it matter which account I log into? I doubt that the infected (well, obviously infected) account will let me do anything except spam the world, so I don't think I have much of a choice. But does this matter? Will e.g. Malwarebytes find problems in accounts that are not logged in?

Malwarebytes is already on the system. Can I use it (updating first of course)? Should I remove it first and download again?

In case it helps, one other thing I just remembered. For my user account, "tools->folder options" works so that account can toggle the viewing of hidden files. In the account which started all this, "tools->folder options" isn't available. The same with Control Panel, there is no "Folder Options" icon.

This problem account also gets "Registry Editing has been disabled by your administrator" when Hijack This tried to remove some entries which pointed to the removed "Manson" files I mentioned in the initial post.

If it matters, both Spybot and TeaTimer are installed/running (or should be) as well.


I'm curious if it is possible to put this disk in another (known good) system and run these (or other) tools on the disk? Can Malwarebytes, Hijack This, Spybot etc. be told to look at a different disk?

Again, thanks.

#6 BostonDriver

Posted 16 June 2009 - 09:52 AM

Sorry, read over it the first time, edited my post. :thumbsup:


I'll use safe mode (with networking so I can get the updates)

#7 Guest_superbird_*

Posted 16 June 2009 - 10:03 AM

Hi,

MBAM scans all user profiles, so just choose one.
Yes, you can just update MBAM, and run it.

Disable TeaTimer for now.

Try a full scan with MBAM in Safe Mode, and give me the logfile. :thumbsup:

#8 BostonDriver

Posted 16 June 2009 - 01:40 PM

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


If asked to reboot, should I reboot into safe mode again?

Edited by BostonDriver, 16 June 2009 - 01:41 PM.


#9 Guest_superbird_*

Posted 16 June 2009 - 01:46 PM

Yes. :thumbsup:

#10 BostonDriver

Posted 16 June 2009 - 02:32 PM

Yes. :thumbsup:


That's what I expected. MBAM is running now, in safe mode with networking.

Should there be any network traffic once the MBAM updates have been done? tcpdump shows a small amount of tcp traffic (html).

One example:

From my PC to  ev1s-209-62-7-253.theplanet.com.http

0x0020   5018 ffff bb9e 0000 504f 5354 202f 6861	P.......POST./ha
0x0030   626c 2f67 6174 652e 7068 7020 4854 5450	bl/gate.php.HTTP
0x0040   2f31 2e31 0d0a 4163 6365 7074 3a20 2a2f	/1.1..Accept:.*/
0x0050   2a0d 0a55 7365 722d 4167 656e 743a 204d	*..User-Agent:.M
0x0060   6f7a 696c 6c61 2f34 2e30 2028 636f 6d70	ozilla/4.0.(comp
0x0070   6174 6962 6c65 3b20 4d53 4945 2037 2e30	atible;.MSIE.7.0
0x0080   3b20 5769 6e64 6f77 7320 4e54 2035 2e31   ;.Windows.NT.5.1
0x0090   3b20 4754 4236 3b20 2e4e 4554 2043 4c52   ;.GTB6;..NET.CLR
0x00a0   2031 2e31 2e34 3332 3229 0d0a 486f 7374	.1.1.4322)..Host
0x00b0   3a20 6b65 7263 686f 6e2e 636f 6d0d 0a43	:.kerchon.com..C
0x00c0   6f6e 7465 6e74 2d4c 656e 6774 683a 2032	ontent-Length:.2
0x00d0   3730 0d0a 436f 6e6e 6563 7469 6f6e 3a20	70..Connection:.
0x00e0   4b65 6570 2d41 6c69 7665 0d0a 5072 6167	Keep-Alive..Prag


A GET example:

From my PC to  > ev1s-209-62-7-253.theplanet.com.http: P 1\


0x0020   5018 ffff 7b9e 0000 4745 5420 2f68 6366	P...{...GET./hcf
0x0030   672f 6861 626c 2e62 696e 2048 5454 502f	g/habl.bin.HTTP/
0x0040   312e 310d 0a41 6363 6570 743a 202a 2f2a	1.1..Accept:.*/*
0x0050   0d0a 5573 6572 2d41 6765 6e74 3a20 4d6f	..User-Agent:.Mo
0x0060   7a69 6c6c 612f 342e 3020 2863 6f6d 7061	zilla/4.0.(compa
0x0070   7469 626c 653b 204d 5349 4520 372e 303b	tible;.MSIE.7.0;
0x0080   2057 696e 646f 7773 204e 5420 352e 313b	.Windows.NT.5.1;
0x0090   2047 5442 363b 202e 4e45 5420 434c 5220	.GTB6;..NET.CLR.
0x00a0   312e 312e 3433 3232 290d 0a48 6f73 743a	1.1.4322)..Host:
0x00b0   206b 6572 6368 6f6e 2e63 6f6d 0d0a 5072	.kerchon.com..Pr
0x00c0   6167 6d61 3a20 6e6f 2d63 6163 6865 0d0a	agma:.no-cache..
0x00d0   0d0a									   ..


I may redo everything overnight, this time with safe mode and no network (since I have the latest MBAM now) and also with the Ethernet cable removed.
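
A defender's way to read the two dumps in the post above, as an added example that is not part of the original thread: it rebuilds the bytes from the hex columns, pulls out the HTTP request line and Host header, and lists requests to hosts outside an allowlist. The function names and the `EXPECTED_HOSTS` allowlist (a placeholder host) are assumptions; the hex lines are the ones posted above.

```python
import re

# Hex-dump lines as posted above (offset, hex words, ASCII column); only the
# whitespace before the ASCII column was normalised to two spaces.
CAPTURE = r"""
0x0020   5018 ffff bb9e 0000 504f 5354 202f 6861  P.......POST./ha
0x0030   626c 2f67 6174 652e 7068 7020 4854 5450  bl/gate.php.HTTP
0x0040   2f31 2e31 0d0a 4163 6365 7074 3a20 2a2f  /1.1..Accept:.*/
0x0050   2a0d 0a55 7365 722d 4167 656e 743a 204d  *..User-Agent:.M
0x0060   6f7a 696c 6c61 2f34 2e30 2028 636f 6d70  ozilla/4.0.(comp
0x0070   6174 6962 6c65 3b20 4d53 4945 2037 2e30  atible;.MSIE.7.0
0x0080   3b20 5769 6e64 6f77 7320 4e54 2035 2e31  ;.Windows.NT.5.1
0x0090   3b20 4754 4236 3b20 2e4e 4554 2043 4c52  ;.GTB6;..NET.CLR
0x00a0   2031 2e31 2e34 3332 3229 0d0a 486f 7374  .1.1.4322)..Host
0x00b0   3a20 6b65 7263 686f 6e2e 636f 6d0d 0a43  :.kerchon.com..C
0x00c0   6f6e 7465 6e74 2d4c 656e 6774 683a 2032  ontent-Length:.2
0x00d0   3730 0d0a 436f 6e6e 6563 7469 6f6e 3a20  70..Connection:.
0x00e0   4b65 6570 2d41 6c69 7665 0d0a 5072 6167  Keep-Alive..Prag

0x0020   5018 ffff 7b9e 0000 4745 5420 2f68 6366  P...{...GET./hcf
0x0030   672f 6861 626c 2e62 696e 2048 5454 502f  g/habl.bin.HTTP/
0x0040   312e 310d 0a41 6363 6570 743a 202a 2f2a  1.1..Accept:.*/*
0x0050   0d0a 5573 6572 2d41 6765 6e74 3a20 4d6f  ..User-Agent:.Mo
0x0060   7a69 6c6c 612f 342e 3020 2863 6f6d 7061  zilla/4.0.(compa
0x0070   7469 626c 653b 204d 5349 4520 372e 303b  tible;.MSIE.7.0;
0x0080   2057 696e 646f 7773 204e 5420 352e 313b  .Windows.NT.5.1;
0x0090   2047 5442 363b 202e 4e45 5420 434c 5220  .GTB6;..NET.CLR.
0x00a0   312e 312e 3433 3232 290d 0a48 6f73 743a  1.1.4322)..Host:
0x00b0   206b 6572 6368 6f6e 2e63 6f6d 0d0a 5072  .kerchon.com..Pr
0x00c0   6167 6d61 3a20 6e6f 2d63 6163 6865 0d0a  agma:.no-cache..
0x00d0   0d0a  ..
"""

# Hypothetical allowlist of hosts this PC is expected to contact during the
# scan; the entry is a placeholder, not a real update server.
EXPECTED_HOSTS = {"updates.example.invalid"}

HEXW = r"(?:[0-9a-fA-F]{2}){1,2}"  # one hex word: 1 or 2 bytes
LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):?\s+(" + HEXW + r"(?: " + HEXW + r")*)(?:\s|$)")
REQ_RE = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def decode_hexdump(text):
    """Rebuild packet bytes from dump lines; a break in the offsets starts a new packet."""
    packets, current, next_offset = [], bytearray(), None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dump line (blank line, tcpdump summary line, prose)
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if next_offset is not None and offset != next_offset:
            packets.append(bytes(current))
            current = bytearray()
        current += data
        next_offset = offset + len(data)
    if current:
        packets.append(bytes(current))
    return packets


def parse_http_request(packet):
    """Locate an HTTP request in raw packet bytes; leading TCP header bytes are skipped."""
    m = REQ_RE.search(packet)
    if not m:
        return None
    head, end_of_headers, _body = packet[m.end() - 2:].partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not end_of_headers:
        lines = lines[:-1]  # capture cut off mid-header: drop the partial last line
    headers = {}
    for raw in lines:
        name, colon, value = raw.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": m.group(1).decode(), "path": m.group(2).decode("latin-1"),
            "host": headers.get("host"), "headers": headers,
            "truncated": not end_of_headers}


def unexpected_requests(text, expected_hosts=EXPECTED_HOSTS):
    """Return the HTTP requests in a dump whose Host header is not on the allowlist."""
    findings = []
    for packet in decode_hexdump(text):
        req = parse_http_request(packet)
        if req and (req["host"] or "").lower() not in expected_hosts:
            findings.append(req)
    return findings


if __name__ == "__main__":
    for r in unexpected_requests(CAPTURE):
        cut = " [capture truncated]" if r["truncated"] else ""
        print(f'{r["method"]:5} host={r["host"]} path={r["path"]}{cut}')
```
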

#11 Guest_superbird_*

Posted 16 June 2009 - 02:43 PM

Hi,

You can run MBAM without an internet connection. :thumbsup:
Only for the update you need an internet connection.

#12 BostonDriver

Posted 16 June 2009 - 05:51 PM

Here is the log from mbam:


Malwarebytes' Anti-Malware 1.37
Database version: 2288
Windows 5.1.2600 Service Pack 3

6/16/2009 6:37:56 PM
mbam-log-2009-06-16 (18-37-56).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 336745
Time elapsed: 57 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 193

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\isadisk (Rootkit.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\isadisk (Rootkit.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\isadisk (Rootkit.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DhcpSrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b035261-40f9-11d1-aaec-00805fc1270e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\documents and settings\stephanie\local settings\Temp\zjhufhdfe.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\stephanie\local settings\temporary internet files\Content.IE5\2V6YP0Z2\molivjw[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\stephanie\local settings\temporary internet files\Content.IE5\ZT1LXVLS\wmijaaffs[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049564.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049565.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049566.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049568.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049569.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049570.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049571.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049572.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049573.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049574.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049575.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049576.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049577.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049578.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049579.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049580.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049581.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049583.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049584.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049586.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049589.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049591.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049592.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049593.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049594.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049596.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049597.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049598.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049599.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049600.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049601.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049602.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049603.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049604.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049605.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049606.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049607.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049608.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049609.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049610.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049611.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049612.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049613.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049614.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049616.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049617.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049618.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049619.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049620.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049621.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049623.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049624.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049625.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049627.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049633.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049634.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049636.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049643.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\system volume information\_restore{79541317-4d72-4a64-9e7b-d8b65fd6f9d1}\RP250\A0049644.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\isadisk.sys (Rootkit.GamesThief) -> Quarantined and deleted successfully.
c:\program files\microsoft common\mikec-I-renamed-svchost-2009jan16-3am.txt (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\microsoft common\old-svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
c:\documents and settings\Stephanie\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Stephanie\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Stephanie\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Stephanie\Local Settings\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netcfgx.dll:Zone.Identifier (Spyware.OnlineGames) -> Quarantined and deleted successfully.

#13 BostonDriver

Posted 16 June 2009 - 05:54 PM

I needed to reboot to clean a few up. As discussed, I rebooted into safe mode, with no networking this time. I'm running mbam again.

#14 BostonDriver

Posted 16 June 2009 - 07:00 PM

That second MBAM scan turned up 2 items. Here is the log. It requested that I reboot to complete. I did so, back into safe mode.

Malwarebytes' Anti-Malware 1.37
Database version: 2288
Windows 5.1.2600 Service Pack 3

6/16/2009 7:49:44 PM
mbam-log-2009-06-16 (19-49-44).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 336311
Time elapsed: 57 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP673\A0107741.sys (Rootkit.GamesThief) -> Quarantined and deleted successfully.

#15 BostonDriver

Posted 16 June 2009 - 08:03 PM

The last run did not detect any problems. I shut the machine off.

Let me know what you suggest as the next step.

Thanks



