Viruses - reader_s.exe, winlogon.exe, userinit.exe, etc.


15 replies to this topic

#1 ddirish

Posted 19 April 2010 - 04:23 PM

I have what appears to be a number of viruses that I would like to try and resolve. Can anyone help me or advise on how to proceed? When booting up I got messages about reader_s.exe, winlogon.exe and userinit.exe; can anyone please point me in the right direction?

Edited by ddirish, 19 April 2010 - 04:23 PM.



#2 Budapest

Moderator
Posted 19 April 2010 - 04:31 PM

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop: Download Link 1, Download Link 2.
MBAM may "make changes to your registry" as part of its disinfection routine. If you use other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 ddirish


Posted 19 April 2010 - 08:17 PM

Here's the MBAM report:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4009

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

4/19/2010 9:15:32 PM
mbam-log-2010-04-19 (21-15-32).txt

Scan type: Quick scan
Objects scanned: 119129
Time elapsed: 15 minute(s), 42 second(s)

Memory Processes Infected: 7
Memory Modules Infected: 5
Registry Keys Infected: 14
Registry Values Infected: 36
Registry Data Items Infected: 6
Folders Infected: 2
Files Infected: 56

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\QueryService\queryservice129.exe (Adware.Agent) -> Unloaded process successfully.
C:\Program Files\QueryService\queryservice.exe (Adware.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\ddunn\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\av_md.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\Documents and Settings\ddunn\av_md.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\QueryService\queryservice.dll (Adware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\fgjk4wvb.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\x61tps8i1r.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
C:\WINDOWS\system32\rdolib.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\queryservice (Adware.OneStep) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Fci (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\QueryService (Adware.OneStep) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\QueryService Service (Adware.OneStep) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tcpsr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsh87r3huiehf89esiudgd (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mediasolaris (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\rdolib.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\rdolib.dll -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.SearchPage) -> Bad: (http://join.clonecashsystem.com/track/NjU1ODMuMjYuMzEuMzUuMC4wLjAuMC4w) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\QueryService (Adware.OneStep) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\QueryService (Adware.OneStep) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\x61tps8i1r.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Program Files\QueryService\queryservice.dll (Adware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\fgjk4wvb.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\QueryService\queryservice129.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\QueryService\queryservice.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
C:\WINDOWS\Temp\ch9qr.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\1D.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opear.exe (Trojan.Sopiclick) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmdtc.exe (Trojan.Sopiclick) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PereSvc.exex (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rdolib.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\BtwSvc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSvc.dllx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PowerDes.exe (Trojan.Sopiclick) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRTA.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_342967787946.bk (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_734781121651.bk (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\txpxr_556063303658.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4.tmp (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\6.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\9.tmp (Trojan.Dropper.Gen) -> Delete on reboot.
C:\WINDOWS\Temp\txpxr_866030720107.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\QueryService\uninstall.exe (Adware.OneStep) -> Quarantined and deleted successfully.
C:\Clone Cash System.url (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\Favorites\Clone Cash System.url (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beeper.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mscert.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\Local Settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\ddunn\Local Settings\Temp\services.exe (Password.Stealer) -> Delete on reboot.
C:\WINDOWS\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\av_md.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\av_md.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win16.exe (Trojan.Agent) -> Quarantined and deleted successfully.
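As an added, defender-side example (not from the thread and not Malwarebytes code), here is a small Python parser for the MBAM 1.x text log format shown above. It pulls each detection line apart, tallies detections, lists the items still pending "Delete on reboot" (the reason the reboot step in the instructions matters), maps registry hits onto the autostart mechanism they abuse (Run keys, Winlogon Userinit, AppInit_DLLs, AppCertDlls, SSODL, services, scheduled tasks, BHOs) and extracts whatever was appended to the Userinit value. The embedded sample is a constructed excerpt of a few lines copied from the log posted above; the regexes, the mechanism table and all function names are my own assumptions about the layout, not anything Malwarebytes documents.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example: regexes, mechanism table and function names are assumptions
about the log layout seen in the thread, not Malwarebytes code.
"""
import re
from collections import Counter

# Constructed excerpt: a few lines copied from the MBAM 1.45 log posted above.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\rdolib.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\rdolib.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection per line: "<path or key> (<detection>) -> [details ->] <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<det>[\w.]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")

# Registry/file locations that yield code execution at boot or logon. First match wins.
PERSISTENCE = [
    (re.compile(r"\\Winlogon\\Userinit$", re.I), "Winlogon Userinit hijack"),
    (re.compile(r"\\Windows\\AppInit_DLLs$", re.I), "AppInit_DLLs injection"),
    (re.compile(r"\\Session Manager\\AppCertDlls\\", re.I), "AppCertDlls injection"),
    (re.compile(r"\\ShellServiceObjectDelayLoad\\", re.I), "Explorer SSODL autostart"),
    (re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.I), "Run key autostart"),
    (re.compile(r"\\Services\\[^\\]+$", re.I), "Windows service"),
    (re.compile(r"\\Browser Helper Objects\\", re.I), "IE Browser Helper Object"),
    (re.compile(r"\\Tasks\\[^\\]+\.job$", re.I), "Scheduled task"),
]


def classify_persistence(item):
    """Return the autostart mechanism a key or path abuses, or None for plain payload files."""
    for pattern, label in PERSISTENCE:
        if pattern.search(item):
            return label
    return None


def userinit_extras(bad_value):
    """Split a hijacked Winlogon\\Userinit value (comma separated, as MBAM prints it)
    and return every entry that is not the legitimate userinit.exe."""
    extras = []
    for entry in bad_value.split(","):
        entry = entry.strip()
        if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(entry)
    return extras


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section heading it sat under."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]          # e.g. "Registry Values Infected"
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue                     # header lines such as "Database version: 4009"
        parts = m.group("rest").split(" -> ")
        entry = {"section": section, "item": m.group("item"),
                 "detection": m.group("det"), "action": parts[-1].rstrip(".")}
        for detail in parts[:-1]:        # optional "Data: ..." or "Bad: (...) Good: (...)"
            if detail.startswith("Data: "):
                entry["data"] = detail[len("Data: "):]
            else:
                bg = BAD_GOOD_RE.match(detail)
                if bg:
                    entry["bad"], entry["good"] = bg.group("bad"), bg.group("good")
        entries.append(entry)
    return entries


def summarize(text):
    """Roll the parsed log up into what a responder wants at a glance."""
    entries = parse_mbam_log(text)
    summary = {
        "by_detection": Counter(e["detection"] for e in entries),
        "reboot_pending": [e["item"] for e in entries if e["action"] == "Delete on reboot"],
        "persistence": Counter(),
        "userinit_extras": [],
    }
    for e in entries:
        label = classify_persistence(e["item"])
        if label:
            summary["persistence"][label] += 1
        if label == "Winlogon Userinit hijack" and "bad" in e:
            summary["userinit_extras"].extend(userinit_extras(e["bad"]))
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("Detections:", dict(s["by_detection"]))
    print("Autostart mechanisms hit:", dict(s["persistence"]))
    print("Appended to Userinit:", s["userinit_extras"])
    print("Still pending 'Delete on reboot':", s["reboot_pending"])
```

Run it against the full log pasted above rather than the excerpt and the persistence tally is the useful part: every registry hit is a foothold that would re-launch the payload at the next logon, which is why a second scan after the reboot (as requested in the next reply) is the right move, and why the "Delete on reboot" list must be empty before the machine is considered clean.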

#4 Budapest

Moderator
Posted 19 April 2010 - 08:25 PM

Run the Malwarebytes scan again and post the new log.

#5 ddirish


Posted 19 April 2010 - 08:49 PM

new log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4009

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

4/19/2010 9:48:26 PM
mbam-log-2010-04-19 (21-48-26).txt

Scan type: Quick scan
Objects scanned: 118675
Time elapsed: 10 minute(s), 15 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 14
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\msxsltsso.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\VRTA.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8.tmp (Trojan.Dropper.Gen) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SO3MCJC9\w[1].bin (Trojan.Sopiclick) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxsltsso.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSvc.dll (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\ddunn\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PereSvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\ddunn\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Delete on reboot.

#6 boopme

Global Moderator

Posted 19 April 2010 - 09:14 PM

Hello, I would like to see if we can verify an infection here as you have recurring Bots.
I would also advise you of this here...
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 ddirish


Posted 19 April 2010 - 09:23 PM

Interesting - for some reason I can't access BitDefender. When I go to another computer I can get at it easily. Could this bot be blocking me?

#8 boopme

Global Moderator

Posted 19 April 2010 - 09:25 PM

Yes... run RKill....

Please download Rkill by Grinler and save it to your desktop (alternative downloads: Link 2, Link 3, Link 4).
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again.

^^

If you get an alert that Rkill is "infected", ignore it. The alert is just a fake warning given by the rogue software which tries to terminate programs that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.


Now try BitDefender.

#9 ddirish


Posted 19 April 2010 - 09:32 PM

I tried all 4 Rkills to no avail. I appreciate your help. I have to head out for tonight. If you have any additional thoughts please let me know and I can attack it again in the morning.

Edited by ddirish, 19 April 2010 - 09:37 PM.


#10 boopme

Global Moderator

Posted 19 April 2010 - 09:43 PM

Ok, try them several times in a row (each one).

Have you tried booting in safe mode and running FixeXe Reg, RKill and an MBAM quick scan?

#11 ddirish


Posted 21 April 2010 - 09:10 AM

Whew! Finally got BitDefender to work. Here's the report:

QuickScan Beta 32-bit v0.9.9.18
-------------------------------

Scan date: Wed Apr 21 09:59:42 2010
Machine ID: 349D24FD
Found 46 infected files!
------------------------

C:\WINDOWS\system32\sessmgr.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\RDSessMgr\"ImagePath"

C:\WINDOWS\System32\imapi.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\ImapiService\"ImagePath"

C:\WINDOWS\system32\clipsrv.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\ClipSrv\"ImagePath"

C:\WINDOWS\System32\wbem\unsecapp.exe --> Win32.Virtob.Gen.12
--> Process unsecapp.exe (2948)

C:\WINDOWS\system32\mnmsrvc.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\mnmsrvc\"ImagePath"

C:\WINDOWS\system32\cmd.exe --> Win32.Virtob.Gen.12
--> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell"

C:\WINDOWS\System32\6224.exe --> Win32.Virtob.Gen.12
--> Process 6224.exe (4132)

C:\WINDOWS\System32\PereSvc.exe --> Win32.Virtob.Gen.12
--> Process PereSvc.exe (3248)

C:\WINDOWS\system32\tlntsvr.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\TlntSvr\"ImagePath"

C:\WINDOWS\System32\ups.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\UPS\"ImagePath"

C:\WINDOWS\System32\vssvc.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\VSS\"ImagePath"

C:\WINDOWS\System32\Rundll32.exe --> Win32.Virtob.Gen.12
--> Process Rundll32.exe (2260)

C:\WINDOWS\Explorer.EXE --> Win32.Virtob.Gen.12
--> Process Explorer.EXE (1480)

C:\WINDOWS\System32\dllhost.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\COMSysApp\"ImagePath"

C:\WINDOWS\System32\wbem\wmiprvse.exe --> Win32.Virtob.Gen.12
--> Process wmiprvse.exe (2980)

C:\WINDOWS\System32\inetsrv\inetinfo.exe --> Win32.Virtob.Gen.12
--> Process inetinfo.exe (1016)

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe --> Win32.Virtob.Gen.12
--> Process mdm.exe (1072)

C:\WINDOWS\System32\WLTRYSVC.EXE --> Win32.Virtob.Gen.12
--> Process WLTRYSVC.EXE (240)

C:\WINDOWS\System32\rsvp.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\RSVP\"ImagePath"

C:\WINDOWS\system32\smlogsvc.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\SysmonLog\"ImagePath"

C:\WINDOWS\System32\msiexec.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\MSIServer\"ImagePath"

C:\WINDOWS\system32\netdde.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\NetDDEdsdm\"ImagePath"

C:\WINDOWS\TEMP\xq8i.exe --> Win32.Virtob.Gen.12
--> \Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"zh5l"

C:\WINDOWS\System32\alg.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\ALG\"ImagePath"

C:\WINDOWS\System32\svchost.exe --> Win32.Virtob.Gen.12
--> Process svchost.exe (224)

C:\WINDOWS\System32\wbem\wmiapsrv.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\WmiApSrv\"ImagePath"

c:\windows\system32\userinit.exe --> Win32.Virtob.Gen.12
--> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit"

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\OKI OPHC DCS Loader\"ImagePath"

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe --> Win32.Virtob.Gen.12
--> HKLM\Software\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}\"Exec"

C:\WINDOWS\system32\msmesslb.dll --> Trojan.PWS.Onlinegames.KDDP
--> Process bcmwltry.exe (504)

C:\WINDOWS\system32\spoolsv.exe --> Win32.Virtob.Gen.12
--> Process spoolsv.exe (408)

C:\WINDOWS\system32\w.exe --> Win32.Virtob.Gen.12
--> Process w.exe (1248)

C:\WINDOWS\system32\msdtc.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\MSDTC\"ImagePath"

C:\WINDOWS\system32\StacSV.exe --> Win32.Virtob.Gen.12
--> Process StacSV.exe (1320)

C:\DOCUME~1\ddunn\LOCALS~1\Temp\xq8i.exe --> Win32.Virtob.Gen.12
--> Process xq8i.exe (2920)

C:\Program Files\Internet Explorer\iexplore.exe --> Win32.Virtob.Gen.12
--> Process iexplore.exe (6108)

C:\WINDOWS\system32\msxsltsso.dll --> Rootkit.33442
--> Process svchost.exe (4472)

C:\WINDOWS\System32\locator.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\RpcLocator\"ImagePath"

C:\WINDOWS\stsystra.exe --> Win32.Virtob.Gen.12
--> Process stsystra.exe (3684)

C:\WINDOWS\System32\drivers\NDIS.sys --> Rootkit.Kobcka.Patched.Gen
--> HKLM\System\ControlSet002\services\NDIS

C:\WINDOWS\System32\dmadmin.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\dmadmin\"ImagePath"

C:\WINDOWS\system32\cisvc.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\CiSvc\"ImagePath"

C:\WINDOWS\system32\mswyrwzq.dll --> Trojan.PWS.Onlinegames.KDDP
--> Process wcescomm.exe (1408)

C:\WINDOWS\System32\SCardSvr.exe --> Win32.Virtob.Gen.12
--> Process SCardSvr.exe (1176)

C:\WINDOWS\system32\logonui.exe --> Win32.Virtob.Gen.12
--> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"UIHost"

C:\WINDOWS\System32\ctfmon.exe --> Win32.Virtob.Gen.12
--> Process ctfmon.exe (3648)



Processes
---------
<unsigned> 2940 C:\Documents and Settings\ddunn\Local Settings\Temp\xq8i.exe
<unsigned> 2920 C:\Documents and Settings\ddunn\Local Settings\Temp\xq8i.exe
<unsigned> C-Major Audio 3684 C:\WINDOWS\stsystra.exe
<unsigned> C-Major Audio 1320 C:\WINDOWS\system32\StacSV.exe
<unsigned> Dell Wireless WLAN Card Wireless Networ 504 C:\WINDOWS\System32\bcmwltry.exe
<unsigned> ebkmans nglw almdwjdltd 4132 C:\WINDOWS\System32\6224.exe
<unsigned> ensure app 3248 C:\WINDOWS\System32\PereSvc.exe
<unsigned> Internet Information Services 1016 C:\WINDOWS\System32\inetsrv\inetinfo.exe
<unsigned> Microsoft® Visual Studio .NET 1072 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
<unsigned> Microsoft® Windows® Operating System 6108 C:\Program Files\Internet Explorer\iexplore.exe
<unsigned> Microsoft® Windows® Operating System 1480 C:\WINDOWS\Explorer.EXE
<unsigned> Microsoft® Windows® Operating System 3648 C:\WINDOWS\System32\ctfmon.exe
<unsigned> Microsoft® Windows® Operating System 2260 C:\WINDOWS\System32\Rundll32.exe
<unsigned> Microsoft® Windows® Operating System 3696 C:\WINDOWS\System32\RUNDLL32.EXE
<unsigned> Microsoft® Windows® Operating System 3636 C:\WINDOWS\System32\RUNDLL32.EXE
<unsigned> Microsoft® Windows® Operating System 1176 C:\WINDOWS\System32\SCardSvr.exe
<unsigned> Microsoft® Windows® Operating System 408 C:\WINDOWS\system32\spoolsv.exe
<unsigned> Microsoft® Windows® Operating System 224 C:\WINDOWS\System32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 2340 C:\WINDOWS\System32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 3328 C:\WINDOWS\System32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 4472 C:\WINDOWS\system32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 1164 C:\WINDOWS\System32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 4592 C:\WINDOWS\System32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 2004 C:\WINDOWS\System32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 1556 C:\WINDOWS\system32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 1740 C:\WINDOWS\system32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 1832 C:\WINDOWS\System32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 2528 C:\WINDOWS\System32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 2096 C:\WINDOWS\system32\svchost.exe
<unsigned> Microsoft® Windows® Operating System 2948 C:\WINDOWS\System32\wbem\unsecapp.exe
<unsigned> Microsoft® Windows® Operating System 2980 C:\WINDOWS\System32\wbem\wmiprvse.exe
<unsigned> Project1 3564 C:\Documents and Settings\ddunn\Local Settings\Temp\794046998023987.exe
<unsigned> w.exe 1248 C:\WINDOWS\system32\w.exe
<unsigned> WLTRYSVC.EXE 240 C:\WINDOWS\System32\WLTRYSVC.EXE

<verified> Apple Mobile Device Service 808 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
<verified> Bonjour 864 C:\Program Files\Bonjour\mDNSResponder.exe
<verified> Cisco Systems VPN Client 944 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
<verified> Client and Host Security Platform 896 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
<verified> Digital Line Detection 2296 C:\Program Files\Digital Line Detect\DLG.exe
<verified> Firefox 7604 C:\Program Files\Mozilla Firefox\firefox1.exe
<verified> FlipShare 984 C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
<verified> Intel® Common User Interface 3544 C:\WINDOWS\system32\hkcmd.exe
<verified> Intel® Common User Interface 3628 C:\WINDOWS\system32\igfxpers.exe
<verified> Intel® Common User Interface 3464 C:\WINDOWS\system32\igfxsrvc.exe
<verified> Microsoft ActiveSync 2460 C:\Program Files\Microsoft ActiveSync\rapimgr.exe
<verified> Microsoft ActiveSync 1408 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
<verified> Microsoft® Windows® Operating System 1272 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 1360 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 1344 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 1216 C:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 1300 C:\WINDOWS\system32\winlogon.exe
<verified> RealPlayer (32-bit) 2972 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
<verified> Symantec AntiVirus 956 C:\Program Files\Symantec AntiVirus\DefWatch.exe
<verified> Windows Defender 1792 C:\Program Files\Windows Defender\MsMpEng.exe


Autoruns and critical files
---------------------------
<unsigned> C:\WINDOWS\TEMP\xq8i.exe
<unsigned> C-Major Audio C:\WINDOWS\stsystra.exe
<unsigned> Microsoft® Windows® Operating System C:\WINDOWS\System32\ctfmon.exe
<unsigned> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<unsigned> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<unsigned> msmesslb.dll C:\WINDOWS\system32\msmesslb.dll
<unsigned> mswyrwzq.dll C:\WINDOWS\system32\mswyrwzq.dll
<unsigned> msxsltsso.dll C:\WINDOWS\system32\msxsltsso.dll
<unsigned> QuickTime C:\Program Files\QuickTime\qttask.exe

<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
<verified> Cisco Systems VPN Client C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
<verified> Digital Line Detection C:\Program Files\Digital Line Detect\DLG.exe
<verified> Google Update C:\Documents and Settings\ddunn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
<verified> Intel® Common User Interface C:\WINDOWS\system32\hkcmd.exe
<verified> Intel® Common User Interface C:\WINDOWS\system32\igfxdev.dll
<verified> Intel® Common User Interface C:\WINDOWS\system32\igfxpers.exe
<verified> Intel® Common User Interface C:\WINDOWS\system32\igfxtray.exe
<verified> Microsoft ActiveSync C:\Program Files\Microsoft ActiveSync\wcescomm.exe
<verified> Microsoft Genuine Advantage C:\WINDOWS\system32\KB905474\wgasetup.exe
<verified> Microsoft Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\upnpui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\webcheck.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
<verified> Microsoft® Windows® Operating System D:\setup.exe
<verified> RealPlayer (32-bit) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
<verified> Symantec AntiVirus C:\WINDOWS\system32\NavLogon.dll
<verified> Windows Defender C:\Program Files\Windows Defender\MpCmdRun.exe
<verified> Windows Defender c:\program files\windows defender\mpshhook.dll


Browser plugins
---------------
<unsigned> Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> Cooliris for Firefox C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
<unsigned> coolirisstub.dll C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
<unsigned> DreamFactory Netscape Plugin C:\Program Files\Mozilla Firefox\plugins\NPdfac.dll
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> LaunchCooliris.exe C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
<unsigned> Messenger C:\Program Files\Messenger\msmsgs.exe
<unsigned> Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<unsigned> npcoolirisplugin.dll C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
<unsigned> PicLensHelper.exe C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> TeaLeaf Client-Side Capture C:\Program Files\TeaLeaf\TLCSC.dll

<verified> ActiveTouch General Plugin Container C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
<verified> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<verified> Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified> Adobe PDF Toolbar for IE C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
<verified> atcliun C:\Program Files\Mozilla Firefox\plugins\atcliun.exe
<verified> AtMcCli Module C:\Program Files\Mozilla Firefox\plugins\atmccli.dll
<verified> AtMgr Module C:\Program Files\Mozilla Firefox\plugins\atmgr.exe
<verified> bdoscandel.exe C:\WINDOWS\bdoscandel.exe
<verified> bdscanonline C:\WINDOWS\Downloaded Program Files\oscan82.ocx
<verified> BitDefender QuickScan C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
<verified> ipsupd.dll C:\WINDOWS\Downloaded Program Files\ipsupd.dll
<verified> Microsoft Office 2003 C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
<verified> Microsoft® Windows Live OneCare C:\WINDOWS\Downloaded Program Files\wlscBase.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shdocvw.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> msdxm.ocx c:\windows\system32\msdxm.ocx
<verified> MWMCli Module C:\Program Files\Mozilla Firefox\plugins\mwmcli.dll
<verified> mwmStd Module C:\Program Files\Mozilla Firefox\plugins\mwmstd.exe
<verified> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<verified> nppdf32.DEU C:\Program Files\Mozilla Firefox\plugins\nppdf32.DEU
<verified> nppdf32.FRA C:\Program Files\Mozilla Firefox\plugins\nppdf32.FRA
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Picasa C:\Program Files\Google\Picasa3\npPicasa3.dll
<verified> Pixomatic C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
<verified> RealJukebox NS Plugin C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
<verified> RealJukebox NS Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<verified> RealPlayer Version Plugin C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
<verified> RealPlayer Version Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<verified> RealPlayer™ G2 LiveConnect-Enabled P C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
<verified> RealPlayer™ G2 LiveConnect-Enabled P C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
<verified> Shockwave for Director C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
<verified> Shockwave for Director C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
<verified> Silverlight Plug-In C:\Program Files\Microsoft Silverlight\3.0.40818.0\npctrl.dll
<verified> WebEx Download Module C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
<verified> WebEx Download Module C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
<verified> WebEx Download Module C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
<verified> Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll


Missing files
-------------
File not found: C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeBridge"

File not found: C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Search Protection"

File not found: C:\WINDOWS\system32\C.tmp.exe
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"11745"


Scan
----
<unsigned> MD5: 2ed8842e75198a94802fa56eb12157e1 C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
<unsigned> MD5: 96ff82f0f9b03d4fcb8db9768573d5e8 C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
<unsigned> MD5: 6d610dbe1decee0cfb5d905c21b578d7 C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
<unsigned> MD5: 47634adeb0e42512a3da3e2b8af42f56 C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
<unsigned> MD5: 500d43fd21d9b0b90d56b5f7c044779e C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
<unsigned> MD5: c0b06038925bac3d7c996bb240007c88 C:\Documents and Settings\ddunn\Local Settings\Temp\794046998023987.exe
<unsigned> MD5: c39b33282da13e317e6a7c2b54815f05 C:\Documents and Settings\ddunn\Local Settings\Temp\xq8i.exe
<unsigned> MD5: c0b06038925bac3d7c996bb240007c88 C:\DOCUME~1\ddunn\LOCALS~1\Temp\794046998023987.exe
<unsigned> MD5: c39b33282da13e317e6a7c2b54815f05 C:\DOCUME~1\ddunn\LOCALS~1\Temp\xq8i.exe
<unsigned> MD5: 292f92469efb2fd402e00742c06d539d C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> MD5: 922a5ba95a0e5113b671d8ffce27e109 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
<unsigned> MD5: 813a6badd6214f1dd2e33606c0a7ee9f C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
<unsigned> MD5: 8f31dbab32761d4beb028596db8fcbb0 C:\Program Files\Internet Explorer\iexplore.exe
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> MD5: c0af8b13edd39f2fec8c534f68aa2641 C:\Program Files\Messenger\msmsgs.exe
<unsigned> MD5: 9df996acd9c55795f3f43df548a14174 C:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned> MD5: 4bb65df89915a8bc342ed7c7c1626795 C:\Program Files\Mozilla Firefox\nssdbm3.dll
<unsigned> MD5: 8a73444ad0a14d8a2c1d73e0820de8af C:\Program Files\Mozilla Firefox\plugins\NPdfac.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> MD5: c58807b4cc5e4a6e445ec3818ad8646c C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> MD5: 7e8027043fae242f0a3d60322151dfc5 C:\Program Files\Mozilla Firefox\softokn3.dll
<unsigned> MD5: c406e19f08b087eb01e26365b0f50558 C:\Program Files\Pure Digital Technologies\FlipShare\QtCore4.dll
<unsigned> MD5: c04ac49aea00658757c8e1f8934c994e C:\Program Files\QuickTime\qttask.exe
<unsigned> MD5: b6cd711fa63c0af070cfdb44dfea2378 C:\Program Files\TeaLeaf\TLCSC.dll
<unsigned> MD5: 76a00442d6bfc66e754ac2ed427d0010 C:\Program Files\Windows Media Player\WMPNetwk.exe
<unsigned> MD5: 11e968c7a4a06c8ccd0b246dabb32142 C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> MD5: 0a1ee7d5734895e237ee873cffc62e5b C:\WINDOWS\Explorer.EXE
<unsigned> MD5: 392e0408c775a686977dca4a9af2ee6d C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<unsigned> MD5: 74ef1a3f6dcd033d4d3dd90a667d4586 C:\WINDOWS\stsystra.exe
<unsigned> MD5: ef28bfc410c9015b5269cee53c16ec34 C:\WINDOWS\System32\6224.exe
<unsigned> MD5: e754325eb2dafac8d710403250935505 C:\WINDOWS\System32\alg.exe
<unsigned> MD5: 9d2dce0d5ea6023e6d4f2d5851564782 C:\WINDOWS\System32\bcmwltry.exe
<unsigned> MD5: 5bae807bda31278c4165e9cc1639ed7d C:\WINDOWS\system32\BtwSvc.dll
<unsigned> MD5: 4b6b13e0be04efd570c76688b9402723 C:\WINDOWS\system32\cisvc.exe
<unsigned> MD5: 0aeb3d4805b44e7053994e4527ec97e9 C:\WINDOWS\system32\clipsrv.exe
<unsigned> MD5: e56ca8866b973ffad068c67e14bd7ede C:\WINDOWS\system32\cmd.exe
<unsigned> MD5: 0e47cd6e5392fd3d3f9041bdd0770200 C:\WINDOWS\System32\ctfmon.exe
<unsigned> MD5: 2016022d8ffca989544d27654f064583 C:\WINDOWS\System32\dllhost.exe
<unsigned> MD5: 3e1d049642d52f9a4cb63a94467c4ed7 C:\WINDOWS\System32\dmadmin.exe
<unsigned> MD5: 4a2a552c4d1dec844a165b90ce4ac7aa C:\WINDOWS\System32\drivers\CVPNDRVA.sys
<unsigned> MD5: fa790949011c3b84a78af9117a6c9f8b C:\WINDOWS\system32\DRIVERS\lknuhst.sys
<unsigned> MD5: 2a53142439b320d461faae34dc5abffc C:\WINDOWS\system32\DRIVERS\lknuhub.sys
<unsigned> MD5: fcc1a40e2e65d58d255c267102917b86 C:\WINDOWS\System32\drivers\NDIS.sys
<unsigned> MD5: 904571ee28f8f7d98b3ef1635a77c6d4 C:\WINDOWS\System32\drivers\WPSNUIO.sys
<unsigned> MD5: cbd342ccf5eb0a021883417a243db650 C:\WINDOWS\System32\imapi.exe
<unsigned> MD5: 4d67c0e8462afcb3f7f207ff10017182 C:\WINDOWS\System32\inetsrv\inetinfo.exe
<unsigned> MD5: 5841180105616991bca29f0a4e11e4bd C:\WINDOWS\System32\locator.exe
<unsigned> MD5: 4e2eeb4982efb56ada7afd3f95ae70eb C:\WINDOWS\system32\logonui.exe
<unsigned> MD5: d90ee2408fd2aea9b45efed2cfc825e6 C:\WINDOWS\system32\mnmsrvc.exe
<unsigned> MD5: a10db333504bc2d1625eebaa39692d1f C:\WINDOWS\system32\msdtc.exe
<unsigned> MD5: 3ee4981523ee6199372d76f25792122d C:\WINDOWS\System32\msiexec.exe
<unsigned> MD5: dab9323d1286464e379f7f0a0291fd40 C:\WINDOWS\system32\msmesslb.dll
<unsigned> MD5: e42e7bdf776e28cb3b21ffdc5d96ecae C:\WINDOWS\system32\mswyrwzq.dll
<unsigned> MD5: 3fdc8ea99760efbbe231313bd14878dc C:\WINDOWS\system32\msxsltsso.dll
<unsigned> MD5: 6384c98c08cdb517dbd4b240dd37dad0 C:\WINDOWS\system32\netdde.exe
<unsigned> MD5: 9d8ac7cfd986a2c2fc113c567e187df6 C:\WINDOWS\System32\PereSvc.exe
<unsigned> MD5: f02d1c37c0e812432e17a3ae260219d9 C:\WINDOWS\System32\rsvp.exe
<unsigned> MD5: d228d05eea82726d7f7834bde1e7b30b C:\WINDOWS\System32\Rundll32.exe
<unsigned> MD5: a8a954d8f9fdc6fa686be6fc6661981d C:\WINDOWS\System32\SCardSvr.exe
<unsigned> MD5: e253845782c6e855a4d2b234f84f0486 C:\WINDOWS\system32\sessmgr.exe
<unsigned> MD5: aeef2819a399b414953d88cb2450b0d3 C:\WINDOWS\system32\smlogsvc.exe
<unsigned> MD5: 6c9d0d9a0576831d58853b50e618114b C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
<unsigned> MD5: 2a98865adf57732db5069702249ec7d4 C:\WINDOWS\system32\spoolsv.exe
<unsigned> MD5: 87aa49811356df533193e8001b2fcec0 C:\WINDOWS\system32\StacSV.exe
<unsigned> MD5: 2390ba8ff3259c157171f82c9b56df52 C:\WINDOWS\System32\svchost.exe
<unsigned> MD5: c3803ee823adf62c981cbcd3d2539a27 C:\WINDOWS\system32\tlntsvr.exe
<unsigned> MD5: 245279bbd48df82f4dd261ad390dc212 C:\WINDOWS\System32\ups.exe
<unsigned> MD5: cc0bfe7c46e36e609339ce2cb28aee9f c:\windows\system32\userinit.exe
<unsigned> MD5: 83e2fdbbbb5d29d083daaadaf3aea703 C:\WINDOWS\System32\vssvc.exe
<unsigned> MD5: 0f1a545f197a30f401f4943f66060cfd C:\WINDOWS\system32\w.exe
<unsigned> MD5: f4208ec74d3ab2f8f1332d2804dba38f C:\WINDOWS\System32\wbem\unsecapp.exe
<unsigned> MD5: 452a4d976e6c42d7cc155596833175c7 C:\WINDOWS\System32\wbem\wmiapsrv.exe
<unsigned> MD5: 2aad1f6a79d1f74c6b00bd0a558297e4 C:\WINDOWS\System32\wbem\wmiprvse.exe
<unsigned> MD5: 841ce60497b580cb8d8582176a73debd C:\WINDOWS\System32\WLTRYSVC.EXE
<unsigned> MD5: 972168f52d0a7c95b6830d6e2f7071ef C:\WINDOWS\TEMP\xq8i.exe
<unsigned> MD5: 4721ab485e0c29cd1617a5f296b9cc47 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll

The following file(s) must be uploaded for server-side scanning:
C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\ddunn\Application Data\Mozilla\Firefox\Profiles\x926htb7.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
C:\WINDOWS\System32\PereSvc.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\BtwSvc.dll
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\system32\smlogsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Downloaded Program Files\dwusplay.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\TeaLeaf\TLCSC.dll
C:\WINDOWS\TEMP\xq8i.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\ddunn\Local Settings\Temp\xq8i.exe
C:\WINDOWS\system32\w.exe
C:\WINDOWS\system32\StacSV.exe
C:\DOCUME~1\ddunn\LOCALS~1\Temp\xq8i.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\drivers\NDIS.sys
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Mozilla Firefox\plugins\NPdfac.dll
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\logonui.exe

Upload started - 36 file(s)
PereSvc.exe (64512)
spoolsv.exe (71168)
xq8i.exe (78848)
xq8i.exe (78848)
msiexec.exe (84480)
tlntsvr.exe (87552)
locator.exe (88064)
w.exe (89088)
stllssvr.exe (94208)
smlogsvc.exe (102912)
StacSV.exe (110592)
iexplore.exe (111104)
SCardSvr.exe (113152)
netdde.exe (125952)
wmiapsrv.exe (137216)
imapi.exe (143872)
sessmgr.exe (148992)
rsvp.exe (152576)
dwusplay.exe (217088)
wmiprvse.exe (223744)
dmadmin.exe (224768)
vssvc.exe (295424)
stsystra.exe (323584)
mdm.exe (356352)
LaunchCooliris.exe (364544)
cmd.exe (395776)
qttask.exe (438272)
logonui.exe (524288)
xpnetdiag.exe (578048)
WMPNetwk.exe (933376)
PicLensHelper.exe (969820)
Explorer.EXE (1024000)
BtwSvc.dll (44544)
NDIS.sys (192256)
TLCSC.dll (565248)
Upload speed - 21 KB/s
Upload finished - 36 uploaded, 0 failed

Scan finished - communication took 427 sec
Total traffic - 9.14 MB sent, 1.74 KB recvd
Scanned 790 files and modules - 432 seconds
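
As an added triage aid (not part of the thread and not the scanner's own code), the following Python parses the detection block of a report in the format posted above and groups the hits by threat name and by the kind of location each one was found in (running process, service ImagePath, Winlogon value, SafeBoot AlternateShell, Run key). The report excerpt embedded in it is a constructed subset of the entries above; the location categories are labels chosen here, not the scanner's.

```python
"""Triage a quick-scan report in the format posted above.

Added example, not the scanner's own code. SAMPLE_REPORT is a constructed
subset of the entries in the thread; the location categories are labels
chosen here, not the scanner's.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt: eight of the detections copied from the report above.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\cmd.exe --> Win32.Virtob.Gen.12
--> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell"

C:\WINDOWS\System32\6224.exe --> Win32.Virtob.Gen.12
--> Process 6224.exe (4132)

C:\WINDOWS\System32\ups.exe --> Win32.Virtob.Gen.12
--> HKLM\System\ControlSet002\services\UPS\"ImagePath"

C:\WINDOWS\TEMP\xq8i.exe --> Win32.Virtob.Gen.12
--> \Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"zh5l"

c:\windows\system32\userinit.exe --> Win32.Virtob.Gen.12
--> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit"

C:\WINDOWS\system32\msmesslb.dll --> Trojan.PWS.Onlinegames.KDDP
--> Process bcmwltry.exe (504)

C:\WINDOWS\System32\drivers\NDIS.sys --> Rootkit.Kobcka.Patched.Gen
--> HKLM\System\ControlSet002\services\NDIS

C:\WINDOWS\system32\logonui.exe --> Win32.Virtob.Gen.12
--> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"UIHost"

Processes
---------
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) --> (?P<threat>\S+)$")
LOCATION_PREFIX = "--> "
BOOT_CRITICAL = {"Winlogon value", "SafeBoot AlternateShell"}


@dataclass
class Detection:
    path: str
    threat: str
    locations: list = field(default_factory=list)


def parse_report(text):
    """Read 'path --> threat' lines and the '--> location' lines under each,
    stopping at the 'Processes' section header."""
    detections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Processes":
            break
        if not line:
            continue
        if line.startswith(LOCATION_PREFIX):
            if detections:
                detections[-1].locations.append(line[len(LOCATION_PREFIX):])
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m.group("path"), m.group("threat")))
    return detections


def classify_location(loc):
    """Label where a detection lives: a running process or a persistence point."""
    low = loc.lower()
    if low.startswith("process "):
        return "running process"
    if "safeboot" in low:
        return "SafeBoot AlternateShell"      # shell launched in Safe Mode
    if "\\winlogon\\" in low:
        return "Winlogon value"               # Userinit / UIHost, run at logon
    if "\\services\\" in low:
        return "service ImagePath" if low.endswith('"imagepath"') else "service/driver key"
    if "\\run\\" in low:
        return "Run key"
    if "internet explorer\\extensions" in low:
        return "IE extension"
    return "other"


def summarize(detections):
    """Counts per threat and per location kind, plus the two lists a responder
    looks at first: logon/safe-boot hijacks and files dropped under a Temp dir."""
    by_threat = Counter(d.threat for d in detections)
    by_kind = Counter(classify_location(loc) for d in detections for loc in d.locations)
    boot_critical = sorted(
        d.path for d in detections
        if any(classify_location(loc) in BOOT_CRITICAL for loc in d.locations))
    dropped_in_temp = sorted(d.path for d in detections if "\\temp\\" in d.path.lower())
    return {"by_threat": by_threat, "by_kind": by_kind,
            "boot_critical": boot_critical, "dropped_in_temp": dropped_in_temp}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run against the full report above, the "Winlogon value" and "SafeBoot AlternateShell" buckets are what make the reformat advice later in the thread unavoidable: userinit.exe, logonui.exe and the Safe Mode shell are all flagged, so every boot path runs infected code before any cleaner can.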

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:30 PM

Posted 21 April 2010 - 09:46 AM

I'm afraid I have very bad news.

Your system is infected with a nasty variant of the Virut virus, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. See Threat aliases for Win32.Virtob.Gen.12

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). The Virux and Win32/Virut.17408 variants are even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut, it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

Virut is commonly spread via a flash drive (USB, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way, you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change all passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Because your computer was compromised, please read:

Since Virut is not effectively disinfectable, your best option is to perform a full reformat, as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
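
quietman7 notes above that some Virut variants modify the HOSTS file to block access to security-related sites. The check below is an added example, not code from the thread or from any of the vendors named in it; the WATCHED_SUFFIXES list and the SAMPLE_HOSTS contents are constructed. It treats both sinkhole entries (127.0.0.1 or 0.0.0.0) and redirects to any other address as suspicious, since a clean HOSTS file maps none of these names.

```python
"""Flag HOSTS entries that block or redirect security-vendor sites.

Added example for the HOSTS tampering described above; not code from the
thread. WATCHED_SUFFIXES and SAMPLE_HOSTS are constructed.
"""
import ipaddress

# Constructed list of vendor/update domains a clean machine should reach directly.
WATCHED_SUFFIXES = (
    "bitdefender.com", "symantec.com", "mcafee.com", "trendmicro.com", "avg.com",
    "kaspersky.com", "microsoft.com", "windowsupdate.com", "virustotal.com",
)

# Constructed sample: a stock HOSTS file with a few tampered lines added.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.bitdefender.com       # sinkholed
127.0.0.1       www.symantec.com
0.0.0.0         update.microsoft.com
192.0.2.10      www.virustotal.com        # redirected to a TEST-NET address
10.0.0.5        intranet.example          # unrelated local entry, not flagged
"""


def is_sinkhole(ip):
    """True for loopback or the unspecified address: mappings that just block the name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Return (ip, hostname) pairs, dropping comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def watched(name):
    """Exact match or subdomain of one of the watched vendor domains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """(hostname, ip, kind) for every watched domain mapped anywhere at all: a
    sinkhole blocks the site, any other address redirects it, and neither belongs
    in a clean HOSTS file."""
    hits = []
    for ip, name in parse_hosts(text):
        if watched(name):
            hits.append((name, ip, "blocked" if is_sinkhole(ip) else "redirected"))
    return hits


if __name__ == "__main__":
    # On a live machine read %SystemRoot%\System32\drivers\etc\hosts instead of the sample.
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {ip}")
```

Because a file infector like this one patches the executables a responder would normally run, a check of this kind is only trustworthy when run from clean boot media against the mounted disk, which is also the only position from which the reformat quietman7 recommends can be carried out safely.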

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:30 PM

Posted 21 April 2010 - 09:51 AM

Hello. Unfortunately my suspicion of a Virut infection is confirmed.
You'll see in the BitDefender scan Win32.Virtob. This is VIRUT.
VirusTotal results
http://www.virustotal.com/analisis/7130468...6029-1265051957

Thanks Q7, we were replying at the same time.

Edited by boopme, 21 April 2010 - 09:52 AM.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:30 PM

Posted 21 April 2010 - 10:26 AM

Not a problem, boopme. reader_s.exe, posted in the topic's title, drew my attention to the thread. It's a common Virut-related file.

#15 ddirish

ddirish
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 21 April 2010 - 10:31 AM

Looks like it is time to reformat the hard drive. Thank you very much for the assistance!



