
HijackThis Log: Please help Diagnose


  • This topic is locked
28 replies to this topic

#1 EJR9779

EJR9779

  • Members
  • 17 posts
  • Local time:01:49 PM

Posted 28 April 2010 - 01:32 PM

Hello, a virus took over my computer this morning and I have no idea how it happened. I read a few websites on what to do to correct the problem. I was told to download "rkill" and to run it from the desktop. Well, it seemed to have cleared the problem temporarily but I still can't access the internet. I was then told to download and run Hijack This and these are the results that appeared.

What do I need to do from here?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:31 PM, on 4/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Hbebia.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\program files\acer 3g connection manager\bin\gbxapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\program files\acer 3g connection manager\bin\gbx4log.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\Hjg.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Incomplete\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...09&m=aoa150
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: C:\WINDOWS\system32\unkak6knvh.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\unkak6knvh.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CoreWorks] c:\program files\acer 3g connection manager\bin\gbxapp.exe runatstartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [wevufulupe] Rundll32.exe "pihuzura.dll",s
O4 - HKLM\..\Run: [lsdefrag] C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\sxwemcnaor.tmp
O4 - HKLM\..\Run: [fsgcykbl] C:\Documents and Settings\Eddie Rideau\Local Settings\Application Data\bjtcuhvve\oxgkekxtssd.exe
O4 - HKLM\..\Run: [ezLife] rundll32 "quxgbxjp.dll",,Run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\txoesf.dll, RestoreWindows
O4 - HKCU\..\Run: [hsf87sdhfush87fsufhuie3fddf] C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\j2jttfwo8.exe
O4 - HKCU\..\Run: [newupdate1142C.exe] C:\Documents and Settings\Eddie Rideau\Application Data\328314BC9F64FD92DC34C871EC9E633C\newupdate1142C.exe
O4 - HKCU\..\Run: [fsgcykbl] C:\Documents and Settings\Eddie Rideau\Local Settings\Application Data\bjtcuhvve\oxgkekxtssd.exe
O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\Hjg.exe
O4 - HKCU\..\Run: [sysmon64x.exe] C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\sysmon64x.exe
O4 - HKUS\S-1-5-19\..\Run: [wevufulupe] Rundll32.exe "pihuzura.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [wevufulupe] Rundll32.exe "pihuzura.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ccagent.exe] C:\Documents and Settings\Eddie Rideau\Application Data\ACommander\ccagent.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ccagent.exe] C:\Documents and Settings\Eddie Rideau\Application Data\ACommander\ccagent.exe (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://aol.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} (BejeweledTwist Control) - http://www.worldwinner.com/games/v51/bejew...eweledtwist.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41B6BE3B-8E92-4DCE-8939-429BF688D2A3}: NameServer = 93.188.165.131,93.188.161.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{5771FC90-1D47-4EE5-A98E-A3807B7A491B}: NameServer = 93.188.165.131,93.188.161.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{57BF06B9-DD8A-4C53-A793-81EEE194039C}: NameServer = 93.188.165.131,93.188.161.132
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.131,93.188.161.132
O17 - HKLM\System\CS2\Services\Tcpip\..\{41B6BE3B-8E92-4DCE-8939-429BF688D2A3}: NameServer = 93.188.165.131,93.188.161.132
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.165.131,93.188.161.132
O17 - HKLM\System\CS3\Services\Tcpip\..\{41B6BE3B-8E92-4DCE-8939-429BF688D2A3}: NameServer = 93.188.165.131,93.188.161.132
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.131,93.188.161.132
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: puhepayo.dll
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\unkak6knvh.dll
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9e208b21178b8) (gupdate1c9e208b21178b8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe

--
End of file - 12301 bytes
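The log above is what a helper reads by eye: a browser proxy set to 127.0.0.1, Run entries launched from Temp and the user profile, a core Windows binary name (lsass.exe) outside system32, rundll32 loading DLLs by bare name, DNS servers hard-coded under Tcpip\Parameters, and a non-empty AppInit_DLLs value. The following script is an added example, not code from this thread or from HijackThis; it applies those same checks mechanically to HijackThis-format lines. The `Finding` type, the `check_*` functions, `triage` and the directory/name lists are my own choices; the sample input is a handful of lines copied from the log in this post (two benign ones included for contrast).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: nine lines copied from the HijackThis log in this post
# (two of them benign, for contrast).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: C:\WINDOWS\system32\unkak6knvh.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\unkak6knvh.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [lsdefrag] C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\sxwemcnaor.tmp
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [wevufulupe] Rundll32.exe "pihuzura.dll",s
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.131,93.188.161.132
O20 - AppInit_DLLs: puhepayo.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why the line deserves a closer look
    line: str     # the log line as written


# Core Windows binaries that belong only in %SystemRoot%\system32.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Directories an autostart entry rarely points at legitimately (my own list).
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\application data\\", "\\local settings\\")

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.exe)\b')             # first .exe file name in a command
BARE_DLL_RE = re.compile(r'^rundll32(\.exe)?\s+"?[^\\/"\s]+\.dll')  # rundll32 with a path-less DLL


def check_r1_proxy(line: str) -> Optional[str]:
    m = PROXY_RE.match(line)
    if m and re.search(r"127\.0\.0\.1|localhost", m.group("proxy"), re.I):
        return "browser proxy points at a port on this machine; web traffic is being relayed locally"
    return None


def check_o2(line: str) -> Optional[str]:
    m = O2_RE.match(line)
    if m and (m.group("name").lower() == m.group("path").lower() or m.group("name") == "(no name)"):
        return "BHO has no friendly name (HijackThis shows the DLL path instead); check the DLL's publisher"
    return None


def check_o4(line: str) -> Optional[str]:
    m = O4_RE.match(line)
    if not m:
        return None
    low = m.group("cmd").lower()
    exe = EXE_RE.search(low)
    if exe and exe.group(1) in CORE_NAMES and "\\system32\\" + exe.group(1) not in low:
        return f"core Windows binary name {exe.group(1)} launched from outside system32"
    if any(d in low for d in SUSPECT_DIRS):
        return "autostart runs from a Temp or user-profile directory"
    if BARE_DLL_RE.match(low):
        return "rundll32 loads a DLL by bare name, resolved through the search path rather than a fixed location"
    return None


def check_o17(line: str) -> Optional[str]:
    m = O17_RE.match(line)
    if m:
        return f"DNS servers hard-coded in the registry ({m.group('servers').strip()}); confirm they are your ISP's"
    return None


def check_o20(line: str) -> Optional[str]:
    m = O20_RE.match(line)
    if m and m.group("dlls").strip():
        return f"AppInit_DLLs injects {m.group('dlls').strip()} into every process that loads user32.dll"
    return None


CHECKS = (check_r1_proxy, check_o2, check_o4, check_o17, check_o20)


def triage(log_text: str) -> List[Finding]:
    """Run every check over each line; the first matching check wins."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append(Finding(line.split(" ", 1)[0], reason, line))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full log it would also flag the Run entries under HKUS\S-1-5-19 and S-1-5-20 (rundll32 with a bare DLL name) and every O17 line; the O17 rule deliberately reports rather than judges, because the right answer depends on which DNS servers the network actually hands out.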




#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:49 PM

Posted 03 May 2010 - 10:07 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %appdata%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    sfcfiles.dll
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    beep.sys
    iaStor.sys
    nvstor.sys
    atapi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    iastorv.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 EJR9779

EJR9779
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:49 PM

Posted 03 May 2010 - 11:18 AM

I did all that you said, however, when I click the Run Scan button I do not receive any reports. It is like the scan did not run. Anything else I should do before I run the scan?

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:49 PM

Posted 03 May 2010 - 11:39 AM

How long did you wait for OTL to do a scan? It can take some time. Along the bottom of the OTL screen it should show you what it is scanning; does this show it scanning anything, or is it frozen?



#5 EJR9779

EJR9779
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:49 PM

Posted 03 May 2010 - 11:46 AM

It is not even showing that it is scanning. Should I try to run it in safe mode instead?

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:49 PM

Posted 03 May 2010 - 11:57 AM

No, it's ok, let's try and run something else instead.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 EJR9779

EJR9779
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:49 PM

Posted 03 May 2010 - 01:28 PM

ComboFix 10-05-03.01 - Eddie Rideau 05/03/2010 13:06:37.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.623 [GMT -5:00]
Running from: c:\documents and settings\Eddie Rideau\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\EDDIER~1\LOCALS~1\Temp\csrss.exe
c:\docume~1\EDDIER~1\LOCALS~1\Temp\lsass.exe
c:\docume~1\EDDIER~1\LOCALS~1\Temp\svchost.exe
c:\docume~1\EDDIER~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Eddie Rideau\Application Data\328314BC9F64FD92DC34C871EC9E633C
c:\documents and settings\Eddie Rideau\Application Data\328314BC9F64FD92DC34C871EC9E633C\enemies-names.txt
c:\documents and settings\Eddie Rideau\Application Data\328314BC9F64FD92DC34C871EC9E633C\hookdll.dll
c:\documents and settings\Eddie Rideau\Application Data\328314BC9F64FD92DC34C871EC9E633C\lsrslt.ini
c:\documents and settings\Eddie Rideau\Application Data\328314BC9F64FD92DC34C871EC9E633C\newupdate1142C.exe
c:\documents and settings\Eddie Rideau\Local Settings\Application Data\ave.exe
c:\documents and settings\Eddie Rideau\Local Settings\Application Data\Windows Server
c:\documents and settings\Eddie Rideau\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Eddie Rideau\Local Settings\Application Data\Windows Server\rhhlty.dll.vir
c:\documents and settings\Eddie Rideau\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Eddie Rideau\Local Settings\Temporary Internet Files\10b61w.jpg
c:\documents and settings\Eddie Rideau\Local Settings\Temporary Internet Files\27sq0Myx.jpg
c:\documents and settings\Eddie Rideau\Local Settings\Temporary Internet Files\c200W2p8c.jpg
c:\documents and settings\Eddie Rideau\Local Settings\Temporary Internet Files\uyfmU5f.jpg
C:\feed.txt
c:\program files\adb9_32.exe
c:\program files\adC32.dll
c:\program files\alggui.exe
c:\program files\Digital Protection
c:\program files\ezLife
c:\program files\ezLife\ezLife\1.5.2.0\uninstall.exe
c:\program files\Mozilla Firefox\components\ffxShot.dll
c:\program files\Mozilla Firefox\components\nsFFxSHot.xpt
c:\program files\Smart-Ads-Solutions
c:\program files\Smart-Ads-Solutions\SmartAds\1.5.2.0\uninstall.exe
c:\program files\svchost.exe
c:\program files\WindowsUpdate
c:\program files\wp3.dat
c:\program files\wp4.dat
c:\windows\Hbebia.exe
c:\windows\PRAGMAuymbpxxtpd
c:\windows\PRAGMAuymbpxxtpd\PRAGMAc.dll
c:\windows\PRAGMAuymbpxxtpd\PRAGMAcfg.ini
c:\windows\PRAGMAuymbpxxtpd\PRAGMAd.sys
c:\windows\system32\bozuneyi.exe
c:\windows\system32\driVERs\nivcpg.sys
c:\windows\system32\gibijayu.exe
c:\windows\system32\gipidiwu.exe
c:\windows\system32\hehewora.exe
c:\windows\system32\higalepo.exe
c:\windows\system32\hovutale.dll
c:\windows\system32\lenisako.exe
c:\windows\system32\nehakite.exe
c:\windows\system32\net.net
c:\windows\system32\pihuzura.dll
c:\windows\system32\pragmabbr.dll
c:\windows\system32\pragmaserf.dll
c:\windows\system32\PRAGMAsrcr.dat
c:\windows\system32\puhepayo.dll
c:\windows\system32\qqyggkkm.dll
c:\windows\system32\quxgbxjp.dll
c:\windows\system32\spool\prtprocs\w32x86\00005d26.tmp
c:\windows\system32\unkak6knvh.dll
c:\windows\system32\wegagolu.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

----- BITS: Possible infected sites -----

hxxp://217.23.14.74
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAuymbpxxtpd
-------\Legacy_PRAGMAuymbpxxtpd
-------\Legacy_ADBUPD
-------\Service_AdbUpd
-------\Legacy_nivcpg
-------\Service_nivcpg


((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-03 17:51 . 2010-05-03 17:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-03 16:45 . 2010-05-03 16:45 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-30 14:53 . 2010-04-30 14:53 -------- d-----w- c:\documents and settings\Eddie Rideau\Application Data\Malwarebytes
2010-04-30 14:36 . 2010-04-30 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 14:36 . 2010-04-30 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-29 16:39 . 2010-04-29 16:39 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-04-29 03:43 . 2010-04-29 03:43 -------- d-----w- c:\program files\scdata
2010-04-29 02:12 . 2010-04-29 02:12 -------- d-sh--w- c:\documents and settings\Eddie Rideau\IECompatCache
2010-04-29 01:42 . 2010-04-29 01:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-28 17:02 . 2010-04-28 17:21 -------- d-----w- c:\program files\EMDADLIBEYRTIEDS
2010-04-28 16:34 . 2010-04-28 16:37 -------- d-----w- c:\documents and settings\Rideau Family\Local Settings\Application Data\Google
2010-04-28 16:34 . 2010-04-28 16:34 -------- d-sh--w- c:\documents and settings\Rideau Family\PrivacIE
2010-04-28 16:33 . 2010-04-28 16:33 -------- d-sh--w- c:\documents and settings\Rideau Family\IETldCache
2010-04-28 15:45 . 2010-04-28 15:45 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2010-04-28 14:02 . 2010-04-28 14:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-28 13:58 . 2010-04-28 13:58 -------- d-----w- c:\documents and settings\Eddie Rideau\Local Settings\Application Data\bjtcuhvve
2010-04-14 23:46 . 2010-04-14 23:46 766 ----a-r- c:\documents and settings\Eddie Rideau\Application Data\Microsoft\Installer\{F1B58743-123D-4748-9FDD-F1FA0E463662}\_6FEFF9B68218417F98F549.exe
2010-04-14 23:46 . 2010-04-14 23:46 -------- d-----w- c:\program files\West Corporation
2010-04-06 16:34 . 2010-04-06 16:37 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 03:02 . 2009-01-20 19:22 -------- d-----w- c:\program files\Google
2010-04-29 00:56 . 2010-01-04 16:08 -------- d-----w- c:\documents and settings\Eddie Rideau\Application Data\Skype
2010-04-28 20:41 . 2010-01-04 16:10 -------- d-----w- c:\documents and settings\Eddie Rideau\Application Data\skypePM
2010-04-28 16:35 . 2010-04-28 16:32 99488 ----a-w- c:\documents and settings\Rideau Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 21:00 . 2009-01-20 18:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-15 15:10 . 2009-01-20 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-08 03:44 . 2010-02-02 01:37 -------- d-----w- c:\program files\Finale 2003
2010-04-06 16:34 . 2010-04-06 16:33 99488 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-01 03:43 . 2010-01-27 23:16 -------- d-----w- c:\program files\Finale 2009
2010-03-27 03:55 . 2009-12-28 05:01 -------- d-----w- c:\program files\Yahoo SiteBuilder
2010-03-24 11:58 . 2010-03-24 11:58 -------- d-----w- c:\documents and settings\Eddie Rideau\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-24 01:26 . 2010-03-24 01:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-24 01:26 . 2010-03-24 01:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-24 01:26 . 2010-03-24 01:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-24 01:26 . 2010-03-24 01:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-24 01:26 . 2010-03-24 01:26 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-24 01:26 . 2010-03-24 01:26 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-24 01:26 . 2010-03-24 01:26 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-24 01:26 . 2010-03-24 01:26 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-24 01:26 . 2010-03-24 01:26 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-24 01:26 . 2009-05-31 16:00 -------- d-----w- c:\program files\Common Files\Real
2010-03-24 01:25 . 2009-05-31 16:00 -------- d-----w- c:\program files\Real
2010-03-24 01:25 . 2010-03-24 01:25 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-24 01:24 . 2009-05-31 16:00 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-17 04:52 . 2010-03-17 04:52 -------- d-----w- c:\program files\TweetDeck
2010-03-10 06:15 . 2008-05-09 10:53 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 18:12 . 2010-03-05 18:12 83359 -c--a-w- c:\program files\VelvetRope(hs).MUS
2010-02-25 06:24 . 2008-10-16 20:38 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-10-24 11:21 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-08-14 10:09 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-08-14 09:33 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 20:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 20:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-07 21:31 . 2010-04-29 01:41 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 21:31 . 2010-04-28 16:32 38784 ----a-w- c:\documents and settings\Rideau Family\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 21:31 . 2010-04-06 16:33 38784 ----a-w- c:\documents and settings\Guest\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 21:31 . 2010-02-04 07:27 38784 ----a-w- c:\documents and settings\Eddie Rideau\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 21:28 . 2010-02-07 21:28 2850032 -c--a-w- c:\program files\TweetDeck_0_32.6.air
2010-01-28 15:05 . 2010-01-28 15:05 1970296 --sha-w- c:\windows\system32\nowuvaku.exe
2010-01-29 17:31 . 2010-01-29 17:31 1970296 --sha-w- c:\windows\system32\pufuyada.exe
2010-01-30 13:42 . 2010-01-30 13:42 48136 --sha-w- c:\windows\system32\rugujape.exe
2010-01-30 13:42 . 2010-01-30 13:42 86722 --sha-w- c:\windows\system32\sayawoha.exe
2010-01-28 15:06 . 2010-01-28 15:06 48136 --sha-w- c:\windows\system32\tazahodi.exe
2010-01-29 03:06 . 2010-01-29 03:06 1970296 --sha-w- c:\windows\system32\vopereso.exe
2010-01-29 17:31 . 2010-01-29 17:31 48136 --sha-w- c:\windows\system32\wiyirive.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-30 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoreWorks"="c:\program files\acer 3g connection manager\bin\gbxapp.exe" [2008-11-26 805352]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-09-04 425984]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/18/2008 1:43 PM 93320]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [11/10/2008 1:43 AM 345336]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/26/2009 10:58 AM 151936]
R3 QCFilterGAD;Gobi AD USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterGAD.sys [5/26/2009 10:56 AM 5248]
R3 qcusbnetGAD;Gobi AD USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetGAD.sys [5/26/2009 10:56 AM 115200]
R3 qcusbserGAD;Gobi AD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserGAD.sys [2/21/2009 3:18 PM 103680]
S2 gupdate1c9e208b21178b8;Google Update Service (gupdate1c9e208b21178b8);c:\program files\Google\Update\GoogleUpdate.exe [5/31/2009 10:58 AM 133104]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/20/2009 2:22 PM 30192]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [7/8/2008 12:16 PM 96856]
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 15:58]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 15:58]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-10 15:53]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-10 15:53]

2010-05-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-571105930-2950289801-1572518764-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-04-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-571105930-2950289801-1572518764-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{9b614725-ac99-4d6d-a1db-060be11d4574} - hovutale.dll
Toolbar-Locked - (no file)
HKLM-Run-wevufulupe - pihuzura.dll
HKU-Default-Run-ccagent.exe - c:\documents and settings\Eddie Rideau\Application Data\ACommander\ccagent.exe
HKU-Default-Run-Adobe Loader - c:\program files\adb9_32.exe
SharedTaskScheduler-{A2BA40A0-74F1-52BD-F411-00B15A2C8953} - (no file)
AddRemove-ezLife - c:\program files\ezLife\ezLife\1.5.2.0\uninstall.exe
AddRemove-FrostWire - d:\frostwire\Uninstall.exe
AddRemove-HijackThis - d:\incomplete\HijackThis.exe
AddRemove-Smart-Ads-Solutions - c:\program files\Smart-Ads-Solutions\SmartAds\1.5.2.0\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 13:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1556)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\acer 3g connection manager\bin\gbx4log.exe
.
**************************************************************************
.
Completion time: 2010-05-03 13:24:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 18:24

Pre-Run: 134,028,693,504 bytes free
Post-Run: 134,076,878,848 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 91F5038048A0F1F438F4BBE4625CAAF5

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:49 PM

Posted 03 May 2010 - 01:47 PM

Can you tell me how the computer is running now and if you are still having any problems?


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/313296/hijackthis-log-please-help-diagnose/

Collect::
c:\windows\system32\nowuvaku.exe
c:\windows\system32\pufuyada.exe
c:\windows\system32\rugujape.exe
c:\windows\system32\sayawoha.exe
c:\windows\system32\tazahodi.exe
c:\windows\system32\vopereso.exe
c:\windows\system32\wiyirive.exe
Folder::
c:\documents and settings\Eddie Rideau\Local Settings\Application Data\bjtcuhvve
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=""


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

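As an added example (not ComboFix's own code and not part of syler's post), the script below reads the "Reg Loading Points" and "Supplementary Scan" lines quoted earlier in this thread, flags the settings that rogue security software typically changes so that Security Center and the firewall stay quiet, and drafts a Registry:: block in the same form as the CFScript above. The sample log text is constructed from lines in this thread; the severity labels, and the decision to report DisableMonitoring and EnableFirewall as "review" items rather than reset them (a third-party suite such as McAfee sets those legitimately, and the helper's script also left them alone), are my assumptions, not something ComboFix reports.

```python
"""Flag protection-tampering settings in a ComboFix log and draft the matching
CFScript Registry:: reset.

Added example for this thread; not part of ComboFix or the helper's post.
The sample log below is constructed from lines quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: 'Reg Loading Points' and 'Supplementary Scan' lines from the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

Finding = Tuple[str, str, str, str]  # (severity, registry key, value name, explanation)

# Reset data for the values we are willing to fix, in the form the CFScript uses.
RESET = {"AntiVirusOverride": "dword:00000000", "FirewallOverride": "dword:00000000",
         "DisableNotifications": "dword:00000000", "ProxyServer": '""'}


def _value(raw: str):
    """Turn ComboFix's value renderings ('dword:00000001', '0 (0x0)') into ints."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_log(text: str) -> Tuple[Dict[str, Dict[str, object]], Dict[str, str]]:
    """Return (registry key -> {value name: data}, 'u:'/'m:'-scoped IE settings)."""
    keys: Dict[str, Dict[str, object]] = {}
    settings: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _value(m.group(2))
            continue
        m = re.match(r"^([um])(.+?) = (.*)$", line)  # u = per-user, m = machine-wide
        if m:
            settings[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
        if not line:
            current = None
    return keys, settings


def find_tampering(keys: Dict[str, Dict[str, object]], settings: Dict[str, str]) -> List[Finding]:
    """Apply the checks; 'fix' items get reset, 'review' items need a human decision."""
    findings: List[Finding] = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith("\\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append(("fix", path, name,
                                     "Security Center told not to alert that this protection is off"))
        elif "\\security center\\monitoring\\" in low:
            if values.get("DisableMonitoring") == 1:
                findings.append(("review", path, "DisableMonitoring",
                                 "Security Center stops watching this product; third-party AV sets this legitimately"))
        elif low.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append(("review", path, "EnableFirewall",
                                 "Windows Firewall off; expected when a third-party firewall is active"))
            if values.get("DisableNotifications") == 1:
                findings.append(("fix", path, "DisableNotifications", "firewall prompts suppressed"))
    for scope in ("u", "m"):
        proxy = settings.get(f"{scope}:Internet Settings,ProxyServer")
        if proxy and re.search(r"(127\.0\.0\.1|localhost)", proxy):
            hive = "HKEY_CURRENT_USER" if scope == "u" else "HKEY_LOCAL_MACHINE"
            findings.append(("fix", hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                             "ProxyServer", f"browser traffic routed through a local listener ({proxy})"))
    return findings


def cfscript_registry_block(findings: List[Finding]) -> str:
    """Draft the Registry:: section resetting only the 'fix' findings."""
    by_key: Dict[str, List[str]] = {}
    for severity, key, name, _ in findings:
        if severity == "fix":
            by_key.setdefault(key, []).append(f'"{name}"={RESET[name]}')
    lines = ["Registry::"]
    for key, entries in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(entries)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_tampering(*parse_log(SAMPLE_LOG))
    for severity, key, name, why in found:
        print(f"[{severity:6}] {key}\\{name}: {why}")
    print(cfscript_registry_block(found))
```

Run against the constructed sample, the "fix" findings reproduce the three keys in the helper's Registry:: section (the Security Center overrides, DisableNotifications, and the per-user ProxyServer), while the McAfee DisableMonitoring entries and EnableFirewall=0 are listed for review only.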


#9 EJR9779

EJR9779
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 03 May 2010 - 02:10 PM

The computer is running fine! It seems like it is back to how it was before the virus.

I did what you asked me to in your previous post. Is there anything else I need to do from here?

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:49 PM

Posted 03 May 2010 - 02:16 PM

Yes, please post the log that combofix produced when you did the last steps.



#11 EJR9779

EJR9779
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 03 May 2010 - 02:35 PM

ComboFix 10-05-03.01 - Eddie Rideau 05/03/2010 13:56:25.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.601 [GMT -5:00]
Running from: c:\documents and settings\Eddie Rideau\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eddie Rideau\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\system32\nowuvaku.exe
file zipped: c:\windows\system32\pufuyada.exe
file zipped: c:\windows\system32\rugujape.exe
file zipped: c:\windows\system32\sayawoha.exe
file zipped: c:\windows\system32\tazahodi.exe
file zipped: c:\windows\system32\vopereso.exe
file zipped: c:\windows\system32\wiyirive.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eddie Rideau\Local Settings\Application Data\bjtcuhvve
c:\documents and settings\Eddie Rideau\Local Settings\Application Data\bjtcuhvve\oxgkekxtssd.exe
c:\windows\system32\nowuvaku.exe
c:\windows\system32\pufuyada.exe
c:\windows\system32\rugujape.exe
c:\windows\system32\sayawoha.exe
c:\windows\system32\tazahodi.exe
c:\windows\system32\vopereso.exe
c:\windows\system32\wiyirive.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-03 17:51 . 2010-05-03 17:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-03 16:45 . 2010-05-03 16:45 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-30 14:53 . 2010-04-30 14:53 -------- d-----w- c:\documents and settings\Eddie Rideau\Application Data\Malwarebytes
2010-04-30 14:36 . 2010-04-30 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 14:36 . 2010-04-30 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-29 16:39 . 2010-04-29 16:39 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-04-29 03:43 . 2010-04-29 03:43 -------- d-----w- c:\program files\scdata
2010-04-29 02:12 . 2010-04-29 02:12 -------- d-sh--w- c:\documents and settings\Eddie Rideau\IECompatCache
2010-04-29 01:42 . 2010-04-29 01:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-28 17:02 . 2010-04-28 17:21 -------- d-----w- c:\program files\EMDADLIBEYRTIEDS
2010-04-28 16:34 . 2010-04-28 16:37 -------- d-----w- c:\documents and settings\Rideau Family\Local Settings\Application Data\Google
2010-04-28 16:34 . 2010-04-28 16:34 -------- d-sh--w- c:\documents and settings\Rideau Family\PrivacIE
2010-04-28 16:33 . 2010-04-28 16:33 -------- d-sh--w- c:\documents and settings\Rideau Family\IETldCache
2010-04-28 15:45 . 2010-04-28 15:45 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2010-04-28 14:02 . 2010-04-28 14:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-14 23:46 . 2010-04-14 23:46 766 ----a-r- c:\documents and settings\Eddie Rideau\Application Data\Microsoft\Installer\{F1B58743-123D-4748-9FDD-F1FA0E463662}\_6FEFF9B68218417F98F549.exe
2010-04-14 23:46 . 2010-04-14 23:46 -------- d-----w- c:\program files\West Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 03:02 . 2009-01-20 19:22 -------- d-----w- c:\program files\Google
2010-04-29 00:56 . 2010-01-04 16:08 -------- d-----w- c:\documents and settings\Eddie Rideau\Application Data\Skype
2010-04-28 20:41 . 2010-01-04 16:10 -------- d-----w- c:\documents and settings\Eddie Rideau\Application Data\skypePM
2010-04-28 16:35 . 2010-04-28 16:32 99488 ----a-w- c:\documents and settings\Rideau Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 21:00 . 2009-01-20 18:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-15 15:10 . 2009-01-20 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-08 03:44 . 2010-02-02 01:37 -------- d-----w- c:\program files\Finale 2003
2010-04-06 16:34 . 2010-04-06 16:33 99488 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-01 03:43 . 2010-01-27 23:16 -------- d-----w- c:\program files\Finale 2009
2010-03-27 03:55 . 2009-12-28 05:01 -------- d-----w- c:\program files\Yahoo SiteBuilder
2010-03-24 11:58 . 2010-03-24 11:58 -------- d-----w- c:\documents and settings\Eddie Rideau\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-24 01:26 . 2010-03-24 01:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-24 01:26 . 2010-03-24 01:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-24 01:26 . 2010-03-24 01:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-24 01:26 . 2010-03-24 01:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-24 01:26 . 2010-03-24 01:26 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-24 01:26 . 2010-03-24 01:26 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-24 01:26 . 2010-03-24 01:26 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-24 01:26 . 2010-03-24 01:26 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-24 01:26 . 2010-03-24 01:26 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-24 01:26 . 2009-05-31 16:00 -------- d-----w- c:\program files\Common Files\Real
2010-03-24 01:25 . 2009-05-31 16:00 -------- d-----w- c:\program files\Real
2010-03-24 01:25 . 2010-03-24 01:25 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-24 01:24 . 2009-05-31 16:00 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-17 04:52 . 2010-03-17 04:52 -------- d-----w- c:\program files\TweetDeck
2010-03-10 06:15 . 2008-05-09 10:53 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 18:12 . 2010-03-05 18:12 83359 -c--a-w- c:\program files\VelvetRope(hs).MUS
2010-02-25 06:24 . 2008-10-16 20:38 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-10-24 11:21 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-08-14 10:09 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-08-14 09:33 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 20:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 20:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-07 21:31 . 2010-04-29 01:41 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 21:31 . 2010-04-28 16:32 38784 ----a-w- c:\documents and settings\Rideau Family\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 21:31 . 2010-04-06 16:33 38784 ----a-w- c:\documents and settings\Guest\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 21:31 . 2010-02-04 07:27 38784 ----a-w- c:\documents and settings\Eddie Rideau\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 21:28 . 2010-02-07 21:28 2850032 -c--a-w- c:\program files\TweetDeck_0_32.6.air
.

((((((((((((((((((((((((((((( SnapShot@2010-05-03_18.19.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-20 20:20 . 2010-05-03 18:09 72978 c:\windows\system32\perfc009.dat
+ 2009-01-20 20:20 . 2010-05-03 18:22 72978 c:\windows\system32\perfc009.dat
+ 2009-01-20 20:20 . 2010-05-03 18:22 445938 c:\windows\system32\perfh009.dat
- 2009-01-20 20:20 . 2010-05-03 18:09 445938 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoreWorks"="c:\program files\acer 3g connection manager\bin\gbxapp.exe" [2008-11-26 805352]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-09-04 425984]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/18/2008 1:43 PM 93320]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [11/10/2008 1:43 AM 345336]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/26/2009 10:58 AM 151936]
R3 QCFilterGAD;Gobi AD USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterGAD.sys [5/26/2009 10:56 AM 5248]
R3 qcusbnetGAD;Gobi AD USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetGAD.sys [5/26/2009 10:56 AM 115200]
R3 qcusbserGAD;Gobi AD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserGAD.sys [2/21/2009 3:18 PM 103680]
S2 gupdate1c9e208b21178b8;Google Update Service (gupdate1c9e208b21178b8);c:\program files\Google\Update\GoogleUpdate.exe [5/31/2009 10:58 AM 133104]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/20/2009 2:22 PM 30192]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [7/8/2008 12:16 PM 96856]
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 15:58]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 15:58]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-10 15:53]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-10 15:53]

2010-05-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-571105930-2950289801-1572518764-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-04-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-571105930-2950289801-1572518764-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 14:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-03 14:04:49
ComboFix-quarantined-files.txt 2010-05-03 19:04
ComboFix2.txt 2010-05-03 18:24

Pre-Run: 134,047,784,960 bytes free
Post-Run: 134,012,981,248 bytes free

- - End Of File - - A5AEDACF90480AEA1183E6166FA43333
Upload was successful


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:49 PM

Posted 03 May 2010 - 04:50 PM

Hi,

I would like to do one more check to make sure we haven't missed anything, please try to run OTL again now and post both logs if it runs.


Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

Thanks



#13 EJR9779

EJR9779
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 03 May 2010 - 05:58 PM

OTL still is not working for me. After I click run scan, there is no response. I will run the ESET OnlineScan now.


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:49 PM

Posted 03 May 2010 - 06:06 PM

Ok that's fine, please run RSIT as well then, after the online scan, and post both the logs with the ESET report, thanks.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Edited by syler, 05 May 2010 - 04:20 PM.



#15 EJR9779

EJR9779
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 03 May 2010 - 09:58 PM

ESETscan results

C:\Program Files\scdata\dbsinit.exe Win32/Adware.WinAntiVirus application deleted - quarantined
C:\Program Files\scdata\wispex.html Win32/Adware.WinAntiVirus application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\[4]-Submit_2010-05-03_13.55.58.zip multiple threats deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Eddie Rideau\Application Data\328314BC9F64FD92DC34C871EC9E633C\newupdate1142C.exe.vir a variant of Win32/Kryptik.EBN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Eddie Rideau\Local Settings\Application Data\ave.exe.vir probably a variant of Win32/Kryptik.EAQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Eddie Rideau\Local Settings\Application Data\bjtcuhvve\oxgkekxtssd.exe.vir Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Eddie Rideau\Local Settings\Application Data\Windows Server\rhhlty.dll.vir.vir Win32/Bamital.AV trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\adb9_32.exe.vir a variant of Win32/Adware.PCProtector.B application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\adc32.dll.vir probably a variant of Win32/Adware.PCProtector.A application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\alggui.exe.vir a variant of Win32/Adware.PCProtector.B application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\svchost.exe.vir a variant of Win32/Adware.PCProtector.B application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\ffxShot.dll.vir Win32/Lifze.B trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Hbebia.exe.vir Win32/TrojanDownloader.FakeAlert.AQI trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\PRAGMAuymbpxxtpd\PRAGMAc.dll.vir a variant of Win32/Kryptik.EAS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\PRAGMAuymbpxxtpd\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\bozuneyi.exe.vir a variant of Win32/Injector.BCP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\gipidiwu.exe.vir a variant of Win32/Injector.BCP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hehewora.exe.vir a variant of Win32/Injector.BCP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\pragmabbr.dll.vir a variant of Win32/Kryptik.EAS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\pragmaserf.dll.vir a variant of Win32/Kryptik.EAS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\qqyggkkm.dll.vir Win32/Lifze.C trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\quxgbxjp.dll.vir Win32/Lifze.D trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\unkak6knvh.dll.vir Win32/TrojanDownloader.Small.NFD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wegagolu.exe.vir a variant of Win32/Injector.BCP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir Win32/Patched.EQ trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\nivcpg.sys.vir Win32/Rootkit.Kryptik.BB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_nivcpg_.sys.zip Win32/Rootkit.Kryptik.BB trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00005d26.tmp.vir Win32/Olmarik.YE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67C4541F-D3F2-450D-8BA3-DE79D55388CD}\RP1\A0000023.exe Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\System Volume Information\_restore{67C4541F-D3F2-450D-8BA3-DE79D55388CD}\RP2\A0000150.exe Win32/Adware.WinAntiVirus application deleted - quarantined
