
Hijacked Browser


  • This topic is locked
19 replies to this topic

#1 DC-Rager

Posted 25 May 2010 - 08:46 AM

Hello, I just finished reviewing the Preparation guide and need to give you some history. A few days ago my browser was hijacked. It typically occurred when I clicked on a link from a Google search, where it would take me to either some odd directory page or to a page that was selling Stopzilla. Note: I can avoid the redirect when I open a link in a new tab.

I attempted to remove this malware via the usual programs: Spybot Search & Destroy, MalwareBytes, my antivirus software (Avira), Spyware Doctor, and I even attempted a system restore 2 or 3 times. A system restore has worked previously when my PC was infected with something, but not this time. Spyware Doctor seemed to find and remove the most stuff. I believe it found 5 different infections, one being high, two being medium and two being low threats.

Then things got worse a couple days ago: all of a sudden my work PC couldn't get to the internet. I work from home and the work PC is hard wired into a wireless router. Both my laptops could get to the internet wirelessly and my other PC, which is hard wired, could as well. So just my work PC was infected. After doing some Google searches, I was able to get my internet working again by starting the DHCP Client, which for some reason was set to start automatically on startup, but was disabled. I came to this remedy when I got an error when trying to renew my IP that said the DHCP client server wasn't available.

But now when I reboot, it looks like my PC struggles for a minute or two to get connected to my network, but eventually it does, so it appears something is still messing with it.

So I followed all the steps through step 7, but I ran into issues with GMER.exe. The first time I ran it, my PC auto-rebooted a couple minutes into the scan. The second time I ran it, my PC locked up (froze), so I had to hold the power button down to force a power down. The 3rd time I ran it, it took at least 8 hours... it ran through the night. When I hit save this morning to save it as .ark.txt, once again my computer froze. But it did appear to finish running this time. Is there a way I can still access the log so I don't have to lock my PC up for 8 hours again? Very frustrating! Anyhow, I attached the rest of the files and will patiently wait for your response. Thanks in advance for taking this on.

Rob

Update: I rebooted and could not get an internet connection again until I started the DHCP Client from the Control Panel. I just tried running GMER.exe again. After about two hours, I decided to stop the scan and try to save the log file to that point, but my PC locked up for the 4th time. I never got the "do you want to do a full scan" option that the Prep Guide mentions, so I think it just does a full scan each time. Is there another diagnostic program that someone can recommend besides GMER? I've seen 50+ thread views so far, but no one has been willing to help yet.

Also, now the hijacker can redirect links opened in a new tab. In my earlier description, this did not occur. Sometimes the page that it redirects to is a news 6 or news 11 page. freewareplus.com/search and theabcsmart.info/search.php are other sites that it redirects to.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Robert Davies at 14:07:55.85 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.738 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Vertex Communications Group\Vertex Scheduler\Vertex.BH.SystemService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmpad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\locator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Robert Davies\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vertexcommunication.com/
uDefault_Page_URL = hxxp://www.dell.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: ShowBarObj Class: {012c9e99-5d0e-44fb-9362-67cc3f9bfa6a} - c:\program files\fireclick site explorer\fire_bho.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [SetIcon] \Program Files\WDC\SetIcon.exe
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [PestPatrol Control Center] c:\progra~1\pestpa~1\PPControl.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CookiePatrol] c:\progra~1\pestpa~1\CookiePatrol.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startw~1.lnk - c:\windows\downlo~1\mywebex\419\mwmpad.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {AA3F90CE-7267-4953-BA86-7545BD4035D0} - {E64D64F2-68C8-471B-8A6D-9F254E8A82F4} - c:\program files\fireclick site explorer\fire_bnd.dll
IE: {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - c:\windows\downlo~1\mywebex\419\mwmie.dll
Trusted Zone: adobe.com\www
Trusted Zone: bluehornet.com\echo7
Trusted Zone: mcafee.com
Trusted Zone: salesforce.com\na1
Trusted Zone: salesforce.com\na5
Trusted Zone: vertexcommunication.com\emessaging
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5125/mcfscan.cab
Notify: fccbaxy - fccbaxy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SecurityProviders: msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\ddcyw
Hosts: 127.0.0.0 localhost

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\yxlbzz20.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\robert davies\application data\mozilla\firefox\profiles\yxlbzz20.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\robert davies\application data\mozilla\firefox\profiles\yxlbzz20.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-23 218592]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-2 11608]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-10 214664]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-2 56816]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-5-23 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-5-23 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-5-23 1142224]
R2 Vertex.BH.Server;Vertex Scheduler;c:\program files\vertex communications group\vertex scheduler\Vertex.BH.SystemService.exe [2007-2-19 20480]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40552]
S3 PacketNTx;Packet helper driver;c:\windows\system32\drivers\PacketNTx.sys [2003-11-28 24544]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-05-24 18:05:49 0 ----a-w- c:\documents and settings\robert davies\defogger_reenable
2010-05-23 14:53:57 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-23 14:53:56 882 ----a-w- c:\windows\RegSDImport.xml
2010-05-23 14:53:56 879 ----a-w- c:\windows\RegISSImport.xml
2010-05-23 14:53:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-23 14:53:56 131 ----a-w- c:\windows\IDB.zip
2010-05-23 14:53:56 1152444 ----a-w- c:\windows\UDB.zip
2010-05-23 14:53:55 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-23 14:53:55 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-23 14:52:35 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-05-23 14:52:35 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-23 14:52:23 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-23 14:52:23 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-05-23 14:52:23 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-05-23 14:52:23 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-23 14:52:04 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-05-23 14:52:04 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-23 14:51:31 0 dc----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-05-23 14:51:31 0 d-----w- c:\docume~1\robert~1\applic~1\PC Tools
2010-05-22 23:19:06 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-04-08 18:01:44 72080 -c--a-w- c:\documents and settings\robert davies\g2mdlhlpx.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2003-12-12 23:20:08 47 -c--a-w- c:\program files\Default.PLS
2003-12-12 22:40:00 208173056 -c--a-w- c:\program files\en_office_2003_frontpage.iso
2007-09-23 12:22:39 1983737 --sh--w- c:\windows\system32\wycdd.bak1
2007-09-25 13:06:35 2001634 --sh--w- c:\windows\system32\wycdd.bak2
2008-09-04 15:20:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 14:10:29.50 ===============

Attached Files


Edited by DC-Rager, 25 May 2010 - 01:46 PM.
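The DDS log above is what a helper reads first. As an added example (not a tool from this thread or from BleepingComputer), here is a small Python triage script that applies the baseline checks a responder would run over such a log: Winlogon Notify packages loaded by a bare DLL name, LSA authentication packages beyond the XP default of msv1_0 alone, a hosts entry that does not map localhost to 127.0.0.1, orphaned BHO/toolbar entries, and hidden+system files sitting directly in system32. The KNOWN_NOTIFY allowlist and the sample log are constructed for this example; the sample reuses lines quoted from the log above.

```python
# Added example: triage of a DDS-style log (the format pasted in this thread).
# Not a tool from the thread or from BleepingComputer; the baselines are well
# known (e.g. XP's default LSA Authentication Packages value is msv1_0 alone).
import re
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    line: str

# Winlogon Notify packages commonly seen on a clean XP box (assumed allowlist
# for this example); any other package referenced by a bare DLL name is flagged.
KNOWN_NOTIFY = {"wgalogon", "igfxcui", "atiextevent", "nvcpl"}
LOOPBACK = {"127.0.0.1", "::1"}
HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$")

def _check_notify(line):
    # "Notify: fccbaxy - fccbaxy.dll" -> package name, then the DLL it loads
    if not line.startswith("Notify:"):
        return None
    name, _, dll = line.partition(":")[2].strip().partition(" - ")
    if "\\" not in dll and name.strip().lower() not in KNOWN_NOTIFY:
        return Finding("high", "Winlogon Notify package loaded by bare DLL name", line)
    return None

def _check_lsa(line):
    # Anything beyond msv1_0 here is loaded into lsass at boot
    if not line.startswith("LSA:") or "Authentication Packages" not in line:
        return None
    extra = [p for p in line.partition("=")[2].split() if p.lower() != "msv1_0"]
    if extra:
        return Finding("high", "extra LSA authentication package(s): " + ", ".join(extra), line)
    return None

def _check_hosts(line):
    # DDS only prints hosts entries that differ from the stock file
    m = HOSTS_LINE.match(line)
    if not m:
        return None
    ip, host = m.group(1), m.group(2).lower()
    if host == "localhost" and ip not in LOOPBACK:
        return Finding("medium", "localhost mapped to %s instead of 127.0.0.1" % ip, line)
    if not ip.startswith("127.") and ip != "::1":
        return Finding("medium", "hosts entry sends %s off-box" % host, line)
    return None

def _check_orphan(line):
    # Browser helper/toolbar entries whose DLL is gone: leftovers to clean up
    if line.startswith(("BHO:", "TB:", "EB:")) and line.endswith("No File"):
        return Finding("info", "orphaned browser extension entry", line)
    return None

def _check_hidden_system_file(line):
    # DDS attribute string positions: d c s h a r w ?  -> s=system, h=hidden
    m = FILE_LINE.match(line)
    if not m:
        return None
    attrs, path = m.group(4), m.group(5).lower()
    parent = path.rpartition("\\")[0]
    if attrs[2] == "s" and attrs[3] == "h" and parent.endswith("\\system32"):
        return Finding("medium", "hidden+system file directly in system32", line)
    return None

CHECKS = (_check_notify, _check_lsa, _check_hosts, _check_orphan,
          _check_hidden_system_file)

def triage(log_text):
    """Return a Finding for every DDS log line that trips a check, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            hit = check(line) if line else None
            if hit:
                findings.append(hit)
    return findings

# Constructed sample: lines quoted from the thread's DDS log plus benign ones
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
Notify: fccbaxy - fccbaxy.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\ddcyw
Hosts: 127.0.0.0 localhost
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2007-09-23 12:22:39 1983737 --sh--w- c:\windows\system32\wycdd.bak1
2008-09-04 15:20:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (f.severity, f.rule, f.line))
```

Run against the sample, the two high findings are exactly the entries (the Notify package and the extra LSA package) that a helper would ask about first; the index.dat line is deliberately not flagged because hidden+system history files are normal there.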



#2 gringo_pr

    Bleepin Gringo


  • Malware Response Team

Posted 26 May 2010 - 11:02 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Some things to remember while we are working together.
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

GMER is the best, but it can be hard to get a log. Let's try this and see what we get.

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 DC-Rager

  • Topic Starter

Posted 27 May 2010 - 02:22 PM

I may have done this incorrectly because it said my post was too long, so I am attaching it. It's called report.txt. Let me know if this helps you.

Thanks.

Attached Files



#4 gringo_pr

    Bleepin Gringo


  • Malware Response Team

Posted 27 May 2010 - 04:53 PM

Hello DC-Rager

It is long but found the info I need.

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


#5 DC-Rager

  • Topic Starter

Posted 28 May 2010 - 09:57 PM

Thanks, Gringo. I'll follow your instructions and let you know how it turns out.

Rob

#6 gringo_pr

    Bleepin Gringo


  • Malware Response Team

Posted 28 May 2010 - 10:30 PM

OK, I will be waiting.

gringo

#7 gringo_pr

    Bleepin Gringo


  • Malware Response Team

Posted 31 May 2010 - 02:53 AM

Hello

Three-day bump

It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo


#8 DC-Rager

  • Topic Starter

Posted 31 May 2010 - 06:42 PM

Sorry, I was out of town for a couple days. Attached is the log file from combofix. I'll do a reboot and let you know how it is running later tonight. Thanks and sorry for the delay in getting back to you.

Attached Files

  • Attached File  log.txt   17.36KB   7 downloads


#9 DC-Rager

  • Topic Starter

Posted 31 May 2010 - 08:07 PM

Gringo, my PC seems to be running normally again. Spyware Doctor did find about a dozen instances of medium and high risk infections though. The medium infection was called Generic.Tojan and the high was called Trojan-Dowloader.Murlo. They were quarantined and cleaned so I suspect they could pop up again.

I have not experienced any redirects tonight. Let me know if you think I need to do anything else after you have looked at my log.txt file from combofix.
If anything acts up tomorrow, I'll re-post to let you know. Thanks again for your help.

Rob

#10 gringo_pr

    Bleepin Gringo


  • Malware Response Team

Posted 31 May 2010 - 11:16 PM

Greetings

Can you tell me about this program? I am not finding out much about it: "Fireclick Site Explorer"

:upload files to jotti:
    Please upload a file for scanning:
    • Open virusscan.jotti
    • Copy/paste this file and path into the white box at the top:
    c:\windows\system32\WS2_32.dll

    Press Submit - this will submit the file for testing.
    Please wait for all the scanners to finish then copy and paste the results in your next response.

    please do this with each of these files one at a time

    c:\windows\system32\WS2HELP.dll

    save the reports and send with your next reply
    Note: If Jotti is busy, you can use VirusTotal instead.

gringo

#11 DC-Rager

  • Topic Starter

Posted 01 June 2010 - 08:21 AM

Fireclick is a web analytics company that was bought by Digital River. My company is a reseller for Digital River so this program is safe. That particular program is used to update or remove the analytics service.

Filename: ws2_32.dll
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Fri 16 Apr 2010 02:02:55 (CET) Permalink

Filename: ws2help.dll
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 20 Aug 2009 11:06:29 (CET) Permalink

Edited by DC-Rager, 01 June 2010 - 08:27 AM.


#12 gringo_pr

    Bleepin Gringo


  • Malware Response Team

Posted 01 June 2010 - 05:50 PM

Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 6.0.1
    Coupon Printer for Windows
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic


"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo

#13 DC-Rager (Topic Starter, Members, 9 posts, Location: VA)

Posted 01 June 2010 - 09:22 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4162

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/1/2010 10:03:53 PM
mbam-log-2010-06-01 (22-03-53).txt

Scan type: Quick scan
Objects scanned: 126784
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET seems to be taking a while so I'll just let it run tonight and update this post in the morning. I'll be out of town until Sunday evening, so please don't close this thread if you don't hear from me until then. I'll definitely check in with you on Sunday evening.

The PC seems to be running better- no browser redirects and no issues with not getting internet connection on reboots, so it seems we're trending in the right direction. Thanks and I'll have an update with the ESET log tomorrow around 7:30AM EST.

Rob

#14 gringo_pr, Bleepin Gringo (Malware Response Team, 136,773 posts, Gender: Male, Location: Puerto Rico)

Posted 02 June 2010 - 12:07 AM

OK, I will be waiting.


Gringo

#15 DC-Rager (Topic Starter, Members, 9 posts, Location: VA)

Posted 02 June 2010 - 06:31 AM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fa9398d8aa81154f854c2ec7d6b3e2d9
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-06-02 10:02:12
# local_time=2010-06-02 06:02:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 83882294 83882294 0 0
# compatibility_mode=1797 16775141 100 94 766103 47159518 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=233401
# found=45
# cleaned=0
# scan_time=28331
C:\Documents and Settings\Robert Davies\Application Data\Qualcomm\Eudora\In.mbx HTML/Phishing.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Robert Davies\Application Data\Qualcomm\Eudora\In.mbx.001 HTML/Phishing.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Robert Davies\Application Data\Qualcomm\Eudora\In.mbx.002 HTML/Phishing.gen trojan 00000000000000000000000000000000 I
C:\Program Files\WebEx\WebEx\424\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Program Files\WebEx\WebEx\425\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Program Files\WebEx\WebEx\425\webexmgr.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\briddvpb.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cuxehtwo.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dvvoyhun.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jgafrhls.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lhlncxsc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wycdd.bak1.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wycdd.bak2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wycdd.tmp.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2112\A0211986.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2112\A0211987.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2112\A0211988.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2112\A0211989.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2112\A0211990.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\WINDOWS\Downloaded Program Files\WebEx\424\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\WINDOWS\Downloaded Program Files\WebEx\425\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\WINDOWS\Downloaded Program Files\WebEx\425\webexmgr.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\WINDOWS\Downloaded Program Files\WebEx\426\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\WINDOWS\Downloaded Program Files\WebEx\428\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\WINDOWS\Downloaded Program Files\WebEx\428\wbxmgrsa.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\Documents and Settings\Robert Davies\Application Data\Qualcomm\Eudora\In.mbx HTML/Phishing.gen trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\Documents and Settings\Robert Davies\Application Data\Qualcomm\Eudora\In.mbx.001 HTML/Phishing.gen trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\Documents and Settings\Robert Davies\Application Data\Qualcomm\Eudora\In.mbx.002 HTML/Phishing.gen trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\SYSTEM32\briddvpb.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\SYSTEM32\cuxehtwo.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\SYSTEM32\dvvoyhun.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\SYSTEM32\jgafrhls.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\SYSTEM32\lhlncxsc.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\SYSTEM32\wycdd.bak1 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\SYSTEM32\wycdd.bak2 Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\SYSTEM32\wycdd.tmp Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\Downloaded Program Files\WebEx\424\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\Downloaded Program Files\WebEx\425\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\Downloaded Program Files\WebEx\425\webexmgr.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\Downloaded Program Files\WebEx\426\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\Downloaded Program Files\WebEx\428\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\WINDOWS\Downloaded Program Files\WebEx\428\wbxmgrsa.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\Program Files\WebEx\WebEx\424\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\Program Files\WebEx\WebEx\425\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C ©\Program Files\WebEx\WebEx\425\webexmgr.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
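The ESET log above was produced with "Remove found threats" unticked, so it is a report (cleaned=0) and every one of the 45 hits still has to be triaged by hand. What matters for that triage is where each file lives: entries under C:\Qoobox\Quarantine (the quarantine folder ComboFix creates, with a .vir suffix) and under System Volume Information\_restore are inert copies, entries on the J: backup drive are copies that would reinfect C: if that backup were ever restored, HTML/Phishing.gen inside a .mbx file is a phishing message stored in a mailbox rather than executable code, and only the remaining paths are files on the running system. The script below, an added example that is not part of this thread and not an ESET tool, parses the log.txt layout shown above (# key=value header lines, then one detection per line as path, threat name, 32-hex hash, flag) and groups the detections by that location class. The embedded sample log is constructed for the example; its user name, GUID and paths are hypothetical, and the split between the path and the threat name relies on Windows file names never containing a "/" while every ESET threat name is written as Platform/Family.

```python
"""Triage an ESET Online Scanner log.txt: separate live hits from inert copies.

Added example, not part of the thread and not an ESET tool. The sample log is
constructed; user name, GUID and paths are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample in the log.txt layout: a couple of free-text lines,
# '# key=value' header lines, then '<path> <threat name> <32-hex hash> <flag>'.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# scanned=233401
# found=5
# cleaned=0
C:\Documents and Settings\User\Application Data\Qualcomm\Eudora\In.mbx HTML/Phishing.gen trojan 00000000000000000000000000000000 I
C:\Program Files\WebEx\WebEx\425\atpdmod.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\briddvpb.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2112\A0211986.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
J:\Retrospect Backup\Backup of Drive C\WINDOWS\SYSTEM32\wycdd.tmp Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
"""

HEADER = re.compile(r"^# (?P<key>[^=]+)=(?P<value>.*)$")
# The trailing fields are fixed-shape: a 32-hex-digit hash and a short flag.
TRAILER = re.compile(r"^(?P<body>.+) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$")
VARIANT_PREFIXES = (("probably", "a", "variant", "of"), ("a", "variant", "of"))


def split_path_and_threat(body):
    """Split '<path> <threat name>' although both halves may contain spaces.

    Windows file names cannot contain '/', and ESET writes every detection
    name as Platform/Family (e.g. Win32/Genetik), so the first token holding
    a '/' starts the threat name; a 'probably a variant of' prefix, when
    present, is pulled back in front of it.
    """
    tokens = body.split(" ")
    start = next((i for i, t in enumerate(tokens) if "/" in t), None)
    if start is None:
        return body, ""
    for prefix in VARIANT_PREFIXES:
        n = len(prefix)
        if start >= n and tuple(tokens[start - n:start]) == prefix:
            start -= n
            break
    return " ".join(tokens[:start]), " ".join(tokens[start:])


def parse_detection(line):
    """Return (path, threat, flag) for a detection line, None for anything else."""
    m = TRAILER.match(line.rstrip("\r\n"))
    if not m:
        return None
    path, threat = split_path_and_threat(m.group("body"))
    return path, threat, m.group("flag")


def classify(path):
    """Say where a detected file lives; that decides what to do about it."""
    lower = path.lower()
    if "\\qoobox\\quarantine\\" in lower or lower.endswith(".vir"):
        return "quarantine"      # already neutralised by ComboFix
    if "\\system volume information\\_restore" in lower:
        return "restore_point"   # inert unless System Restore rolls back to it
    if "backup" in lower and not lower.startswith("c:\\"):
        return "backup"          # restoring this backup would reinfect C:
    if lower.endswith((".mbx", ".pst", ".dbx")):
        return "mail_store"      # a phishing message inside a mailbox, not code
    return "live"                # on the running system: examine before deleting


def triage(log_text):
    """Parse the header into a dict and group detections by location class."""
    header, groups = {}, defaultdict(list)
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            header[h.group("key")] = h.group("value")
            continue
        det = parse_detection(line)
        if det:
            path, threat, _flag = det
            groups[classify(path)].append((path, threat))
    return header, dict(groups)


if __name__ == "__main__":
    hdr, grp = triage(SAMPLE_LOG)
    print(f"found={hdr.get('found')} cleaned={hdr.get('cleaned')}")
    for kind, items in sorted(grp.items()):
        print(f"[{kind}] {len(items)} item(s)")
        for path, threat in items:
            print(f"    {threat:45s} {path}")
```

Run it against a real log.txt by reading the file and passing its text to triage(). Only the "live" group needs a decision per file; a heuristic name such as "probably a variant of" on a vendor's signed plugin is a reason to check the file's publisher signature and hash before deleting it, while the quarantine and restore-point groups are cleared by purging old restore points and the tool's quarantine once the machine is confirmed clean, and the backup group is a warning that the backup set itself carries the infection.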