
[Resolved] spyware/ fake antivirus


  • This topic is locked
29 replies to this topic

#1 83valentine

  • Authentic Member
  • 112 posts
Posted 31 October 2009 - 01:49 PM

This is a work computer running Windows XP Pro. The system is set up with multiple users. Under one user, we keep getting a pop-up that says Security Tool has found numerous viruses and prompts you to purchase a program to clean it up. The program loads at startup under the one user. I can temporarily disable it by removing it from the startup folder, but it returns on its own. I have run HouseCall and it found several viruses and either deleted or quarantined them successfully. Also, when logged in as the user with problems, internet use is slow, mostly under Yahoo mail. I was unable to run RootRepeal; it keeps locking up on initializing and not doing anything. Tried deleting and reinstalling from a different site with no success.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 13:38:58.91 on Sat 10/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.575.267 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\administrator.GONPH\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dellnet.com
uStart Page = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = localhost
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9b.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [DadApp] c:\program files\dell\accessdirect\dadapp.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~3.lnk - c:\windows\installer\{00030409-78e1-11d2-b60f-006097c998e7}\misc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\truemo~1.lnk - c:\program files\dell truemobile 1150\client manager\CmDEL.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238518757834
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

============= SERVICES / DRIVERS ===============

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2005-6-1 183808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2005-6-1 25088]
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [2002-2-22 65916]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [2005-6-17 171520]
S3 MSSQL$VIA_MSDE;MSSQL$VIA_MSDE;c:\program files\microsoft sql server\mssql$via_msde\binn\sqlservr.exe [2005-5-4 9150464]
S3 SQLAgent$VIA_MSDE;SQLAgent$VIA_MSDE;c:\program files\microsoft sql server\mssql$via_msde\binn\sqlagent.EXE [2005-5-3 323584]

=============== Created Last 30 ================

2009-10-31 13:08 <DIR> --d-h--- C:\BJPrinter
2009-10-26 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\wosakoye
2009-10-26 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\tevajige
2009-10-26 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kotugava
2009-10-26 11:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yadokibo
2009-10-26 11:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\nuvenida
2009-10-26 11:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\loneloho
2009-10-26 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\goguzeve
2009-10-26 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vekoniri
2009-10-26 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\japufeku
2009-10-25 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yenokidi
2009-10-25 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\rubabofa
2009-10-25 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\depawola
2009-10-25 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\wuvadefo
2009-10-25 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\witusaga
2009-10-25 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\bafopaga
2009-10-24 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\wivehogo
2009-10-24 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\welojehi
2009-10-24 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\giyujuyo
2009-10-24 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yohiyoto
2009-10-24 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\midipoyo
2009-10-24 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fuselefu
2009-10-23 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\wetitofa
2009-10-23 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\tanuzefu
2009-10-23 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\mozesupu
2009-10-23 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\83189332
2009-10-23 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pojuwige
2009-10-23 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\midifatu
2009-10-23 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\banubulo
2009-10-22 23:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\nolahaga
2009-10-22 23:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\mopohipe
2009-10-22 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yeminubo
2009-10-22 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\sisanuza
2009-10-22 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\gopavizi
2009-10-22 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\tazaloju
2009-10-22 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\lujigapi
2009-10-22 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jayekidu
2009-10-20 05:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jotuyiho
2009-10-20 05:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fofarohi
2009-10-20 05:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fafiwilu
2009-10-19 04:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\zufanazu
2009-10-19 04:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kukapaje
2009-10-19 04:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fekojihi
2009-10-18 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yaniwivo
2009-10-18 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jimunevi
2009-10-18 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\bowugoza
2009-10-18 04:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\noguwume
2009-10-18 04:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kinaweti
2009-10-18 04:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jovegovo
2009-10-17 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vanahuzu
2009-10-17 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fonaraju
2009-10-17 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\bupugoki
2009-10-17 04:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yiyomero
2009-10-17 04:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\katuziji
2009-10-17 04:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\botekuyu
2009-10-16 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pefemizi
2009-10-16 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ladosimu
2009-10-16 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\hobozodo
2009-10-16 04:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\zekorazi
2009-10-16 04:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jidomuye
2009-10-16 04:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\dinekega
2009-10-15 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\beliyupa
2009-10-15 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\zatavido
2009-10-15 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\sesameto
2009-10-15 04:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\rogawihe
2009-10-15 04:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\hokalehu
2009-10-15 04:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\gogitaya
2009-10-14 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\zofenuhi
2009-10-14 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fahumaki
2009-10-14 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\buvatolo
2009-10-14 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fimijeza
2009-10-14 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\raheleyu
2009-10-14 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kaboyene
2009-10-14 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jatibusu
2009-10-14 04:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yorokuzi
2009-10-14 04:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\tibepozi
2009-10-14 04:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\juhumuyo
2009-10-13 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\tukuhegu
2009-10-13 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\muhoyawa
2009-10-13 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jevayeyi
2009-10-13 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\hekazezi
2009-10-13 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\zifewiba
2009-10-13 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\netojeke
2009-10-13 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kerojade
2009-10-13 13:52 157,712 a------- c:\windows\system32\drivers\tmcomm.sys
2009-10-12 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\zugilesu
2009-10-12 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\nozarihu
2009-10-12 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\nitinala
2009-10-12 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\towamusi
2009-10-12 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\mofohufu
2009-10-12 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vejajiha
2009-10-12 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\tumeleta
2009-10-12 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\daviheno
2009-10-09 15:36 6,583 a------- C:\all
2009-10-09 14:43 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-10-09 14:41 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-10-09 14:40 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-10-08 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\nevafeja
2009-10-08 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yovejipa
2009-10-08 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\wadurako
2009-10-08 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fofigubu
2009-10-08 03:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\koteguge
2009-10-08 03:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jegufedo
2009-10-08 03:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\bazomobu
2009-10-08 03:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\yuyabage
2009-10-08 03:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kimiloko
2009-10-08 03:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\sokiduni
2009-10-08 03:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\gugofehi
2009-10-07 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\jivovehe
2009-10-07 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\zuyaluse
2009-10-07 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vehanabu
2009-10-07 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\powuneba
2009-10-06 14:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vazileyo
2009-10-06 14:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\towezajo
2009-10-06 14:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\piwozasu

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll

============= FINISH: 13:40:14.85 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:38 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238518757834
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O17 - HKLM\Software\..\Telephony: DomainName = GONPH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GONPH.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7948 bytes
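The "Created Last 30" section of the DDS log above is the most telling part of the first post: dozens of eight-letter, pronounceable folder names (wosakoye, tevajige, kotugava, ...) created in groups of three under All Users\Application Data at roughly twelve-hour intervals, plus the all-digit folder 83189332 that Malwarebytes later identified as Rogue.Multiple. The following Python script is an added example, not part of the original post or of the DDS tool; it parses lines in the DDS "Created Last 30" format, flags directories under applic~1 whose names fit the two patterns seen in the log, and groups the hits by creation timestamp to expose the burst pattern. The sample lines are constructed excerpts in the shape of the log above, and the consonant-vowel and all-digit name heuristics are assumptions drawn from this one log rather than a general rule.

```python
import re
from collections import Counter

# One DDS "Created Last 30" line: "<date> <time> <DIR or byte size> <attributes> <path>"
_LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

# Name heuristics assumed from the log above (not a general rule):
# eight lowercase letters alternating consonant/vowel ("wosakoye"),
# or an all-digit eight-character folder ("83189332").
_CV_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
_DIGITS_RE = re.compile(r"^\d{8}$")

# Constructed sample lines, excerpted in the shape of the DDS log above.
SAMPLE_LINES = [
    r"2009-10-31 13:08 <DIR> --d-h--- C:\BJPrinter",
    r"2009-10-26 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\wosakoye",
    r"2009-10-26 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\tevajige",
    r"2009-10-26 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kotugava",
    r"2009-10-23 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\83189332",
    r"2009-10-13 13:52 157,712 a------- c:\windows\system32\drivers\tmcomm.sys",
    r"2009-10-09 14:43 153,088 -c------ c:\windows\system32\dllcache\triedit.dll",
]


def parse_created_lines(lines):
    """Parse DDS 'Created Last 30' lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("path").split("\\")
        entries.append({
            "when": f"{m.group('date')} {m.group('time')}",
            "is_dir": m.group("size") == "<DIR>",
            "parent": parts[-2].lower() if len(parts) > 1 else "",
            "name": parts[-1],
            "path": m.group("path"),
        })
    return entries


def is_random_name(name):
    """True if the folder name matches either rogue-style pattern seen in the log."""
    return bool(_CV_RE.match(name) or _DIGITS_RE.match(name))


def flag_rogue_dirs(entries, parent="applic~1"):
    """Directories under the given parent (8.3 form of Application Data) with random-looking names."""
    return [e for e in entries
            if e["is_dir"] and e["parent"] == parent and is_random_name(e["name"])]


def creation_bursts(flagged, min_count=2):
    """Timestamps at which at least min_count flagged folders were created together."""
    counts = Counter(e["when"] for e in flagged)
    return {when: n for when, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    entries = parse_created_lines(SAMPLE_LINES)
    flagged = flag_rogue_dirs(entries)
    for e in flagged:
        print(e["when"], e["path"])
    for when, n in sorted(creation_bursts(flagged).items()):
        print(f"burst: {n} random-named folders created at {when}")
```

Run against the full "Created Last 30" section, the burst report shows the twelve-hour cadence directly, which is a stronger signal than any single folder name: legitimate installers do not create three throwaway folders in Application Data twice a day. The numeric folder is the one worth correlating with the Malwarebytes result further down the thread.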


#2 ken545

  • Forum God
  • Classroom Teacher
  • MVP
  • 23,207 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
Posted 31 October 2009 - 07:01 PM

:welcome:

Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <-- Don't forget this
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Just a reminder that threads will be closed if no reply in 3 days.


#3 83valentine

  • Authentic Member
  • 112 posts
Posted 31 October 2009 - 07:41 PM

Malwarebytes' Anti-Malware 1.41
Database version: 3072
Windows 5.1.2600 Service Pack 3

10/31/2009 8:33:58 PM
mbam-log-2009-10-31 (20-33-58).txt

Scan type: Quick Scan
Objects scanned: 169441
Time elapsed: 23 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\83189332 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\83189332\83189332.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\doctor\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\doctor\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:54 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238518757834
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O17 - HKLM\Software\..\Telephony: DomainName = GONPH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GONPH.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7588 bytes
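As an added, defender-side example (it is not code from this thread, from HijackThis, or from any of the tools the helpers recommend), the script below parses lines in the HijackThis log format shown above and flags the entries a reviewer would normally check first: an O2 BHO registered with "(no name)", an O4 Run entry that names a bare file resolved through the search path rather than a full path, a Global Startup shortcut whose target could not be resolved ("= ?"), and an O23 service whose binary carries no company name. The sample lines are copied from the log above; the review rules, the `HjtEntry`/`Finding` types and the `review()` function are this example's own heuristics, and a flag means "verify this entry", not "this entry is malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")


@dataclass
class HjtEntry:
    code: str   # section code, e.g. "O4"
    body: str   # everything after "O4 - "


@dataclass
class Finding:
    code: str
    body: str
    reason: str


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn raw log text into entries; lines that are not HJT entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("code"), m.group("body")))
    return entries


def run_command(body: str) -> Optional[str]:
    """For an 'O4 - ...\\Run: [name] command' entry, return the executable token.

    Returns None when the entry is not a Run-key entry (e.g. a Global Startup line).
    """
    m = re.match(r".*\\Run: \[[^\]]*\]\s+(.*)$", body)
    if not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith('"'):            # quoted path: take everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def review(entries: List[HjtEntry]) -> List[Finding]:
    """Apply this example's own review heuristics; a Finding means 'check this', nothing more."""
    findings = []
    for e in entries:
        if e.code == "O2" and "(no name)" in e.body:
            findings.append(Finding(e.code, e.body,
                "BHO registered without a name; confirm the DLL's publisher before keeping it"))
        elif e.code == "O4":
            exe = run_command(e.body)
            if exe is not None and "\\" not in exe:
                findings.append(Finding(e.code, e.body,
                    "Run entry uses a bare filename resolved via the search path; confirm which file actually loads"))
            elif exe is None and e.body.endswith("= ?"):
                findings.append(Finding(e.code, e.body,
                    "startup shortcut target could not be resolved; open the .lnk and check where it points"))
        elif e.code == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.code, e.body,
                "service binary carries no company name; verify its signature or hash"))
    return findings


if __name__ == "__main__":
    for f in review(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.code}] {f.reason}\n    {f.body}")
```

Run against a full log the script prints one line per flagged entry; everything it does not flag still deserves the usual cross-check against the process list and the ComboFix output, since a correct-looking path and a company string are easy for malware to fake.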

#4 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 31 October 2009 - 08:27 PM

Hi,


Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.




Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.



#5 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 31 October 2009 - 09:46 PM

ComboFix 09-10-30.01 - Administrator 10/31/2009 22:25.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.575.297 [GMT -5:00]
Running from: c:\documents and settings\administrator.GONPH\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-11-01 01:08 . 2009-11-01 01:08 -------- d-----w- c:\documents and settings\administrator.GONPH\Application Data\Malwarebytes
2009-11-01 01:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 01:08 . 2009-11-01 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-01 01:08 . 2009-11-01 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 01:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 18:32 . 2009-10-31 18:33 -------- d-----w- c:\program files\ERUNT
2009-10-31 18:08 . 2009-10-31 18:08 -------- d-----w- C:\BJPrinter
2009-10-29 12:19 . 2009-10-29 12:19 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Apple Computer
2009-10-29 12:19 . 2009-10-29 12:19 -------- d-----w- c:\documents and settings\tech\Application Data\Apple Computer
2009-10-29 12:13 . 2009-10-29 12:13 -------- d-----w- c:\documents and settings\tech\Application Data\Yahoo!
2009-10-27 20:22 . 2009-10-29 16:57 -------- d-----w- c:\documents and settings\tech\Application Data\HPAppData
2009-10-27 04:18 . 2009-10-27 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\wosakoye
2009-10-27 04:18 . 2009-10-27 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\tevajige
2009-10-27 04:18 . 2009-10-27 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\kotugava
2009-10-26 16:20 . 2009-10-26 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\yadokibo
2009-10-26 16:20 . 2009-10-26 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\nuvenida
2009-10-26 16:20 . 2009-10-26 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\loneloho
2009-10-26 16:18 . 2009-10-26 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\goguzeve
2009-10-26 16:18 . 2009-10-26 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\vekoniri
2009-10-26 16:18 . 2009-10-26 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\japufeku
2009-10-26 04:18 . 2009-10-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\yenokidi
2009-10-26 04:18 . 2009-10-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\rubabofa
2009-10-26 04:18 . 2009-10-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\depawola
2009-10-25 16:18 . 2009-10-25 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\wuvadefo
2009-10-25 16:18 . 2009-10-25 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\witusaga
2009-10-25 16:18 . 2009-10-25 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\bafopaga
2009-10-25 04:18 . 2009-10-25 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\wivehogo
2009-10-25 04:18 . 2009-10-25 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\welojehi
2009-10-25 04:18 . 2009-10-25 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\giyujuyo
2009-10-24 16:18 . 2009-10-24 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\yohiyoto
2009-10-24 16:18 . 2009-10-24 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\midipoyo
2009-10-24 16:18 . 2009-10-24 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\fuselefu
2009-10-24 04:18 . 2009-10-24 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\wetitofa
2009-10-24 04:18 . 2009-10-24 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\tanuzefu
2009-10-24 04:18 . 2009-10-24 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\mozesupu
2009-10-23 16:17 . 2009-10-23 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\pojuwige
2009-10-23 16:17 . 2009-10-23 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\midifatu
2009-10-23 16:17 . 2009-10-23 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\banubulo
2009-10-23 04:17 . 2009-10-23 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\nolahaga
2009-10-23 04:17 . 2009-10-23 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\mopohipe
2009-10-22 16:18 . 2009-10-26 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\yeminubo
2009-10-22 16:18 . 2009-10-26 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\sisanuza
2009-10-22 16:18 . 2009-10-26 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\gopavizi
2009-10-22 16:17 . 2009-10-22 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\tazaloju
2009-10-22 16:17 . 2009-10-22 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\lujigapi
2009-10-22 16:17 . 2009-10-22 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\jayekidu
2009-10-20 13:43 . 2009-10-20 13:43 -------- d-----w- c:\documents and settings\tech\Application Data\HP
2009-10-20 13:42 . 2009-10-20 13:42 -------- d-----w- c:\documents and settings\tech\Application Data\Xerox
2009-10-20 10:20 . 2009-10-20 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\jotuyiho
2009-10-20 10:20 . 2009-10-20 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\fofarohi
2009-10-20 10:20 . 2009-10-20 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\fafiwilu
2009-10-19 09:07 . 2009-10-19 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\zufanazu
2009-10-19 09:07 . 2009-10-19 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\kukapaje
2009-10-19 09:07 . 2009-10-19 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\fekojihi
2009-10-18 21:06 . 2009-10-18 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\yaniwivo
2009-10-18 21:06 . 2009-10-18 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\jimunevi
2009-10-18 21:06 . 2009-10-18 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\bowugoza
2009-10-18 09:06 . 2009-10-18 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\noguwume
2009-10-18 09:06 . 2009-10-18 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\kinaweti
2009-10-18 09:06 . 2009-10-18 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\jovegovo
2009-10-17 21:06 . 2009-10-17 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\vanahuzu
2009-10-17 21:06 . 2009-10-17 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\fonaraju
2009-10-17 21:06 . 2009-10-17 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\bupugoki
2009-10-17 09:06 . 2009-10-17 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\yiyomero
2009-10-17 09:06 . 2009-10-17 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\katuziji
2009-10-17 09:06 . 2009-10-17 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\botekuyu
2009-10-16 21:05 . 2009-10-16 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\pefemizi
2009-10-16 21:05 . 2009-10-16 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ladosimu
2009-10-16 21:05 . 2009-10-16 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\hobozodo
2009-10-16 09:05 . 2009-10-16 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\zekorazi
2009-10-16 09:05 . 2009-10-16 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\jidomuye
2009-10-16 09:05 . 2009-10-16 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\dinekega
2009-10-15 21:05 . 2009-10-15 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\beliyupa
2009-10-15 21:05 . 2009-10-15 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\zatavido
2009-10-15 21:05 . 2009-10-15 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\sesameto
2009-10-15 09:05 . 2009-10-15 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\rogawihe
2009-10-15 09:05 . 2009-10-15 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\hokalehu
2009-10-15 09:05 . 2009-10-15 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\gogitaya
2009-10-13 21:05 . 2009-10-13 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\hekazezi
2009-10-13 21:05 . 2009-10-13 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\kerojade
2009-10-13 21:05 . 2009-10-13 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\zifewiba
2009-10-13 21:05 . 2009-10-13 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\netojeke
2009-10-13 18:52 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-12 13:14 . 2009-10-13 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\zugilesu
2009-10-12 13:14 . 2009-10-13 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\nozarihu
2009-10-12 13:14 . 2009-10-13 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\nitinala
2009-10-12 13:14 . 2009-10-12 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\towamusi
2009-10-12 13:14 . 2009-10-12 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\mofohufu
2009-10-12 13:14 . 2009-10-12 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\vejajiha
2009-10-12 13:14 . 2009-10-12 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\tumeleta
2009-10-12 13:14 . 2009-10-12 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\daviheno
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Xerox
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\documents and settings\elincadmin\Application Data\Xerox
2009-10-09 19:43 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-09 19:41 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-09 19:35 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-09 19:35 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-09 19:35 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-09 19:35 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-09 19:35 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-09 19:35 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-09 19:35 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-09 19:35 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-09 19:35 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-09 19:35 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-09 19:35 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-08 20:09 . 2009-10-13 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\nevafeja
2009-10-08 20:09 . 2009-10-13 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\yovejipa
2009-10-08 20:09 . 2009-10-08 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\wadurako
2009-10-08 20:09 . 2009-10-08 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\fofigubu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 01:43 . 2009-01-06 17:36 -------- d-----w- c:\documents and settings\administrator.GONPH\Application Data\HPAppData
2009-10-31 19:40 . 2005-06-01 20:25 62248 ----a-w- c:\documents and settings\administrator.GONPH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-31 18:41 . 2005-06-01 20:36 -------- d-----w- c:\program files\Trend Micro
2009-10-23 04:18 . 2009-01-06 19:02 -------- d-----w- c:\documents and settings\doctor\Application Data\HPAppData
2009-10-22 16:18 . 2009-10-14 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\zofenuhi
2009-10-22 16:18 . 2009-10-14 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\fahumaki
2009-10-22 16:18 . 2009-10-14 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\buvatolo
2009-10-22 16:01 . 2003-11-05 21:45 -------- d-----w- c:\program files\HESKA
2009-10-14 21:05 . 2009-10-13 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\muhoyawa
2009-10-14 21:05 . 2009-10-13 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\tukuhegu
2009-10-14 21:05 . 2009-10-13 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\jevayeyi
2009-10-14 21:05 . 2009-10-14 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\fimijeza
2009-10-14 21:05 . 2009-10-14 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\raheleyu
2009-10-14 21:05 . 2009-10-14 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\kaboyene
2009-10-14 21:05 . 2009-10-14 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\jatibusu
2009-10-14 09:04 . 2009-10-14 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\yorokuzi
2009-10-14 09:04 . 2009-10-14 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\tibepozi
2009-10-14 09:04 . 2009-10-14 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\juhumuyo
2009-10-13 20:58 . 2009-10-07 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\zuyaluse
2009-10-13 20:58 . 2009-10-08 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\sokiduni
2009-10-13 20:58 . 2009-10-07 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\powuneba
2009-10-12 13:14 . 2009-10-08 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\koteguge
2009-10-12 13:14 . 2009-10-08 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\jegufedo
2009-10-12 13:14 . 2009-10-08 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\bazomobu
2009-10-09 20:44 . 2002-01-22 09:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-08 08:09 . 2009-10-06 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\vazileyo
2009-10-08 08:09 . 2009-10-06 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\towezajo
2009-10-08 08:09 . 2009-10-06 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\piwozasu
2009-10-08 08:09 . 2009-10-08 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\yuyabage
2009-10-08 08:09 . 2009-10-08 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\kimiloko
2009-10-08 08:09 . 2009-10-08 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\gugofehi
2009-10-07 20:09 . 2009-10-07 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\jivovehe
2009-10-07 20:09 . 2009-10-07 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\vehanabu
2009-09-08 20:26 . 2009-09-08 20:26 62248 ----a-w- c:\documents and settings\doctor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2004-06-09 16384]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="c:\program files\DELL\AccessDirect\dadapp.exe" [2001-09-07 189480]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2002-01-22 26112]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-05-21 90112]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-07 303104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]
"AtiPTA"="atiptaxx.exe" - c:\windows\SYSTEM32\atiptaxx.exe [2001-09-17 245760]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-1-30 299008]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-6-9 169472]
Microsoft Office Shortcut Bar.lnk - c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe [2002-1-28 28160]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
TrueMobile 1150 Client Manager.lnk - c:\program files\Dell TrueMobile 1150\Client Manager\CmDEL.exe [2005-6-14 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1111\Scripts\Logon\0\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 MSSQL$VIA_MSDE;MSSQL$VIA_MSDE;c:\program files\Microsoft SQL Server\MSSQL$VIA_MSDE\Binn\sqlservr.exe [2005-05-04 9150464]
S3 Ich;Ich;c:\windows\system32\DRIVERS\Ich.sys [2002-01-13 65916]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 20:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = localhost
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Works2002Setup - c:\program files\Microsoft Works Suite 2002\Setup\Launcher.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 22:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-01 22:39
ComboFix-quarantined-files.txt 2009-11-01 03:39

Pre-Run: 4,084,686,848 bytes free
Post-Run: 4,058,595,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

- - End Of File - - 5E274727B1226BEE31237CF6867BE45B
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:09 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238518757834
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O17 - HKLM\Software\..\Telephony: DomainName = GONPH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GONPH.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7260 bytes

#6 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 November 2009 - 04:54 AM

Run this tool please

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    c:\documents and settings\All Users\Application Data
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#7 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 01 November 2009 - 06:57 AM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 06:49 on 01/11/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "c:\documents and settings\All Users\Application Data"
No files found.

-=End Of File=-

#8 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 November 2009 - 08:19 AM

Let's just go a bit further.

Plug this into SystemLook:

:dir
c:\documents and settings\All Users\Application Data\wosakoye



#9 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 01 November 2009 - 09:55 AM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:55 on 01/11/2009 by Administrator (Administrator - Elevation successful)

========== dir ==========

c:\documents and settings\All Users\Application Data\wosakoye - Parameters: "(none)"

---Files---
wosakoye.dll	--ahs- 89088 bytes	[04:18 27/07/2009]	[04:18 27/07/2009]

---Folders---
None found.

-=End Of File=-

#10 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 November 2009 - 11:04 AM

I am almost 100% sure these files are bad, but I always like to check first before we delete them.

You need to enable Windows to show all files and folders; instructions Here.

Go to VirusTotal and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see.

c:\documents and settings\All Users\Application Data\wosakoye\wosakoye.dll



#11 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 01 November 2009 - 01:05 PM

File wosakoye.dll received on 2009.11.01 19:00:05 (UTC)

Antivirus	Version	Last Update	Result
a-squared	4.5.0.41	2009.11.01	Trojan.Win32.Vundo!IK
AhnLab-V3	5.0.0.2	2009.10.30	-
AntiVir	7.9.1.53	2009.10.30	-
Antiy-AVL	2.0.3.7	2009.10.30	-
Authentium	5.1.2.4	2009.11.01	-
Avast	4.8.1351.0	2009.11.01	-
AVG	8.5.0.423	2009.11.01	Vundo.IH
BitDefender	7.2	2009.11.01	Trojan.Vundo.GQS
CAT-QuickHeal	10.00	2009.10.31	-
ClamAV	0.94.1	2009.11.01	-
Comodo	2806	2009.11.01	UnclassifiedMalware
DrWeb	5.0.0.12182	2009.11.01	-
eSafe	7.0.17.0	2009.11.01	Suspicious File
eTrust-Vet	35.1.7094	2009.10.30	-
F-Prot	4.5.1.85	2009.11.01	W32/Virtumonde.BO.gen!Eldorado
F-Secure	9.0.15370.0	2009.10.30	-
Fortinet	3.120.0.0	2009.11.01	W32/Vundo.GHJ!tr
GData	19	2009.11.01	Trojan.Vundo.GQS
Ikarus	T3.1.1.72.0	2009.11.01	Trojan.Win32.Vundo
Jiangmin	11.0.800	2009.11.01	-
K7AntiVirus	7.10.885	2009.10.31	-
Kaspersky	7.0.0.125	2009.11.01	-
McAfee	5789	2009.11.01	Vundo.gen.ab
McAfee+Artemis	5789	2009.11.01	Vundo.gen.ab
McAfee-GW-Edition	6.8.5	2009.11.01	Heuristic.BehavesLike.Win32.Adware.B
Microsoft	1.5202	2009.11.01	Trojan:Win32/Vundo.gen!G
NOD32	4563	2009.11.01	a variant of Win32/Adware.Virtumonde.NFY
Norman	6.03.02	2009.11.01	-
nProtect	2009.1.8.0	2009.11.01	-
Panda	10.0.2.2	2009.11.01	Suspicious file
PCTools	7.0.3.5	2009.10.30	-
Prevx	3.0	2009.11.01	-
Rising	21.53.62.00	2009.11.01	-
Sophos	4.47.0	2009.11.01	Troj/Virtum-Gen
Sunbelt	3.2.1858.2	2009.11.01	-
Symantec	1.4.4.12	2009.11.01	-
TheHacker	6.5.0.2.058	2009.10.31	-
TrendMicro	8.950.0.1094	2009.11.01	-
VBA32	3.12.10.11	2009.10.30	-
ViRobot	2009.10.31.2015	2009.10.31	-
VirusBuster	4.6.5.0	2009.10.31	-

Additional information
File size: 89088 bytes
MD5...: 2d83ffaeb4ac800371f18f94db609f71
SHA1..: 46e42a733bc211de5a7d8a10538b922860a580d4
SHA256: e5dddc46a9b92997ee8af30f4545ce826bea03b44200f77d8ff9998412290702
ssdeep: 1536:bKWqGX6mew0vaGVUGQv5ZLN+cVWAsZgEY8HSNaTrGXs/bWSIcy73jFrPo3h
TN:hqGK/waaGVShUqWAmPHqKurjNoZN
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2607f
timedatestamp.....: 0x4a93a503 (Tue Aug 25 08:46:59 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name	viradd	virsiz	rawdsiz	ntrpy	md5
.text	0x1000	0x1000	0x200	7.58	32cf6562201d2276e72d36938b4c4910
.rdata	0x2000	0x23000	0x12800	8.00	690df317dfea0ce0d259f4a5ac477c1a
.data	0x25000	0x1000	0x400	0.96	bc898483e8fe6691811466a63118ac9f
.RCODE	0x26000	0x3000	0x2800	3.81	4d3ff869826b95fa4bed159927c7394f
_	0x29000	0x1000	0x200	0.00	bf619eac0cdf3f68d496ea9344137e8b

( 2 imports )
> SHLWAPI.dll: StrFormatKBSizeW, PathAddBackslashW, PathBuildRootW
> USER32.dll: MessageBoxW, DispatchMessageW, TranslateMessage, GetDC, SendMessageA, MessageBeep, DialogBoxIndirectParamA

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Dynamic Link Library (generic) (55.7%)
Clipper DOS Executable (14.8%)
Generic Win/DOS Executable (14.7%)
DOS Executable Generic (14.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
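The triage ken545 asks for in #10 and the VirusTotal report it produced above, as an added example that is not part of this thread and not a tool anyone in it used: a small Python script that walks an Application Data folder for the drop pattern visible in the SystemLook and ComboFix output (an eight-letter lowercase folder holding a same-named .dll, .exe or .dll.tmp), records the hidden/system attributes SystemLook printed as --ahs-, hashes each payload with MD5, SHA1 and SHA256 for a VirusTotal lookup, and compares the MD5 against a known-bad set. The known-bad constant is the MD5 VirusTotal reported for wosakoye.dll above; the sample directory tree, its file contents and the folder names other than wosakoye are constructed for the demo, and the attribute check only returns a value on Windows.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# MD5 of wosakoye.dll as reported by VirusTotal in this thread.
VUNDO_MD5_FROM_THREAD = "2d83ffaeb4ac800371f18f94db609f71"

# Drop pattern seen in the SystemLook / ComboFix logs above: an eight-letter
# lowercase folder holding a payload with the same base name.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
PAYLOAD_SUFFIXES = (".dll", ".exe", ".dll.tmp")

# Windows file attribute bits (SystemLook's 'h' and 's' in --ahs-).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


@dataclass
class Finding:
    folder: str
    payload: str
    size: int
    md5: str
    sha1: str
    sha256: str
    hidden_or_system: Optional[bool]  # None when not running on Windows
    known_bad: bool


def hash_file(path: str) -> Dict[str, str]:
    """Stream the file once, computing the three digests VirusTotal reports."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hidden_or_system(path: str) -> Optional[bool]:
    """Windows only: True if the file carries the hidden or system attribute."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def payload_matches(folder_name: str, file_name: str) -> bool:
    """True when file_name is folder_name plus one of the payload suffixes."""
    return any(file_name == folder_name + s for s in PAYLOAD_SUFFIXES)


def scan_app_data(root: str, known_bad_md5: Set[str] = frozenset()) -> List[Finding]:
    """Inspect the immediate subfolders of root and report Vundo-style drops."""
    bad = {k.lower() for k in known_bad_md5}
    findings: List[Finding] = []
    for entry in sorted(os.listdir(root)):
        folder = os.path.join(root, entry)
        if not os.path.isdir(folder) or not RANDOM_NAME.match(entry):
            continue
        for name in sorted(os.listdir(folder)):
            if not payload_matches(entry, name):
                continue
            path = os.path.join(folder, name)
            h = hash_file(path)
            findings.append(Finding(
                folder=folder, payload=name, size=os.path.getsize(path),
                md5=h["md5"], sha1=h["sha1"], sha256=h["sha256"],
                hidden_or_system=hidden_or_system(path),
                known_bad=h["md5"] in bad,
            ))
    return findings


def build_sample_tree() -> str:
    """Constructed sample: a fake Application Data tree with one Vundo-style
    folder and two folders that must not be flagged. Contents are dummy bytes."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "wosakoye"))
    with open(os.path.join(root, "wosakoye", "wosakoye.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100)  # constructed placeholder, not the real DLL
    os.makedirs(os.path.join(root, "Microsoft"))  # mixed case, not the pattern
    with open(os.path.join(root, "Microsoft", "settings.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 10)
    os.makedirs(os.path.join(root, "settings"))  # eight letters, no same-named payload
    with open(os.path.join(root, "settings", "readme.txt"), "wb") as fh:
        fh.write(b"benign")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_app_data(root, {VUNDO_MD5_FROM_THREAD}):
        print(f"{f.folder}\\{f.payload}  {f.size} bytes  md5={f.md5}  "
              f"hidden/system={f.hidden_or_system}  known_bad={f.known_bad}")
```

On a real machine you would point `scan_app_data` at `c:\documents and settings\All Users\Application Data` with "show hidden files" enabled, as ken545 instructs, and submit any payload whose hashes are not already known to VirusTotal; the name pattern alone is a triage hint, and the hash comparison is what confirms a match against a report like the one above.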

#12 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 November 2009 - 01:49 PM

Hi,

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::


File::
c:\documents and settings\doctor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\administrator.GONPH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

Folder::
c:\documents and settings\All Users\Application Data\wosakoye
c:\documents and settings\All Users\Application Data\tevajige
c:\documents and settings\All Users\Application Data\kotugava
c:\documents and settings\All Users\Application Data\yadokibo
c:\documents and settings\All Users\Application Data\nuvenida
c:\documents and settings\All Users\Application Data\loneloho
c:\documents and settings\All Users\Application Data\goguzeve
c:\documents and settings\All Users\Application Data\vekoniri
c:\documents and settings\All Users\Application Data\japufeku
c:\documents and settings\All Users\Application Data\rubabofa
c:\documents and settings\All Users\Application Data\depawola
c:\documents and settings\All Users\Application Data\wuvadefo
c:\documents and settings\All Users\Application Data\witusaga
c:\documents and settings\All Users\Application Data\bafopaga
c:\documents and settings\All Users\Application Data\wivehogo
c:\documents and settings\All Users\Application Data\welojehi
c:\documents and settings\All Users\Application Data\giyujuyo
c:\documents and settings\All Users\Application Data\yohiyoto
c:\documents and settings\All Users\Application Data\midipoyo
c:\documents and settings\All Users\Application Data\fuselefu
c:\documents and settings\All Users\Application Data\wetitofa
c:\documents and settings\All Users\Application Data\tanuzefu
c:\documents and settings\All Users\Application Data\mozesupu
c:\documents and settings\All Users\Application Data\pojuwige
c:\documents and settings\All Users\Application Data\midifatu
c:\documents and settings\All Users\Application Data\banubulo
c:\documents and settings\All Users\Application Data\nolahaga
c:\documents and settings\All Users\Application Data\mopohipe
c:\documents and settings\All Users\Application Data\yeminubo
c:\documents and settings\All Users\Application Data\sisanuza
c:\documents and settings\All Users\Application Data\gopavizi
c:\documents and settings\All Users\Application Data\tazaloju
c:\documents and settings\All Users\Application Data\lujigapi
c:\documents and settings\All Users\Application Data\jayekidu
c:\documents and settings\All Users\Application Data\jotuyiho
c:\documents and settings\All Users\Application Data\fofarohi
c:\documents and settings\All Users\Application Data\fafiwilu
c:\documents and settings\All Users\Application Data\zufanazu
c:\documents and settings\All Users\Application Data\kukapaje
c:\documents and settings\All Users\Application Data\fekojihi
c:\documents and settings\All Users\Application Data\yaniwivo
c:\documents and settings\All Users\Application Data\jimunevi
c:\documents and settings\All Users\Application Data\bowugoza
c:\documents and settings\All Users\Application Data\noguwume
c:\documents and settings\All Users\Application Data\kinaweti
c:\documents and settings\All Users\Application Data\jovegovo
c:\documents and settings\All Users\Application Data\vanahuzu
c:\documents and settings\All Users\Application Data\fonaraju
c:\documents and settings\All Users\Application Data\bupugoki
c:\documents and settings\All Users\Application Data\yiyomero
c:\documents and settings\All Users\Application Data\katuziji
c:\documents and settings\All Users\Application Data\botekuyu
c:\documents and settings\All Users\Application Data\pefemizi
c:\documents and settings\All Users\Application Data\ladosimu
c:\documents and settings\All Users\Application Data\hobozodo
c:\documents and settings\All Users\Application Data\zekorazi
c:\documents and settings\All Users\Application Data\jidomuye
c:\documents and settings\All Users\Application Data\dinekega
c:\documents and settings\All Users\Application Data\beliyupa
c:\documents and settings\All Users\Application Data\zatavido
c:\documents and settings\All Users\Application Data\sesameto
c:\documents and settings\All Users\Application Data\rogawihe
c:\documents and settings\All Users\Application Data\hokalehu
c:\documents and settings\All Users\Application Data\gogitaya
c:\documents and settings\All Users\Application Data\hekazezi
c:\documents and settings\All Users\Application Data\kerojade
c:\documents and settings\All Users\Application Data\zifewiba
c:\documents and settings\All Users\Application Data\netojeke
c:\documents and settings\All Users\Application Data\zugilesu
c:\documents and settings\All Users\Application Data\nozarihu
c:\documents and settings\All Users\Application Data\nitinala
c:\documents and settings\All Users\Application Data\towamusi
c:\documents and settings\All Users\Application Data\mofohufu
c:\documents and settings\All Users\Application Data\vejajiha
c:\documents and settings\All Users\Application Data\tumeleta
c:\documents and settings\All Users\Application Data\daviheno
c:\documents and settings\All Users\Application Data\nevafeja
c:\documents and settings\All Users\Application Data\yovejipa
c:\documents and settings\All Users\Application Data\wadurako
c:\documents and settings\All Users\Application Data\fofigubu
c:\documents and settings\doctor\Application Data\HPAppData
c:\documents and settings\All Users\Application Data\zofenuhi
c:\documents and settings\All Users\Application Data\fahumaki
c:\documents and settings\All Users\Application Data\buvatolo
c:\documents and settings\All Users\Application Data\muhoyawa
c:\documents and settings\All Users\Application Data\tukuhegu
c:\documents and settings\All Users\Application Data\jevayeyi
c:\documents and settings\All Users\Application Data\fimijeza
c:\documents and settings\All Users\Application Data\raheleyu
c:\documents and settings\All Users\Application Data\kaboyene
c:\documents and settings\All Users\Application Data\jatibusu
c:\documents and settings\All Users\Application Data\yorokuzi
c:\documents and settings\All Users\Application Data\tibepozi
c:\documents and settings\All Users\Application Data\juhumuyo
c:\documents and settings\All Users\Application Data\zuyaluse
c:\documents and settings\All Users\Application Data\sokiduni
c:\documents and settings\All Users\Application Data\powuneba
c:\documents and settings\All Users\Application Data\koteguge
c:\documents and settings\All Users\Application Data\jegufedo
c:\documents and settings\All Users\Application Data\bazomobu
c:\documents and settings\All Users\Application Data\vazileyo
c:\documents and settings\All Users\Application Data\towezajo
c:\documents and settings\All Users\Application Data\piwozasu
c:\documents and settings\All Users\Application Data\yuyabage
c:\documents and settings\All Users\Application Data\kimiloko
c:\documents and settings\All Users\Application Data\gugofehi
c:\documents and settings\All Users\Application Data\jivovehe
c:\documents and settings\All Users\Application Data\vehanabu

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.



#13 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 01 November 2009 - 07:29 PM

ComboFix 09-10-30.01 - Administrator 11/01/2009 18:50.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.575.246 [GMT -6:00]
Running from: c:\documents and settings\administrator.GONPH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrator.GONPH\Desktop\cfscript.txt

FILE ::
"c:\documents and settings\administrator.GONPH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT"
"c:\documents and settings\doctor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\administrator.GONPH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\All Users\Application Data\bafopaga
c:\documents and settings\All Users\Application Data\bafopaga\bafopaga.dll
c:\documents and settings\All Users\Application Data\banubulo
c:\documents and settings\All Users\Application Data\banubulo\banubulo.dll
c:\documents and settings\All Users\Application Data\bazomobu
c:\documents and settings\All Users\Application Data\bazomobu\bazomobu.dll.tmp
c:\documents and settings\All Users\Application Data\beliyupa
c:\documents and settings\All Users\Application Data\beliyupa\beliyupa.exe
c:\documents and settings\All Users\Application Data\botekuyu
c:\documents and settings\All Users\Application Data\botekuyu\botekuyu.exe
c:\documents and settings\All Users\Application Data\bowugoza
c:\documents and settings\All Users\Application Data\bowugoza\bowugoza.dll
c:\documents and settings\All Users\Application Data\bupugoki
c:\documents and settings\All Users\Application Data\bupugoki\bupugoki.dll
c:\documents and settings\All Users\Application Data\buvatolo
c:\documents and settings\All Users\Application Data\buvatolo\buvatolo.dll.tmp
c:\documents and settings\All Users\Application Data\daviheno
c:\documents and settings\All Users\Application Data\daviheno\daviheno.dll
c:\documents and settings\All Users\Application Data\depawola
c:\documents and settings\All Users\Application Data\depawola\depawola.dll
c:\documents and settings\All Users\Application Data\dinekega
c:\documents and settings\All Users\Application Data\dinekega\dinekega.dll
c:\documents and settings\All Users\Application Data\fafiwilu
c:\documents and settings\All Users\Application Data\fafiwilu\fafiwilu.dll
c:\documents and settings\All Users\Application Data\fahumaki
c:\documents and settings\All Users\Application Data\fahumaki\fahumaki.dll.tmp
c:\documents and settings\All Users\Application Data\fekojihi
c:\documents and settings\All Users\Application Data\fekojihi\fekojihi.dll
c:\documents and settings\All Users\Application Data\fimijeza
c:\documents and settings\All Users\Application Data\fimijeza\fimijeza.dll
c:\documents and settings\All Users\Application Data\fofarohi
c:\documents and settings\All Users\Application Data\fofarohi\fofarohi.dll
c:\documents and settings\All Users\Application Data\fofigubu
c:\documents and settings\All Users\Application Data\fofigubu\fofigubu.dll
c:\documents and settings\All Users\Application Data\fonaraju
c:\documents and settings\All Users\Application Data\fonaraju\fonaraju.exe
c:\documents and settings\All Users\Application Data\fuselefu
c:\documents and settings\All Users\Application Data\fuselefu\fuselefu.dll
c:\documents and settings\All Users\Application Data\giyujuyo
c:\documents and settings\All Users\Application Data\giyujuyo\giyujuyo.dll
c:\documents and settings\All Users\Application Data\gogitaya
c:\documents and settings\All Users\Application Data\gogitaya\gogitaya.dll
c:\documents and settings\All Users\Application Data\goguzeve
c:\documents and settings\All Users\Application Data\goguzeve\goguzeve.dll
c:\documents and settings\All Users\Application Data\gopavizi
c:\documents and settings\All Users\Application Data\gopavizi\gopavizi.dll.tmp
c:\documents and settings\All Users\Application Data\gugofehi
c:\documents and settings\All Users\Application Data\gugofehi\gugofehi.dll
c:\documents and settings\All Users\Application Data\hekazezi
c:\documents and settings\All Users\Application Data\hekazezi\hekazezi.dll
c:\documents and settings\All Users\Application Data\hobozodo
c:\documents and settings\All Users\Application Data\hobozodo\hobozodo.dll
c:\documents and settings\All Users\Application Data\hokalehu
c:\documents and settings\All Users\Application Data\hokalehu\hokalehu.dll
c:\documents and settings\All Users\Application Data\japufeku
c:\documents and settings\All Users\Application Data\japufeku\japufeku.dll
c:\documents and settings\All Users\Application Data\jatibusu
c:\documents and settings\All Users\Application Data\jatibusu\jatibusu.dll
c:\documents and settings\All Users\Application Data\jayekidu
c:\documents and settings\All Users\Application Data\jayekidu\jayekidu.dll
c:\documents and settings\All Users\Application Data\jegufedo
c:\documents and settings\All Users\Application Data\jegufedo\jegufedo.dll.tmp
c:\documents and settings\All Users\Application Data\jevayeyi
c:\documents and settings\All Users\Application Data\jevayeyi\jevayeyi.dll.tmp
c:\documents and settings\All Users\Application Data\jidomuye
c:\documents and settings\All Users\Application Data\jidomuye\jidomuye.dll
c:\documents and settings\All Users\Application Data\jimunevi
c:\documents and settings\All Users\Application Data\jimunevi\jimunevi.dll
c:\documents and settings\All Users\Application Data\jivovehe
c:\documents and settings\All Users\Application Data\jivovehe\jivovehe.dll
c:\documents and settings\All Users\Application Data\jotuyiho
c:\documents and settings\All Users\Application Data\jotuyiho\jotuyiho.exe
c:\documents and settings\All Users\Application Data\jovegovo
c:\documents and settings\All Users\Application Data\jovegovo\jovegovo.dll
c:\documents and settings\All Users\Application Data\juhumuyo
c:\documents and settings\All Users\Application Data\juhumuyo\juhumuyo.exe
c:\documents and settings\All Users\Application Data\kaboyene
c:\documents and settings\All Users\Application Data\kaboyene\kaboyene.exe
c:\documents and settings\All Users\Application Data\katuziji
c:\documents and settings\All Users\Application Data\katuziji\katuziji.dll
c:\documents and settings\All Users\Application Data\kerojade
c:\documents and settings\All Users\Application Data\kerojade\kerojade.exe
c:\documents and settings\All Users\Application Data\kimiloko
c:\documents and settings\All Users\Application Data\kimiloko\kimiloko.exe
c:\documents and settings\All Users\Application Data\kinaweti
c:\documents and settings\All Users\Application Data\kinaweti\kinaweti.exe
c:\documents and settings\All Users\Application Data\koteguge
c:\documents and settings\All Users\Application Data\koteguge\koteguge.dll.tmp
c:\documents and settings\All Users\Application Data\kotugava
c:\documents and settings\All Users\Application Data\kotugava\kotugava.exe
c:\documents and settings\All Users\Application Data\kukapaje
c:\documents and settings\All Users\Application Data\kukapaje\kukapaje.dll
c:\documents and settings\All Users\Application Data\ladosimu
c:\documents and settings\All Users\Application Data\ladosimu\ladosimu.exe
c:\documents and settings\All Users\Application Data\loneloho
c:\documents and settings\All Users\Application Data\loneloho\loneloho.dll
c:\documents and settings\All Users\Application Data\lujigapi
c:\documents and settings\All Users\Application Data\lujigapi\lujigapi.dll
c:\documents and settings\All Users\Application Data\midifatu
c:\documents and settings\All Users\Application Data\midifatu\midifatu.dll
c:\documents and settings\All Users\Application Data\midipoyo
c:\documents and settings\All Users\Application Data\midipoyo\midipoyo.exe
c:\documents and settings\All Users\Application Data\mofohufu
c:\documents and settings\All Users\Application Data\mofohufu\mofohufu.dll
c:\documents and settings\All Users\Application Data\mopohipe
c:\documents and settings\All Users\Application Data\mopohipe\mopohipe.dll
c:\documents and settings\All Users\Application Data\mozesupu
c:\documents and settings\All Users\Application Data\mozesupu\mozesupu.dll
c:\documents and settings\All Users\Application Data\muhoyawa
c:\documents and settings\All Users\Application Data\muhoyawa\muhoyawa.dll.tmp
c:\documents and settings\All Users\Application Data\netojeke
c:\documents and settings\All Users\Application Data\netojeke\netojeke.dll
c:\documents and settings\All Users\Application Data\nevafeja
c:\documents and settings\All Users\Application Data\nitinala
c:\documents and settings\All Users\Application Data\nitinala\nitinala.dll.tmp
c:\documents and settings\All Users\Application Data\noguwume
c:\documents and settings\All Users\Application Data\noguwume\noguwume.dll
c:\documents and settings\All Users\Application Data\nolahaga
c:\documents and settings\All Users\Application Data\nolahaga\nolahaga.dll
c:\documents and settings\All Users\Application Data\nozarihu
c:\documents and settings\All Users\Application Data\nozarihu\nozarihu.dll.tmp
c:\documents and settings\All Users\Application Data\nuvenida
c:\documents and settings\All Users\Application Data\nuvenida\nuvenida.dll
c:\documents and settings\All Users\Application Data\pefemizi
c:\documents and settings\All Users\Application Data\pefemizi\pefemizi.dll
c:\documents and settings\All Users\Application Data\piwozasu
c:\documents and settings\All Users\Application Data\piwozasu\piwozasu.dll.tmp
c:\documents and settings\All Users\Application Data\pojuwige
c:\documents and settings\All Users\Application Data\pojuwige\pojuwige.exe
c:\documents and settings\All Users\Application Data\powuneba
c:\documents and settings\All Users\Application Data\raheleyu
c:\documents and settings\All Users\Application Data\raheleyu\raheleyu.dll
c:\documents and settings\All Users\Application Data\rogawihe
c:\documents and settings\All Users\Application Data\rogawihe\rogawihe.exe
c:\documents and settings\All Users\Application Data\rubabofa
c:\documents and settings\All Users\Application Data\rubabofa\rubabofa.exe
c:\documents and settings\All Users\Application Data\sesameto
c:\documents and settings\All Users\Application Data\sesameto\sesameto.dll
c:\documents and settings\All Users\Application Data\sisanuza
c:\documents and settings\All Users\Application Data\sisanuza\sisanuza.dll.tmp
c:\documents and settings\All Users\Application Data\sokiduni
c:\documents and settings\All Users\Application Data\tanuzefu
c:\documents and settings\All Users\Application Data\tanuzefu\tanuzefu.exe
c:\documents and settings\All Users\Application Data\tazaloju
c:\documents and settings\All Users\Application Data\tazaloju\tazaloju.dll
c:\documents and settings\All Users\Application Data\tevajige
c:\documents and settings\All Users\Application Data\tevajige\tevajige.dll
c:\documents and settings\All Users\Application Data\tibepozi
c:\documents and settings\All Users\Application Data\tibepozi\tibepozi.dll
c:\documents and settings\All Users\Application Data\towamusi
c:\documents and settings\All Users\Application Data\towamusi\towamusi.dll
c:\documents and settings\All Users\Application Data\towezajo
c:\documents and settings\All Users\Application Data\towezajo\towezajo.dll.tmp
c:\documents and settings\All Users\Application Data\tukuhegu
c:\documents and settings\All Users\Application Data\tukuhegu\tukuhegu.dll.tmp
c:\documents and settings\All Users\Application Data\tumeleta
c:\documents and settings\All Users\Application Data\tumeleta\tumeleta.exe
c:\documents and settings\All Users\Application Data\vanahuzu
c:\documents and settings\All Users\Application Data\vanahuzu\vanahuzu.dll
c:\documents and settings\All Users\Application Data\vazileyo
c:\documents and settings\All Users\Application Data\vazileyo\vazileyo.dll.tmp
c:\documents and settings\All Users\Application Data\vehanabu
c:\documents and settings\All Users\Application Data\vehanabu\vehanabu.exe
c:\documents and settings\All Users\Application Data\vejajiha
c:\documents and settings\All Users\Application Data\vejajiha\vejajiha.exe
c:\documents and settings\All Users\Application Data\vekoniri
c:\documents and settings\All Users\Application Data\vekoniri\vekoniri.dll
c:\documents and settings\All Users\Application Data\wadurako
c:\documents and settings\All Users\Application Data\wadurako\wadurako.exe
c:\documents and settings\All Users\Application Data\welojehi
c:\documents and settings\All Users\Application Data\welojehi\welojehi.exe
c:\documents and settings\All Users\Application Data\wetitofa
c:\documents and settings\All Users\Application Data\wetitofa\wetitofa.dll
c:\documents and settings\All Users\Application Data\witusaga
c:\documents and settings\All Users\Application Data\witusaga\witusaga.dll
c:\documents and settings\All Users\Application Data\wivehogo
c:\documents and settings\All Users\Application Data\wivehogo\wivehogo.dll
c:\documents and settings\All Users\Application Data\wosakoye
c:\documents and settings\All Users\Application Data\wosakoye\wosakoye.dll
c:\documents and settings\All Users\Application Data\wuvadefo
c:\documents and settings\All Users\Application Data\wuvadefo\wuvadefo.exe
c:\documents and settings\All Users\Application Data\yadokibo
c:\documents and settings\All Users\Application Data\yadokibo\yadokibo.dll
c:\documents and settings\All Users\Application Data\yaniwivo
c:\documents and settings\All Users\Application Data\yaniwivo\yaniwivo.exe
c:\documents and settings\All Users\Application Data\yeminubo
c:\documents and settings\All Users\Application Data\yeminubo\yeminubo.dll.tmp
c:\documents and settings\All Users\Application Data\yiyomero
c:\documents and settings\All Users\Application Data\yiyomero\yiyomero.dll
c:\documents and settings\All Users\Application Data\yohiyoto
c:\documents and settings\All Users\Application Data\yohiyoto\yohiyoto.dll
c:\documents and settings\All Users\Application Data\yorokuzi
c:\documents and settings\All Users\Application Data\yorokuzi\yorokuzi.dll
c:\documents and settings\All Users\Application Data\yovejipa
c:\documents and settings\All Users\Application Data\yuyabage
c:\documents and settings\All Users\Application Data\yuyabage\yuyabage.dll
c:\documents and settings\All Users\Application Data\zatavido
c:\documents and settings\All Users\Application Data\zatavido\zatavido.dll
c:\documents and settings\All Users\Application Data\zekorazi
c:\documents and settings\All Users\Application Data\zekorazi\zekorazi.exe
c:\documents and settings\All Users\Application Data\zifewiba
c:\documents and settings\All Users\Application Data\zifewiba\zifewiba.dll
c:\documents and settings\All Users\Application Data\zofenuhi
c:\documents and settings\All Users\Application Data\zofenuhi\zofenuhi.dll.tmp
c:\documents and settings\All Users\Application Data\zufanazu
c:\documents and settings\All Users\Application Data\zufanazu\zufanazu.exe
c:\documents and settings\All Users\Application Data\zugilesu
c:\documents and settings\All Users\Application Data\zugilesu\zugilesu.dll.tmp
c:\documents and settings\All Users\Application Data\zuyaluse
c:\documents and settings\doctor\Application Data\HPAppData
c:\documents and settings\doctor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 00:41 . 2009-11-02 00:41 -------- d-----w- c:\windows\system32\LogFiles
2009-11-01 01:08 . 2009-11-01 01:08 -------- d-----w- c:\documents and settings\administrator.GONPH\Application Data\Malwarebytes
2009-11-01 01:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 01:08 . 2009-11-01 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-01 01:08 . 2009-11-01 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 01:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 18:32 . 2009-10-31 18:33 -------- d-----w- c:\program files\ERUNT
2009-10-31 18:08 . 2009-10-31 18:08 -------- d-----w- C:\BJPrinter
2009-10-29 12:19 . 2009-10-29 12:19 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Apple Computer
2009-10-29 12:19 . 2009-10-29 12:19 -------- d-----w- c:\documents and settings\tech\Application Data\Apple Computer
2009-10-29 12:13 . 2009-10-29 12:13 -------- d-----w- c:\documents and settings\tech\Application Data\Yahoo!
2009-10-27 20:22 . 2009-10-29 16:57 -------- d-----w- c:\documents and settings\tech\Application Data\HPAppData
2009-10-26 04:18 . 2009-10-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\yenokidi
2009-10-20 13:43 . 2009-10-20 13:43 -------- d-----w- c:\documents and settings\tech\Application Data\HP
2009-10-20 13:42 . 2009-10-20 13:42 -------- d-----w- c:\documents and settings\tech\Application Data\Xerox
2009-10-13 18:52 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Xerox
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\documents and settings\elincadmin\Application Data\Xerox
2009-10-09 19:43 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-09 19:41 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-09 19:35 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-09 19:35 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-09 19:35 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-09 19:35 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-09 19:35 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-09 19:35 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-09 19:35 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-09 19:35 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-09 19:35 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-09 19:35 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-09 19:35 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 00:45 . 2009-01-06 17:36 -------- d-----w- c:\documents and settings\administrator.GONPH\Application Data\HPAppData
2009-10-31 18:41 . 2005-06-01 20:36 -------- d-----w- c:\program files\Trend Micro
2009-10-22 16:01 . 2003-11-05 21:45 -------- d-----w- c:\program files\HESKA
2009-10-09 20:44 . 2002-01-22 09:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2004-06-09 16384]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="c:\program files\DELL\AccessDirect\dadapp.exe" [2001-09-07 189480]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2002-01-22 26112]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-05-21 90112]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-07 303104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]
"AtiPTA"="atiptaxx.exe" - c:\windows\SYSTEM32\atiptaxx.exe [2001-09-17 245760]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-1-30 299008]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-6-9 169472]
Microsoft Office Shortcut Bar.lnk - c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe [2002-1-28 28160]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
TrueMobile 1150 Client Manager.lnk - c:\program files\Dell TrueMobile 1150\Client Manager\CmDEL.exe [2005-6-14 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1111\Scripts\Logon\0\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [6/1/2005 2:36 PM 183808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [6/1/2005 2:36 PM 25088]
R3 Ich;Ich;c:\windows\SYSTEM32\DRIVERS\Ich.sys [2/22/2002 10:17 AM 65916]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\SYSTEM32\DRIVERS\wldel48b.sys [6/17/2005 7:27 AM 171520]
S3 MSSQL$VIA_MSDE;MSSQL$VIA_MSDE;c:\program files\Microsoft SQL Server\MSSQL$VIA_MSDE\Binn\sqlservr.exe [5/3/2005 11:04 PM 9150464]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 20:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = localhost
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 19:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-02 19:09
ComboFix-quarantined-files.txt 2009-11-02 01:09
ComboFix2.txt 2009-11-01 03:40

Pre-Run: 4,067,921,920 bytes free
Post-Run: 4,030,889,984 bytes free

- - End Of File - - 9FB9B462BF15AB2C299ACFA23755B689

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:58 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238518757834
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O17 - HKLM\Software\..\Telephony: DomainName = GONPH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GONPH.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7219 bytes

#14 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 November 2009 - 08:08 PM

Great,

We missed one. Try to delete the folder yourself, and let me know if it will not delete.

You need to enable Windows to show all files and folders.
Instructions for your operating system HERE

c:\documents and settings\All Users\Application Data\yenokidi

Please run this free online virus scanner from ESET
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


How are things running now?

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Just a reminder that threads will be closed if no reply in 3 days.
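A triage check over the ComboFix listing above, added here as an example and not part of the thread or of any tool in it. Every directory ComboFix removed from All Users\Application Data has an eight-letter lowercase name in strict consonant-vowel alternation and held one payload with the same stem (.dll, .exe or .dll.tmp); the two listed without a payload (powuneba in the deletions list, yenokidi in the "Files Created" section) are exactly the kind of leftover the reply above asks the poster to remove by hand. The script parses such a listing, flags directories that match the pattern, and reports which ones no longer have a payload beside them. The name pattern, the payload extensions and the sample listing (a few lines copied from the logs above) are my own assumptions about this family, not something ComboFix or ESET report:

```python
import re

# Constructed sample: lines copied from the ComboFix output above, in both of
# its formats (bare paths in the deletions list, timestamp-prefixed paths in
# "Files Created"), plus two legitimate directories as negatives.
SAMPLE_LISTING = r"""
c:\documents and settings\All Users\Application Data\nuvenida
c:\documents and settings\All Users\Application Data\nuvenida\nuvenida.dll
c:\documents and settings\All Users\Application Data\piwozasu
c:\documents and settings\All Users\Application Data\piwozasu\piwozasu.dll.tmp
c:\documents and settings\All Users\Application Data\pojuwige
c:\documents and settings\All Users\Application Data\pojuwige\pojuwige.exe
c:\documents and settings\All Users\Application Data\powuneba
c:\documents and settings\All Users\Application Data\Malwarebytes
c:\documents and settings\doctor\Application Data\HPAppData
2009-10-26 04:18 . 2009-10-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\yenokidi
"""

# Assumption (mine, not the forum's): the dropper names each directory with
# exactly four consonant-vowel pairs and writes one payload with the same stem.
# Every name in the listing above fits; vendor directories such as
# "Malwarebytes" or "HPAppData" do not.
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
PAYLOAD_EXT = (".dll", ".exe", ".dll.tmp")
DROP_ROOT = ("documents and settings", "all users", "application data")
# Pull the path out of a line regardless of any timestamp/attribute prefix.
PATH_RE = re.compile(r"(?i)(c:\\.*)$")


def is_random_name(name: str) -> bool:
    """True if a directory name matches the eight-letter CVCVCVCV pattern."""
    return RANDOM_NAME.match(name.lower()) is not None


def is_payload_for(folder: str, filename: str) -> bool:
    """True if filename is <folder>.dll / .exe / .dll.tmp (case-insensitive)."""
    low = filename.lower()
    return any(low == folder + ext for ext in PAYLOAD_EXT)


def find_random_name_dirs(listing: str) -> dict:
    """Map each suspicious directory directly under All Users\\Application Data
    to the list of payload files seen inside it (empty list = directory only)."""
    found: dict = {}
    for line in listing.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        parts = [p.lower() for p in m.group(1).split("\\")]
        # Locate the drop root inside the path; skip paths that lack it.
        for i in range(len(parts) - len(DROP_ROOT) + 1):
            if tuple(parts[i:i + len(DROP_ROOT)]) == DROP_ROOT:
                rest = parts[i + len(DROP_ROOT):]
                break
        else:
            continue
        if not rest or not is_random_name(rest[0]):
            continue
        folder = rest[0]
        found.setdefault(folder, [])           # record the directory itself
        if len(rest) == 2 and is_payload_for(folder, rest[1]):
            found[folder].append(rest[1])      # record its same-stem payload
    return found


def leftover_dirs(found: dict) -> list:
    """Suspicious directories with no payload left: candidates for manual removal."""
    return sorted(folder for folder, payloads in found.items() if not payloads)


if __name__ == "__main__":
    hits = find_random_name_dirs(SAMPLE_LISTING)
    for folder in sorted(hits):
        state = ", ".join(hits[folder]) if hits[folder] else "directory only"
        print(f"{folder}: {state}")
    print("leftovers to delete by hand:", leftover_dirs(hits))
```

Run against the full ComboFix output rather than the sample, the same functions give the complete set of dropped directories and the short list that survived cleanup. The pattern is deliberately narrow (four consonant-vowel pairs, same-stem payload) so that ordinary vendor directories do not trip it; a family that changes its naming scheme would need the regex adjusted.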


#15 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 01 November 2009 - 10:46 PM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bc8396330f22c146ac6132d172b9a9c7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-02 04:32:20
# local_time=2009-11-01 10:32:20 (-0600, Central Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=58828
# found=218
# cleaned=216
# scan_time=6628
C:\Documents and Settings\doctor\Local Settings\Application Data\Identities\{D7440D5C-5A15-4202-84F0-95AC6869D073}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Greg Dye\Local Settings\Application Data\Identities\{22EC0CF3-81F7-4841-81FA-78134B37A30D}\Microsoft\Outlook Express\Deleted Items.dbx Win32/Mimail.J worm (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe Win32/Adware.HiWire application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\bafopaga\bafopaga.dll.vir a variant of Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\banubulo\banubulo.dll.vir a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\bazomobu\bazomobu.dll.tmp.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\beliyupa\beliyupa.exe.vir a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\botekuyu\botekuyu.exe.vir a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\bowugoza\bowugoza.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\bupugoki\bupugoki.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\buvatolo\buvatolo.dll.tmp.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\daviheno\daviheno.dll.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\depawola\depawola.dll.vir a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\dinekega\dinekega.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\fafiwilu\fafiwilu.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\fahumaki\fahumaki.dll.tmp.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\fekojihi\fekojihi.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\fimijeza\fimijeza.dll.vir a variant of Win32/AntiAV.NCZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\fofarohi\fofarohi.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\fofigubu\fofigubu.dll.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\fonaraju\fonaraju.exe.vir a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\fuselefu\fuselefu.dll.vir a variant of Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\giyujuyo\giyujuyo.dll.vir a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gogitaya\gogitaya.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\goguzeve\goguzeve.dll.vir a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gopavizi\gopavizi.dll.tmp.vir a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gugofehi\gugofehi.dll.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\hekazezi\hekazezi.dll.vir Win32/Adware.Virtumonde.NFT application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\hobozodo\hobozodo.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\hokalehu\hokalehu.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\japufeku\japufeku.dll.vir a variant of Win32/Adware.Virtumonde.NFY application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jatibusu\jatibusu.dll.vir a variant of Win32/Adware.Virtumonde.NFT application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jayekidu\jayekidu.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jegufedo\jegufedo.dll.tmp.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jevayeyi\jevayeyi.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jidomuye\jidomuye.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jimunevi\jimunevi.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jivovehe\jivovehe.dll.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jotuyiho\jotuyiho.exe.vir a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\jovegovo\jovegovo.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\juhumuyo\juhumuyo.exe.vir a variant of Win32/Kryptik.AVH trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\kaboyene\kaboyene.exe.vir a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\katuziji\katuziji.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\kerojade\kerojade.exe.vir a variant of Win32/Kryptik.AVV trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\kimiloko\kimiloko.exe.vir a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\kinaweti\kinaweti.exe.vir a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\koteguge\koteguge.dll.tmp.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\kotugava\kotugava.exe.vir Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\kukapaje\kukapaje.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ladosimu\ladosimu.exe.vir a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\loneloho\loneloho.dll.vir a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\lujigapi\lujigapi.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\midifatu\midifatu.dll.vir a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\midipoyo\midipoyo.exe.vir Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\mofohufu\mofohufu.dll.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\mopohipe\mopohipe.dll.vir a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\mozesupu\mozesupu.dll.vir a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\muhoyawa\muhoyawa.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\netojeke\netojeke.dll.vir a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\nitinala\nitinala.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\noguwume\noguwume.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\nolahaga\nolahaga.dll.vir a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\nozarihu\nozarihu.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application
Data\nuvenida\nuvenida.dll.vir a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\pefemizi\pefemizi.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\piwozasu\piwozasu.dll.tmp.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\pojuwige\pojuwige.exe.vir Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\raheleyu\raheleyu.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\rogawihe\rogawihe.exe.vir a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\rubabofa\rubabofa.exe.vir Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\sesameto\sesameto.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\sisanuza\sisanuza.dll.tmp.vir a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\tanuzefu\tanuzefu.exe.vir Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C 
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\tazaloju\tazaloju.dll.vir a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\tevajige\tevajige.dll.vir a variant of Win32/AntiAV.NDE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\tibepozi\tibepozi.dll.vir a variant of Win32/AntiAV.NCZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\towamusi\towamusi.dll.vir a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\towezajo\towezajo.dll.tmp.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\tukuhegu\tukuhegu.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\tumeleta\tumeleta.exe.vir probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\vanahuzu\vanahuzu.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\vazileyo\vazileyo.dll.tmp.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application 
Data\vehanabu\vehanabu.exe.vir a variant of Win32/Kryptik.AWF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\vejajiha\vejajiha.exe.vir a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\vekoniri\vekoniri.dll.vir a variant of Win32/AntiAV.NDE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\wadurako\wadurako.exe.vir a variant of Win32/Kryptik.AVV trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\welojehi\welojehi.exe.vir Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\wetitofa\wetitofa.dll.vir Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\witusaga\witusaga.dll.vir a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\wivehogo\wivehogo.dll.vir a variant of Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\wosakoye\wosakoye.dll.vir a variant of Win32/Adware.Virtumonde.NFY application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\wuvadefo\wuvadefo.exe.vir Win32/Adware.SecurityTool application (deleted - quarantined) 
00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\yadokibo\yadokibo.dll.vir a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\yaniwivo\yaniwivo.exe.vir a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\yeminubo\yeminubo.dll.tmp.vir a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\yiyomero\yiyomero.dll.vir a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\yohiyoto\yohiyoto.dll.vir a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\yorokuzi\yorokuzi.dll.vir a variant of Win32/Adware.Virtumonde.NFT application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\yuyabage\yuyabage.dll.vir a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\zatavido\zatavido.dll.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\zekorazi\zekorazi.exe.vir a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application 
Data\zifewiba\zifewiba.dll.vir a variant of Win32/AntiAV.NCZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\zofenuhi\zofenuhi.dll.tmp.vir a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\zufanazu\zufanazu.exe.vir a variant of Win32/Kryptik.AWF trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\zugilesu\zugilesu.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1263\A0041129.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1263\A0041130.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1263\A0041131.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1267\A0042340.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1267\A0042341.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1267\A0042342.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - 
quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1268\A0042374.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1268\A0042375.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1268\A0042376.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1268\A0042377.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1268\A0042378.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1268\A0042392.dll a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1268\A0042393.dll a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1268\A0042394.dll a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1269\A0042439.dll a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume 
Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1269\A0042440.dll a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1269\A0042441.dll a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1276\A0042668.exe a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1276\A0042669.exe a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1276\A0042671.exe a variant of Win32/Kryptik.AWF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1276\A0042678.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1276\A0042679.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1276\A0042680.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1280\A0042690.dll a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1280\A0042691.dll a variant of Win32/Kryptik.AWS trojan (cleaned by 
deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1280\A0042692.dll a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045776.exe Win32/Adware.SecurityTool application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045905.dll a variant of Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045906.dll a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045907.exe a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045908.exe a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045909.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045910.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045911.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045912.dll a 
variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045913.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045914.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045915.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045916.dll a variant of Win32/AntiAV.NCZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045917.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045918.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045919.exe a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045920.dll a variant of Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045921.dll a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume 
Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045922.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045923.dll a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045924.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045925.dll Win32/Adware.Virtumonde.NFT application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045926.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045927.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045928.dll a variant of Win32/Adware.Virtumonde.NFY application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045929.dll a variant of Win32/Adware.Virtumonde.NFT application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045930.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045931.dll a variant of Win32/Kryptik.AYZ 
trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045932.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045933.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045934.exe a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045935.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045936.exe a variant of Win32/Kryptik.AVH trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045937.exe a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045938.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045939.exe a variant of Win32/Kryptik.AVV trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045940.exe a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045941.exe a variant of 
Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045942.exe Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045943.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045944.exe a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045945.dll a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045946.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045947.dll a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045948.exe Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045949.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045950.dll a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume 
Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045951.dll a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045952.dll a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045953.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045954.dll a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045955.dll a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045956.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045957.exe Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045958.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045959.exe a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045960.exe Win32/Adware.SecurityTool application (deleted - quarantined) 
00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045961.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045962.exe Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045963.dll a variant of Win32/Kryptik.AWS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045964.dll a variant of Win32/AntiAV.NDE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045965.dll a variant of Win32/AntiAV.NCZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045966.dll a variant of Win32/Adware.SuperJuan.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045967.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045968.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045969.exe a variant of Win32/Kryptik.AWF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045970.exe a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045971.dll a variant of Win32/AntiAV.NDE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045972.exe a variant of Win32/Kryptik.AVV trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045973.exe Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045974.dll Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045975.dll a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045976.dll a variant of Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045977.dll a variant of Win32/Adware.Virtumonde.NFY application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045978.exe Win32/Adware.SecurityTool application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045979.dll a variant of Win32/Adware.SuperJuan.K application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045980.exe a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045981.dll a variant of Win32/Kryptik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045982.dll a variant of Win32/KillAV.NGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045983.dll a variant of Win32/Adware.Virtumonde.NFT application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045984.dll a variant of Win32/Kryptik.AZP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045985.dll a variant of Win32/Kryptik.AYZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045986.exe a variant of Win32/Kryptik.AVG trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045987.dll a variant of Win32/AntiAV.NCZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0045988.exe a variant of Win32/Kryptik.AWF trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0046059.dll a variant of Win32/Adware.Virtumonde.NFW application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1285\A0046060.exe Win32/Adware.HiWire application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

It let me delete the yenokidi file manually. The computer seems to be running better, but when I log on as the user that initially showed the problems I get the following Rundll errors.

Error loading C:\documents and settings\All Users\Application Data\wosakoye\wosakye.dll
Error loading C:\documents and settings\All Users\Application Data\wloneloho\lonelohodll
Specified module could not be found.
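Added example (not part of the poster's message and not a forum instruction): an "Error loading <path> ... The specified module could not be found" dialog at logon is what rundll32.exe reports when an autostart entry still names a DLL that has since been deleted, which is the state a machine is left in after a scanner removes the files but not the registry values that launch them. The PowerShell below parses rundll32 command lines and lists Run/RunOnce values whose DLL target is missing. It assumes the entries live in the standard Run/RunOnce keys (other autostart locations such as Winlogon Notify, services or the Startup folder are not checked); the two sample command lines are constructed from the paths in the post, the value names and the ",b" entry point are placeholders, and the second path is used exactly as transcribed in the post.

```powershell
# Added example, not from the original post. Locate Run/RunOnce entries that
# invoke rundll32.exe with a DLL that no longer exists on disk. Those orphaned
# entries produce "Error loading <path>" / "The specified module could not be
# found" dialogs at logon once the DLL itself has been removed by a scanner.
# Assumption (not stated on the page): the entries live in the standard
# Run/RunOnce keys; Winlogon Notify, services and the Startup folder are not checked.

function Get-RundllTarget {
    # Extract the DLL path from a rundll32 command line. Handles quoted and
    # unquoted paths; returns $null if the command line does not use rundll32.
    param([string]$CommandLine)
    if ($CommandLine -notmatch 'rundll32(\.exe)?"?\s+') { return $null }
    # Drop everything up to and including the rundll32 token and the space after it.
    $rest = $CommandLine -replace '^.*?rundll32(\.exe)?"?\s+', ''
    if ($rest -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: the DLL ends at the comma of "dll,EntryPoint" or at the
    # first space (a path containing spaces has to be quoted to be valid anyway).
    return ($rest -split '[, ]')[0]
}

function Get-OrphanedRundllEntries {
    # Enumerate Run/RunOnce for the current user and the machine and return
    # entries whose rundll32 DLL target is missing from disk.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties Get-ItemProperty adds that are not registry values.
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($skip -contains $prop.Name) { continue }
            $dll = Get-RundllTarget -CommandLine ([string]$prop.Value)
            if ($dll -and -not (Test-Path -LiteralPath $dll)) {
                New-Object PSObject -Property @{
                    Key = $key; Name = $prop.Name; Dll = $dll; CommandLine = $prop.Value
                }
            }
        }
    }
}

# Sample command lines constructed from the two paths in the post. The real
# value names and DLL entry points are unknown; ",b" is a placeholder export.
# The second path is used exactly as transcribed (no ".dll" extension).
$samples = @(
    'rundll32.exe "C:\documents and settings\All Users\Application Data\wosakoye\wosakye.dll",b',
    'rundll32.exe "C:\documents and settings\All Users\Application Data\wloneloho\lonelohodll",b'
)
foreach ($s in $samples) {
    $dll = Get-RundllTarget -CommandLine $s
    '{0}  exists={1}' -f $dll, (Test-Path -LiteralPath $dll)
}

# Live scan of the registry. HKCU is per user, so run this while logged on as
# the account that shows the dialogs.
Get-OrphanedRundllEntries | Format-Table Key, Name, Dll -AutoSize

# Remediation, after reviewing the list (uncomment to apply):
# Get-OrphanedRundllEntries | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
```

A missing DLL on its own is harmless; the point of removing the orphaned value is to stop the logon dialogs and to confirm nothing is still trying to load a payload. If an entry's DLL does exist, treat it as a live sample rather than deleting it blindly: copy it for analysis first, then remove both the value and the file.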
