Malware infection

Post by jim e » February 11th, 2008, 9:07 pm

Hello: I have had this infection for some time and it has been called a multitude of names by Avast and Ad Ware, the most recent being "win32:tratbho[trj]" with the file name of "c:\windows\system32\geebc.dll". After many scans and deletions the virus still keeps reappearing. It has also changed settings on some programs that cause them to load on start up regardless of my selecting them not to. I have attached the requested log file. Hope you can help as I do not want to format my HD. Any more info required please let me know as I am as novice to forums as one can get.
Thank you
jim e
Active Member
 
Posts: 10
Joined: January 23rd, 2008, 5:46 am

Re: Malware infection

Post by Bob4 » February 15th, 2008, 2:39 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!

  • All HijackThis logs I ask for should be done in normal mode (not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!


____________________________________
Small favor to make things easier for me.
Please post the contents of the logs I ask for here on the forum instead of uploading them.
By highlighting them and right click and copy into your next reply here.
Quicker than downloading all the logs.



________________________________________
1. Download ComboFix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

2. Click start/run and copy and Paste this in exactly using the picture below for reference:

"%userprofile%\desktop\combofix.exe" /killall


Image

3. Combo will begin to run. DO NOTHING while this is happening.
  • It will kill a few processes and disconnect you from the internet.
  • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
  • This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.

If when it's completed you can not get on the internet just reboot the computer

Post the log from comboFix for me located in
c:\comboFix.txt

___________________________

Please post the contents of the comboFix log
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Malware infection

Post by jim e » February 18th, 2008, 3:47 pm

Dear Bob4,
As requested, here is the log. Hope this helps, and thanks for the effort.
jim e

ComboFix 08-02-18.1 - Owner 2008-02-18 14:18:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.663 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abhaedvt.ini
C:\WINDOWS\system32\dkvnaycp.ini
C:\WINDOWS\system32\dypvfnjx.ini
C:\WINDOWS\system32\eeybhvpx.ini
C:\WINDOWS\system32\fpvgbwtx.ini
C:\WINDOWS\system32\fyxpjkum.ini
C:\WINDOWS\system32\galyqaky.ini
C:\WINDOWS\system32\gebyv.exe
C:\WINDOWS\system32\gytbhdhs.ini
C:\WINDOWS\system32\hacgvnvk.ini
C:\WINDOWS\system32\iwhfiohw.ini
C:\WINDOWS\system32\iynosllx.ini
C:\WINDOWS\system32\jruoegmn.ini
C:\WINDOWS\system32\juinsrgi.ini
C:\WINDOWS\system32\kudcheag.ini
C:\WINDOWS\system32\kwrvnkvq.ini
C:\WINDOWS\system32\ldvlniia.ini
C:\WINDOWS\system32\llepvjxi.ini
C:\WINDOWS\system32\lvlgsdyy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mebsukop.ini
C:\WINDOWS\system32\mrmbxnud.ini
C:\WINDOWS\system32\mxxafwsy.ini
C:\WINDOWS\system32\nueogael.ini
C:\WINDOWS\system32\oembisxq.ini
C:\WINDOWS\system32\qrnymcpa.ini
C:\WINDOWS\system32\quumsphd.ini
C:\WINDOWS\system32\RCX5A.tmp
C:\WINDOWS\system32\RCX8D.tmp
C:\WINDOWS\system32\rldunxjw.ini
C:\WINDOWS\system32\rqijgtik.ini
C:\WINDOWS\system32\rrrfxhwm.ini
C:\WINDOWS\system32\smmphued.ini
C:\WINDOWS\system32\sylxkedp.ini
C:\WINDOWS\system32\vjxejlum.ini
C:\WINDOWS\system32\vvxcadym.ini
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\waayqung.ini
C:\WINDOWS\system32\wxhdmgsh.ini
C:\WINDOWS\system32\xjupfogp.ini
C:\WINDOWS\system32\xsrmiwfm.ini
C:\WINDOWS\system32\xtukwnir.ini
C:\WINDOWS\system32\yfqlvlxm.ini
C:\WINDOWS\system32\ytqugypj.ini

----- BITS: Possible infected sites -----

hxxp://aõj
.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-18 14:21 . 2008-02-18 14:22 330,816 --a------ C:\WINDOWS\system32\gebyv.dll
2008-02-12 18:28 . 2008-02-13 00:20 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-11 18:47 . 2008-02-11 18:48 <DIR> d-------- C:\Documents and Settings\hjt\hjt log file
2008-02-11 18:45 . 2008-02-11 18:45 396,288 --a------ C:\Documents and Settings\hjt\HijackThis.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 19:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-08 09:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-01-04 23:44 --------- d-----w C:\Program Files\QuickTime
2008-01-04 23:44 --------- d-----w C:\Program Files\MSN Messenger
2008-01-04 23:44 --------- d-----w C:\Program Files\iTunes
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w            39,792 2008-02-18 19:22:01  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            79,224 2008-01-04 23:44:23  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w           843,776 2008-02-18 19:21:54  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w           729,088 2008-01-05 02:51:46  C:\Program Files\Analog Devices\SoundMAX\Smax4               .exe
----a-w         1,073,152 2008-01-04 23:44:20  C:\Program Files\Analog Devices\SoundMAX\Smax4              .exe
----a-w         1,073,152 2008-01-04 11:50:36  C:\Program Files\Analog Devices\SoundMAX\Smax4             .exe
----a-w         1,073,152 2008-01-04 00:19:07  C:\Program Files\Analog Devices\SoundMAX\Smax4            .exe
----a-w         1,073,152 2008-01-02 23:44:38  C:\Program Files\Analog Devices\SoundMAX\Smax4           .exe
----a-w         1,073,152 2008-01-02 14:10:16  C:\Program Files\Analog Devices\SoundMAX\Smax4          .exe
----a-w         1,073,152 2008-01-01 11:51:17  C:\Program Files\Analog Devices\SoundMAX\Smax4         .exe
----a-w         1,073,152 2007-12-31 19:07:56  C:\Program Files\Analog Devices\SoundMAX\Smax4        .exe
----a-w         1,073,152 2007-12-31 08:31:50  C:\Program Files\Analog Devices\SoundMAX\Smax4       .exe
----a-w         1,073,152 2007-12-30 22:59:21  C:\Program Files\Analog Devices\SoundMAX\Smax4      .exe
----a-w         1,073,152 2007-12-29 22:46:13  C:\Program Files\Analog Devices\SoundMAX\Smax4     .exe
----a-w         1,073,152 2007-12-29 07:45:53  C:\Program Files\Analog Devices\SoundMAX\Smax4    .exe
----a-w         1,073,152 2007-12-29 02:10:46  C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe
----a-w         1,073,152 2007-12-28 10:34:57  C:\Program Files\Analog Devices\SoundMAX\Smax4  .exe
----a-w         1,073,152 2007-12-27 21:23:42  C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w            90,112 2008-02-18 19:21:55  C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w         2,061,816 2008-02-18 19:22:08  C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
----a-w           409,600 2008-02-18 19:21:57  C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN .EXE
----a-w           155,648 2008-02-18 19:21:58  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w           185,896 2008-02-18 19:21:58  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           256,576 2008-02-18 19:21:57  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            83,608 2008-02-18 19:22:00  C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w         1,694,208 2008-02-18 19:22:09  C:\Program Files\Messenger\MSMSGS .EXE
----a-w         5,674,352 2008-02-18 19:22:19  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w           610,816 2008-01-02 14:10:04  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~1 .EXE
----a-w           610,816 2008-01-02 18:27:40  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~2 .EXE
----a-w           610,816 2008-01-02 23:44:25  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~3 .EXE
----a-w           610,816 2008-01-03 18:28:36  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~4 .EXE
----a-w           610,816 2008-01-04 23:44:05  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~1 .EXE
----a-w           249,856 2008-01-04 23:44:42  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~2 .EXE
----a-w           610,816 2007-12-29 02:10:33  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~1 .EXE
----a-w           610,816 2007-12-29 07:45:41  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~2 .EXE
----a-w           610,816 2007-12-29 13:42:02  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~3 .EXE
----a-w           610,816 2007-12-29 22:46:01  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~4 .EXE
----a-w           610,816 2008-01-04 00:18:56  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~1 .EXE
----a-w           610,816 2008-01-04 05:19:14  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~2 .EXE
----a-w           610,816 2008-01-04 11:50:06  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~3 .EXE
----a-w           610,816 2008-01-04 18:00:27  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~4 .EXE
----a-w           610,816 2007-12-30 09:45:20  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~1 .EXE
----a-w           610,816 2007-12-30 13:07:49  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~2 .EXE
----a-w           610,816 2007-12-30 22:59:10  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~3 .EXE
----a-w           610,816 2007-12-31 07:48:14  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~4 .EXE
----a-w           610,816 2007-12-31 11:21:59  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~1 .EXE
----a-w           610,816 2007-12-31 17:10:01  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~2 .EXE
----a-w           610,816 2007-12-31 19:07:46  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~3 .EXE
----a-w           610,816 2008-01-01 20:07:06  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~4 .EXE
----a-w           610,816 2007-12-27 16:57:25  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\mssysmgr .exe
----a-w           610,816 2007-12-27 21:23:30  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~1 .EXE
----a-w           610,816 2007-12-27 21:41:17  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~2 .EXE
----a-w           610,816 2007-12-28 12:50:09  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~3 .EXE
----a-w           610,816 2007-12-28 20:24:46  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~4 .EXE
----a-w           282,624 2008-01-04 23:44:19  C:\Program Files\QuickTime\qttask               .exe
----a-w           644,096 2008-01-04 18:00:45  C:\Program Files\QuickTime\qttask              .exe
----a-w           644,096 2008-01-04 05:19:30  C:\Program Files\QuickTime\qttask             .exe
----a-w           644,096 2008-01-03 18:28:52  C:\Program Files\QuickTime\qttask            .exe
----a-w           644,096 2008-01-02 23:44:41  C:\Program Files\QuickTime\qttask           .exe
----a-w           644,096 2008-01-02 14:10:23  C:\Program Files\QuickTime\qttask          .exe
----a-w           644,096 2008-01-01 11:51:19  C:\Program Files\QuickTime\qttask         .exe
----a-w           644,096 2007-12-31 17:10:16  C:\Program Files\QuickTime\qttask        .exe
----a-w           644,096 2007-12-31 08:31:51  C:\Program Files\QuickTime\qttask       .exe
----a-w           644,096 2007-12-30 13:08:04  C:\Program Files\QuickTime\qttask      .exe
----a-w           644,096 2007-12-29 22:46:17  C:\Program Files\QuickTime\qttask     .exe
----a-w           644,096 2007-12-29 07:45:58  C:\Program Files\QuickTime\qttask    .exe
----a-w           644,096 2007-12-28 20:25:02  C:\Program Files\QuickTime\qttask   .exe
----a-w           644,096 2007-12-28 10:34:58  C:\Program Files\QuickTime\qttask  .exe
----a-w           644,096 2007-12-27 21:23:47  C:\Program Files\QuickTime\qttask .exe
----a-w            15,360 2008-01-04 18:00:55  C:\WINDOWS\system32\ctfmon .exe
----a-w           385,024 2008-02-18 19:21:54  C:\WINDOWS\system32\JMRaidTool .exe
</pre>



-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{347265BB-0443-487A-8ACB-31F4D04CE63E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A9ADE21-7049-40CB-9619-6BDC1A943F23}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B5D2FD4-533F-4FF3-BB1E-2AD52A2A525A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C856C68-3C3E-45CE-885F-966A31E8812C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4599AAE9-B747-4EF7-8A36-FD08AE8FE42C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2007-12-27 04:51 364544 --a------ C:\WINDOWS\system32\ljjjkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77EC5607-B7E5-44E3-A99E-19B288D30DF7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{888BB793-B917-43EB-BA85-576E733D13FE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{985D2CBE-8E1C-4685-8FDD-ED3E88844CC3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AECAE9A4-4AFB-4820-95D6-DE6A0EC6EC8F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF1D848B-4714-4330-BDA5-1CA78F05D133}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2EAC935-DD71-47F0-B028-3353A6180853}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3E13427-7B01-4380-8715-498B02461D74}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB88392A-4460-44F2-9432-8D8CA1EEF5DF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E209CDE8-92BF-4DF6-930C-014C38E979A1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF72262F-6E49-4A61-A3AF-5CDBE45BF7E0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F85A302A-C119-4F78-AE01-620DD15293FC}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE" [2008-01-04 18:44 249856]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2008-01-04 18:44 2221056]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-04 18:44 6040064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-01-04 06:50 1182208]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2008-01-04 21:51 729088]
"JMB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2008-01-04 06:50 738816]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-01 06:51 472576]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2008-01-02 09:10 770048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-04 18:44 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-02 09:10 682496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-02 18:44 491008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-04 06:50 521216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2008-01-02 18:44 421888]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-02 18:44 375296]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2008-01-02 09:10 2422784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56 393216]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-12-03 09:58:23 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2005-07-26 11:35:56 94295]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\ljjjkjj.dll [2007-12-27 04:51 364544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkjj]
ljjjkjj.dll 2007-12-27 04:51 364544 C:\WINDOWS\system32\ljjjkjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnmll]
pmnnmll.dll

S3 EyeOneDp;EyeOneDp;C:\WINDOWS\system32\drivers\EyeOneDp.sys []
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe [2004-08-04 02:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 19:20:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4E2153A1-B3E7-4BF8-88B8-117CA5E304D4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 14:22:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ljjjkjj.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\WINDOWS\System32\JMRaidTool .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN .EXE
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2008-02-18 14:24:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-18 19:24:30
.
2008-02-13 17:03:44 --- E O F ---
jim e
Active Member
 
Posts: 10
Joined: January 23rd, 2008, 5:46 am
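
As an added example (not part of the original thread and not ComboFix's own code): the listing in the log above contains many executables whose names have whitespace before the extension, and some Run values point at them. This Python sketch groups such paths from ComboFix-style listing lines and flags the Run values that reference a padded name; the function names are this example's own, and the sample lines are a subset copied from the log above.

```python
import re
from collections import defaultdict

# Subset of lines copied from the ComboFix log above, embedded so the
# example runs offline.
SAMPLE_LOG = r"""
----a-w            79,224 2008-01-04 23:44:23  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w         1,073,152 2007-12-29 02:10:46  C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe
----a-w         1,073,152 2007-12-28 10:34:57  C:\Program Files\Analog Devices\SoundMAX\Smax4  .exe
----a-w         1,073,152 2007-12-27 21:23:42  C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w           644,096 2007-12-28 10:34:58  C:\Program Files\QuickTime\qttask  .exe
----a-w           644,096 2007-12-27 21:23:47  C:\Program Files\QuickTime\qttask .exe
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2008-01-04 21:51 729088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-04 18:44 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-02 09:10 682496]
"""

# Listing line: attributes, size, timestamp with seconds, full path.
LISTING = re.compile(
    r'^[-a-z]{7}\s+(?P<size>[\d,]+)\s+'
    r'(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>[A-Za-z]:\\.+)$'
)
# Registry value line as printed under a Run key: "name"="path" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[')
# A path whose extension is preceded by one or more whitespace characters.
PADDED = re.compile(r'^(?P<stem>.*\S)(?P<pad>\s+)(?P<ext>\.[A-Za-z0-9]{1,4})$')


def split_padding(path):
    """Return (path_without_padding, pad_length), or None if not padded."""
    m = PADDED.match(path)
    if not m:
        return None
    return m.group('stem') + m.group('ext'), len(m.group('pad'))


def padded_variants(log_text):
    """Group padded listing entries by the name they would have unpadded.

    Returns {lowercased clean path: sorted [(pad_length, size, timestamp)]}.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LISTING.match(line.strip())
        if not m:
            continue
        hit = split_padding(m.group('path'))
        if hit is None:
            continue
        clean, pad = hit
        size = int(m.group('size').replace(',', ''))
        groups[clean.lower()].append((pad, size, m.group('stamp')))
    return {path: sorted(entries) for path, entries in groups.items()}


def run_values_with_padding(log_text):
    """Return [(value name, path)] for Run values that point at a padded name."""
    hits = []
    for line in log_text.splitlines():
        m = RUN_VALUE.match(line.strip())
        if m and split_padding(m.group('path')) is not None:
            hits.append((m.group('name'), m.group('path')))
    return hits


if __name__ == "__main__":
    for path, entries in padded_variants(SAMPLE_LOG).items():
        print(f"{path}: {len(entries)} padded variant(s)")
        for pad, size, stamp in entries:
            print(f"    pad={pad:<2} size={size:>9} modified={stamp}")
    for name, path in run_values_with_padding(SAMPLE_LOG):
        print(f"Run value {name!r} -> {path!r}")
```
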

Re: Malware infection

Post by Bob4 » February 18th, 2008, 5:56 pm

________________________________________
Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\ljjjkjj.dll


Renv::
----a-w 39,792 2008-02-18 19:22:01 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 79,224 2008-01-04 23:44:23 C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w 843,776 2008-02-18 19:21:54 C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w 1,073,152 2007-12-27 21:23:42 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 90,112 2008-02-18 19:21:55 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w 2,061,816 2008-02-18 19:22:08 C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
----a-w 409,600 2008-02-18 19:21:57 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN .EXE
----a-w 155,648 2008-02-18 19:21:58 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 185,896 2008-02-18 19:21:58 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 256,576 2008-02-18 19:21:57 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 83,608 2008-02-18 19:22:00 C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w 15,360 2008-01-04 18:00:55 C:\WINDOWS\system32\ctfmon .exe
----a-w 385,024 2008-02-18 19:21:54 C:\WINDOWS\system32\JMRaidTool .exe
----a-w 644,096 2007-12-27 21:23:47 C:\Program Files\QuickTime\qttask .exe
----a-w 610,816 2007-12-28 20:24:46 C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~4 .EXE
----a-w 610,816 2007-12-28 12:50:09 C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~3 .EXE
----a-w 610,816 2007-12-27 21:41:17 C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~2 .EXE
----a-w 610,816 2007-12-27 21:23:30 C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~1 .EXE
----a-w 1,694,208 2008-02-18 19:22:09 C:\Program Files\Messenger\MSMSGS .EXE
----a-w 5,674,352 2008-02-18 19:22:19 C:\Program Files\MSN Messenger\MsnMsgr .Exe



Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnmll]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkjj]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{347265BB-0443-487A-8ACB-31F4D04CE63E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A9ADE21-7049-40CB-9619-6BDC1A943F23}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B5D2FD4-533F-4FF3-BB1E-2AD52A2A525A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C856C68-3C3E-45CE-885F-966A31E8812C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4599AAE9-B747-4EF7-8A36-FD08AE8FE42C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77EC5607-B7E5-44E3-A99E-19B288D30DF7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{888BB793-B917-43EB-BA85-576E733D13FE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{985D2CBE-8E1C-4685-8FDD-ED3E88844CC3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AECAE9A4-4AFB-4820-95D6-DE6A0EC6EC8F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF1D848B-4714-4330-BDA5-1CA78F05D133}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2EAC935-DD71-47F0-B028-3353A6180853}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3E13427-7B01-4380-8715-498B02461D74}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB88392A-4460-44F2-9432-8D8CA1EEF5DF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E209CDE8-92BF-4DF6-930C-014C38E979A1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF72262F-6E49-4A61-A3AF-5CDBE45BF7E0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F85A302A-C119-4F78-AE01-620DD15293FC}]


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will need in your next reply.

_______________________________________________________


______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    (Do not use the Registry function to clean anything with this program. Having anything auto clean your registry is risky).


_________________________________


Using Internet Explorer (Firefox will not work)
Please do an online scan with Kaspersky Online Scanner
Click accept on the first page.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • The report from Kaspersky
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Malware infection

Post by jim e » February 18th, 2008, 11:44 pm

Hello again Bob4,
As requested. Although I am not sure of the combo log as I ? it. When I tried to drag & drop it to the Combo icon it started the scan right away and the log text file stayed on the desktop, so I am unsure it took. If I need to do it again please include a more detailed instruction.
Thanks again
jim e

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31, on 2008-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\QuickTime\qttask .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/ ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3532994563
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3629285812
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/p ... der_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FB82C3D-7D26-481E-911D-5C865523A068}: NameServer = 207.164.234.193 207.164.234.129
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Scan and Clean utility\rpsupdaterR.exe

--
End of file - 8210 bytes

ComboFix 08-02-18.1 - Owner 2008-02-18 18:49:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.590 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\ljjjkjj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ljjjkjj.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-18 18:52 . 2008-02-18 18:52 330,816 --a------ C:\WINDOWS\system32\gebyv.dll
2008-02-11 18:47 . 2008-02-11 18:48 <DIR> d-------- C:\Documents and Settings\hjt\hjt log file
2008-02-11 18:45 . 2008-02-11 18:45 396,288 --a------ C:\Documents and Settings\hjt\HijackThis.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 23:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-08 09:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-01-04 23:44 --------- d-----w C:\Program Files\QuickTime
2008-01-04 23:44 --------- d-----w C:\Program Files\MSN Messenger
2008-01-04 23:44 --------- d-----w C:\Program Files\iTunes
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w            79,224 2008-01-04 23:44:23  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w           843,776 2008-02-18 23:52:19  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w           729,088 2008-01-05 02:51:46  C:\Program Files\Analog Devices\SoundMAX\Smax4               .exe
----a-w         1,073,152 2008-01-04 23:44:20  C:\Program Files\Analog Devices\SoundMAX\Smax4              .exe
----a-w         1,073,152 2008-01-04 11:50:36  C:\Program Files\Analog Devices\SoundMAX\Smax4             .exe
----a-w         1,073,152 2008-01-04 00:19:07  C:\Program Files\Analog Devices\SoundMAX\Smax4            .exe
----a-w         1,073,152 2008-01-02 23:44:38  C:\Program Files\Analog Devices\SoundMAX\Smax4           .exe
----a-w         1,073,152 2008-01-02 14:10:16  C:\Program Files\Analog Devices\SoundMAX\Smax4          .exe
----a-w         1,073,152 2008-01-01 11:51:17  C:\Program Files\Analog Devices\SoundMAX\Smax4         .exe
----a-w         1,073,152 2007-12-31 19:07:56  C:\Program Files\Analog Devices\SoundMAX\Smax4        .exe
----a-w         1,073,152 2007-12-31 08:31:50  C:\Program Files\Analog Devices\SoundMAX\Smax4       .exe
----a-w         1,073,152 2007-12-30 22:59:21  C:\Program Files\Analog Devices\SoundMAX\Smax4      .exe
----a-w         1,073,152 2007-12-29 22:46:13  C:\Program Files\Analog Devices\SoundMAX\Smax4     .exe
----a-w         1,073,152 2007-12-29 07:45:53  C:\Program Files\Analog Devices\SoundMAX\Smax4    .exe
----a-w         1,073,152 2007-12-29 02:10:46  C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe
----a-w         1,073,152 2007-12-28 10:34:57  C:\Program Files\Analog Devices\SoundMAX\Smax4  .exe
----a-w         1,073,152 2007-12-27 21:23:42  C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w            90,112 2008-02-18 23:52:19  C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w         2,061,816 2008-02-18 23:52:24  C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
----a-w           409,600 2008-02-18 23:52:21  C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN .EXE
----a-w           155,648 2008-02-18 23:52:21  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w           185,896 2008-02-18 23:52:21  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           256,576 2008-02-18 23:52:21  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            83,608 2008-02-18 23:52:21  C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w         1,694,208 2008-02-18 23:52:26  C:\Program Files\Messenger\MSMSGS .EXE
----a-w         5,674,352 2008-02-18 23:52:33  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w           610,816 2008-01-02 14:10:04  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~1 .EXE
----a-w           610,816 2008-01-02 18:27:40  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~2 .EXE
----a-w           610,816 2008-01-02 23:44:25  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~3 .EXE
----a-w           610,816 2008-01-03 18:28:36  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~4 .EXE
----a-w           610,816 2008-01-04 23:44:05  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~1 .EXE
----a-w           249,856 2008-01-04 23:44:42  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~2 .EXE
----a-w           610,816 2007-12-29 02:10:33  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~1 .EXE
----a-w           610,816 2007-12-29 07:45:41  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~2 .EXE
----a-w           610,816 2007-12-29 13:42:02  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~3 .EXE
----a-w           610,816 2007-12-29 22:46:01  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~4 .EXE
----a-w           610,816 2008-01-04 00:18:56  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~1 .EXE
----a-w           610,816 2008-01-04 05:19:14  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~2 .EXE
----a-w           610,816 2008-01-04 11:50:06  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~3 .EXE
----a-w           610,816 2008-01-04 18:00:27  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~4 .EXE
----a-w           610,816 2007-12-30 09:45:20  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~1 .EXE
----a-w           610,816 2007-12-30 13:07:49  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~2 .EXE
----a-w           610,816 2007-12-30 22:59:10  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~3 .EXE
----a-w           610,816 2007-12-31 07:48:14  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~4 .EXE
----a-w           610,816 2007-12-31 11:21:59  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~1 .EXE
----a-w           610,816 2007-12-31 17:10:01  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~2 .EXE
----a-w           610,816 2007-12-31 19:07:46  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~3 .EXE
----a-w           610,816 2008-01-01 20:07:06  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~4 .EXE
----a-w           610,816 2007-12-27 16:57:25  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\mssysmgr .exe
----a-w           610,816 2007-12-27 21:23:30  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~1 .EXE
----a-w           610,816 2007-12-27 21:41:17  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~2 .EXE
----a-w           610,816 2007-12-28 12:50:09  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~3 .EXE
----a-w           610,816 2007-12-28 20:24:46  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~4 .EXE
----a-w           282,624 2008-01-04 23:44:19  C:\Program Files\QuickTime\qttask               .exe
----a-w           644,096 2008-01-04 18:00:45  C:\Program Files\QuickTime\qttask              .exe
----a-w           644,096 2008-01-04 05:19:30  C:\Program Files\QuickTime\qttask             .exe
----a-w           644,096 2008-01-03 18:28:52  C:\Program Files\QuickTime\qttask            .exe
----a-w           644,096 2008-01-02 23:44:41  C:\Program Files\QuickTime\qttask           .exe
----a-w           644,096 2008-01-02 14:10:23  C:\Program Files\QuickTime\qttask          .exe
----a-w           644,096 2008-01-01 11:51:19  C:\Program Files\QuickTime\qttask         .exe
----a-w           644,096 2007-12-31 17:10:16  C:\Program Files\QuickTime\qttask        .exe
----a-w           644,096 2007-12-31 08:31:51  C:\Program Files\QuickTime\qttask       .exe
----a-w           644,096 2007-12-30 13:08:04  C:\Program Files\QuickTime\qttask      .exe
----a-w           644,096 2007-12-29 22:46:17  C:\Program Files\QuickTime\qttask     .exe
----a-w           644,096 2007-12-29 07:45:58  C:\Program Files\QuickTime\qttask    .exe
----a-w           644,096 2007-12-28 20:25:02  C:\Program Files\QuickTime\qttask   .exe
----a-w           644,096 2007-12-28 10:34:58  C:\Program Files\QuickTime\qttask  .exe
----a-w           644,096 2007-12-27 21:23:47  C:\Program Files\QuickTime\qttask .exe
----a-w            15,360 2008-01-04 18:00:55  C:\WINDOWS\system32\ctfmon .exe
----a-w           385,024 2008-02-18 23:52:19  C:\WINDOWS\system32\JMRaidTool .exe
</pre>



-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE" [2008-01-04 18:44 249856]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2008-01-04 18:44 2221056]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-04 18:44 6040064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-01-04 06:50 1182208]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2008-01-04 21:51 729088]
"JMB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2008-01-04 06:50 738816]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-01 06:51 472576]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2008-01-02 09:10 770048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-04 18:44 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-02 09:10 682496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-02 18:44 491008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-04 06:50 521216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2008-01-02 18:44 421888]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-18 14:22 39792]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2008-01-02 09:10 2422784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56 393216]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-12-03 09:58:23 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2005-07-26 11:35:56 94295]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]

S3 EyeOneDp;EyeOneDp;C:\WINDOWS\system32\drivers\EyeOneDp.sys []
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe [2004-08-04 02:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 23:50:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4E2153A1-B3E7-4BF8-88B8-117CA5E304D4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 18:52:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\WINDOWS\System32\JMRaidTool .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN .EXE
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2008-02-18 18:54:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-18 23:54:03
ComboFix2.txt 2008-02-18 19:24:35
.
2008-02-13 17:03:44 --- E O F ---


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-18 22:31
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/02/2008
Kaspersky Anti-Virus database records: 572657
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 54588
Number of viruses found: 3
Number of infected objects: 498
Number of suspicious objects: 0
Duration of the scan process: 00:38:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Bell\Sympatico Security Advisor\client_gateway.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47664206-D02A-43DE-8E2A-09508CAD31B1}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47664206-D02A-43DE-8E2A-09508CAD31B1}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{47664206-D02A-43DE-8E2A-09508CAD31B1}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008021820080219\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\2308 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_2fc.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_c34.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_c3c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD08E.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Analog Devices\Core\smax4pnp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Messenger\MSMSGS.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\MSN Messenger\MsnMsgr.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~1 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~2 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~3 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~4 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~1 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~1 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~2 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~3 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~4 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~1 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~2 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~3 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~4 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~1 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~2 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~3 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~4 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~1 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~2 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~3 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~4 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\mssysmgr .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\mssysmgr.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~1 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~2 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~3 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~4 .EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebyv.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX5A.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX8D.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\QooBox\Quarantine\catchme2008-02-18_185218.06.zip/ljjjkjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-18_185218.06.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP238\A0021273.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021895.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021896.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021898.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021902.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021903.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021904.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021906.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021907.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021909.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021910.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021912.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021913.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021915.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP240\A0021917.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021929.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021937.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021938.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021940.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021944.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021947.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021948.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021952.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021954.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021956.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021957.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021959.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021962.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021969.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021977.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021978.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021980.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021981.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021982.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021984.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021989.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021990.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021992.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021994.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021995.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021997.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021998.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0021999.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP241\A0022003.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022030.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022038.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022039.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022040.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022042.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022044.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022046.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022047.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022048.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022052.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022053.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022054.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022055.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022058.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022059.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022060.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022062.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022078.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022087.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022090.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022096.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022102.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022103.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022105.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022107.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022108.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022110.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022112.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022113.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022114.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022116.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022121.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022129.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022130.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022132.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022133.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022134.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022138.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022141.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022142.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022145.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022146.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022147.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022148.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022151.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022152.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022155.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022162.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022171.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022172.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022177.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022183.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022185.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022186.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022189.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022191.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022193.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022194.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022196.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022198.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022199.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022205.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022214.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022216.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022224.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022225.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022226.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022227.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022229.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022231.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022232.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022233.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022234.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022237.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022238.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP242\A0022239.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022251.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022259.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022260.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022262.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022268.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022270.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022271.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022274.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022275.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022276.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022278.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022279.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022282.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022284.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022285.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022292.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022301.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022302.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022304.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022308.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022309.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022312.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022314.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022318.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022320.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022321.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022322.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022324.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022325.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022327.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022419.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022426.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022428.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022429.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022435.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022437.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022439.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022440.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022442.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022443.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022445.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022448.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022449.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022450.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022452.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022460.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022468.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022469.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022470.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022474.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022475.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022477.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022479.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022482.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022483.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022485.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022487.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022488.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022491.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022493.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022506.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022507.Exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022508.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022517.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022519.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022520.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022522.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022523.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022525.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022529.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022531.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022532.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022533.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022534.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP243\A0022542.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP277\A0027586.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP278\A0027732.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP278\A0027738.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{7AC96DF9-938A-461D-BAE5-3974BE22174D}\RP278\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_SM56PCI-A.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{47CE067F-4D71-429B-8141-AD66352F4C65}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\JMRaidTool.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_470.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Re: Malware infection

Post by Bob4 » February 19th, 2008, 7:57 am

The script you added to Combofix worked just fine. It's not supposed to disappear.

I'm checking on something.

In the meantime please do the following.

We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you
in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Re: Malware infection

Post by Bob4 » February 19th, 2008, 7:19 pm

Please let me know when you have that done.

Re: Malware infection

Post by jim e » February 20th, 2008, 7:06 am

Bob4
here is the cf file
thks jim e
ps will not reboot comp until directed

Re: Malware infection

Post by jim e » February 20th, 2008, 7:07 am

bob4 sorry forgot this

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Re: Malware infection

Post by Bob4 » February 20th, 2008, 7:56 am

You may reboot your computer
___________________________________
Safe mode:
Please reboot to safe mode:
After the very first black screen start tapping the F8 key until prompted with a list.... choose safe mode. Log on to your usual account.

________________________________________
Open notepad and copy/paste the text in the quotebox below into it:


Renv::
----a-w 39,792 2008-02-18 19:22:01 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 79,224 2008-01-04 23:44:23 C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w 843,776 2008-02-18 19:21:54 C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w 1,073,152 2007-12-27 21:23:42 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 90,112 2008-02-18 19:21:55 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w 2,061,816 2008-02-18 19:22:08 C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
----a-w 409,600 2008-02-18 19:21:57 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN .EXE
----a-w 155,648 2008-02-18 19:21:58 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 185,896 2008-02-18 19:21:58 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 256,576 2008-02-18 19:21:57 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 83,608 2008-02-18 19:22:00 C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w 15,360 2008-01-04 18:00:55 C:\WINDOWS\system32\ctfmon .exe
----a-w 385,024 2008-02-18 19:21:54 C:\WINDOWS\system32\JMRaidTool .exe
----a-w 644,096 2007-12-27 21:23:47 C:\Program Files\QuickTime\qttask .exe
----a-w 610,816 2007-12-28 20:24:46 C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~4 .EXE
----a-w 610,816 2007-12-28 12:50:09 C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~3 .EXE
----a-w 610,816 2007-12-27 21:41:17 C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~2 .EXE
----a-w 610,816 2007-12-27 21:23:30 C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~1 .EXE
----a-w 1,694,208 2008-02-18 19:22:09 C:\Program Files\Messenger\MSMSGS .EXE
----a-w 5,674,352 2008-02-18 19:22:19 C:\Program Files\MSN Messenger\MsnMsgr .Exe




NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will need in your next reply.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • Let me know how things are running.

Re: Malware infection

Post by jim e » February 20th, 2008, 8:42 pm

bob4 both logs were done in safe mode but had to reboot to regular mode to get internet connection. On reboot to regular mode malware showed up under avant as well as several of the non-highlighted programs i.e. j micron, Canon photo printer and the usual Windows pop-up for a request for internet access by an unspecified program.
Thks
jim e

ComboFix 08-02-18.1 - Owner 2008-02-20 19:14:16.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.819 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-18 19:42 . 2008-02-18 19:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 19:42 . 2008-02-18 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-11 18:47 . 2008-02-11 18:48 <DIR> d-------- C:\Documents and Settings\hjt\hjt log file
2008-02-11 18:45 . 2008-02-11 18:45 396,288 --a------ C:\Documents and Settings\hjt\HijackThis.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 08:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-20 08:34 385,024 ----a-w C:\WINDOWS\system32\JMRaidTool .exe
2008-02-08 09:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-01-04 23:44 --------- d-----w C:\Program Files\QuickTime
2008-01-04 23:44 --------- d-----w C:\Program Files\MSN Messenger
2008-01-04 23:44 --------- d-----w C:\Program Files\iTunes
2008-01-04 18:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2008-01-04 11:50 738,816 ----a-w C:\WINDOWS\system32\JMRaidTool.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-24 03:09 299,646 --sha-w C:\WINDOWS\system32\fgjlm.tmp
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w            79,224 2008-01-04 23:44:23  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w           843,776 2008-02-20 08:34:57  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w           729,088 2008-01-05 02:51:46  C:\Program Files\Analog Devices\SoundMAX\Smax4               .exe
----a-w         1,073,152 2008-01-04 23:44:20  C:\Program Files\Analog Devices\SoundMAX\Smax4              .exe
----a-w         1,073,152 2008-01-04 11:50:36  C:\Program Files\Analog Devices\SoundMAX\Smax4             .exe
----a-w         1,073,152 2008-01-04 00:19:07  C:\Program Files\Analog Devices\SoundMAX\Smax4            .exe
----a-w         1,073,152 2008-01-02 23:44:38  C:\Program Files\Analog Devices\SoundMAX\Smax4           .exe
----a-w         1,073,152 2008-01-02 14:10:16  C:\Program Files\Analog Devices\SoundMAX\Smax4          .exe
----a-w         1,073,152 2008-01-01 11:51:17  C:\Program Files\Analog Devices\SoundMAX\Smax4         .exe
----a-w         1,073,152 2007-12-31 19:07:56  C:\Program Files\Analog Devices\SoundMAX\Smax4        .exe
----a-w         1,073,152 2007-12-31 08:31:50  C:\Program Files\Analog Devices\SoundMAX\Smax4       .exe
----a-w         1,073,152 2007-12-30 22:59:21  C:\Program Files\Analog Devices\SoundMAX\Smax4      .exe
----a-w         1,073,152 2007-12-29 22:46:13  C:\Program Files\Analog Devices\SoundMAX\Smax4     .exe
----a-w         1,073,152 2007-12-29 07:45:53  C:\Program Files\Analog Devices\SoundMAX\Smax4    .exe
----a-w         1,073,152 2007-12-29 02:10:46  C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe
----a-w         1,073,152 2007-12-28 10:34:57  C:\Program Files\Analog Devices\SoundMAX\Smax4  .exe
----a-w         1,073,152 2007-12-27 21:23:42  C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w            90,112 2008-02-20 08:34:57  C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w         2,061,816 2008-02-20 08:35:07  C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
----a-w           409,600 2008-02-20 08:34:59  C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN .EXE
----a-w           155,648 2008-02-20 08:35:00  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w           185,896 2008-02-20 08:35:02  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           256,576 2008-02-20 08:34:59  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            83,608 2008-02-20 08:35:02  C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w         1,694,208 2008-02-20 08:35:07  C:\Program Files\Messenger\MSMSGS .EXE
----a-w         5,674,352 2008-02-20 08:35:09  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w           610,816 2008-01-02 14:10:04  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~1 .EXE
----a-w           610,816 2008-01-02 18:27:40  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~2 .EXE
----a-w           610,816 2008-01-02 23:44:25  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~3 .EXE
----a-w           610,816 2008-01-03 18:28:36  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~4 .EXE
----a-w           610,816 2008-01-04 23:44:05  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~1 .EXE
----a-w           249,856 2008-01-04 23:44:42  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~2 .EXE
----a-w           610,816 2007-12-29 02:10:33  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~1 .EXE
----a-w           610,816 2007-12-29 07:45:41  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~2 .EXE
----a-w           610,816 2007-12-29 13:42:02  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~3 .EXE
----a-w           610,816 2007-12-29 22:46:01  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~4 .EXE
----a-w           610,816 2008-01-04 00:18:56  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~1 .EXE
----a-w           610,816 2008-01-04 05:19:14  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~2 .EXE
----a-w           610,816 2008-01-04 11:50:06  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~3 .EXE
----a-w           610,816 2008-01-04 18:00:27  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~4 .EXE
----a-w           610,816 2007-12-30 09:45:20  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~1 .EXE
----a-w           610,816 2007-12-30 13:07:49  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~2 .EXE
----a-w           610,816 2007-12-30 22:59:10  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~3 .EXE
----a-w           610,816 2007-12-31 07:48:14  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~4 .EXE
----a-w           610,816 2007-12-31 11:21:59  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~1 .EXE
----a-w           610,816 2007-12-31 17:10:01  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~2 .EXE
----a-w           610,816 2007-12-31 19:07:46  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~3 .EXE
----a-w           610,816 2008-01-01 20:07:06  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~4 .EXE
----a-w           610,816 2007-12-27 16:57:25  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\mssysmgr .exe
----a-w           610,816 2007-12-27 21:23:30  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~1 .EXE
----a-w           610,816 2007-12-27 21:41:17  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~2 .EXE
----a-w           610,816 2007-12-28 12:50:09  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~3 .EXE
----a-w           610,816 2007-12-28 20:24:46  C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~4 .EXE
----a-w           282,624 2008-01-04 23:44:19  C:\Program Files\QuickTime\qttask               .exe
----a-w           644,096 2008-01-04 18:00:45  C:\Program Files\QuickTime\qttask              .exe
----a-w           644,096 2008-01-04 05:19:30  C:\Program Files\QuickTime\qttask             .exe
----a-w           644,096 2008-01-03 18:28:52  C:\Program Files\QuickTime\qttask            .exe
----a-w           644,096 2008-01-02 23:44:41  C:\Program Files\QuickTime\qttask           .exe
----a-w           644,096 2008-01-02 14:10:23  C:\Program Files\QuickTime\qttask          .exe
----a-w           644,096 2008-01-01 11:51:19  C:\Program Files\QuickTime\qttask         .exe
----a-w           644,096 2007-12-31 17:10:16  C:\Program Files\QuickTime\qttask        .exe
----a-w           644,096 2007-12-31 08:31:51  C:\Program Files\QuickTime\qttask       .exe
----a-w           644,096 2007-12-30 13:08:04  C:\Program Files\QuickTime\qttask      .exe
----a-w           644,096 2007-12-29 22:46:17  C:\Program Files\QuickTime\qttask     .exe
----a-w           644,096 2007-12-29 07:45:58  C:\Program Files\QuickTime\qttask    .exe
----a-w           644,096 2007-12-28 20:25:02  C:\Program Files\QuickTime\qttask   .exe
----a-w           644,096 2007-12-28 10:34:58  C:\Program Files\QuickTime\qttask  .exe
----a-w           644,096 2007-12-27 21:23:47  C:\Program Files\QuickTime\qttask .exe
----a-w            15,360 2008-01-04 18:00:55  C:\WINDOWS\system32\ctfmon .exe
----a-w           385,024 2008-02-20 08:34:58  C:\WINDOWS\system32\JMRaidTool .exe
</pre>



-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE" [2008-01-04 18:44 249856]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2008-01-04 18:44 2221056]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-04 18:44 6040064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-01-04 06:50 1182208]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2008-01-04 21:51 729088]
"JMB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2008-01-04 06:50 738816]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-01 06:51 472576]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2008-01-02 09:10 770048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-04 18:44 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-02 09:10 682496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-02 18:44 491008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-04 06:50 521216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2008-01-02 18:44 421888]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-18 14:22 39792]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2008-01-02 09:10 2422784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56 393216]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-12-03 09:58:23 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2005-07-26 11:35:56 94295]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]

S3 EyeOneDp;EyeOneDp;C:\WINDOWS\system32\drivers\EyeOneDp.sys []
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe [2004-08-04 02:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-21 00:05:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4E2153A1-B3E7-4BF8-88B8-117CA5E304D4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 19:15:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-20 19:16:34
ComboFix-quarantined-files.txt 2008-02-21 00:16:25
ComboFix2.txt 2008-02-18 23:54:07
ComboFix3.txt 2008-02-18 19:24:35
.
2008-02-13 17:03:44 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/ ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3532994563
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3629285812
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/p ... der_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Scan and Clean utility\rpsupdaterR.exe

--
End of file - 6676 bytes
jim e
Active Member
 
Posts: 10
Joined: January 23rd, 2008, 5:46 am
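
The paths in the logs above and in the CFScript listings differ from ordinary file names only by whitespace before the extension, for example "JMRaidTool .exe" beside "JMRaidTool.exe" in the Find3M report. The following Python is an added example, not part of the thread and not ComboFix or HijackThis code: it pulls autorun targets from HijackThis O4 Run lines and file paths from ComboFix listing lines and flags such padded names for review. All function names are hypothetical, and the sample lines are copied from the logs posted in this thread.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis and ComboFix logs in this thread.
HJT_LINES = [
    r'O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe',
    r'O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray',
    r'O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe',
]
FIND3M_LINES = [
    r'2008-02-20 08:34 385,024 ----a-w C:\WINDOWS\system32\JMRaidTool .exe',
    r'2008-01-04 18:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe',
    r'2008-01-04 11:50 738,816 ----a-w C:\WINDOWS\system32\JMRaidTool.exe',
    r'2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll',
]

# Hypothetical helpers below; the patterns are assumptions fitted to the log
# formats visible in this thread, not a specification of either tool's output.
O4_RUN_RE = re.compile(r'^O4 - \S+Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
EXT = r'(?:exe|com|scr|bat|cmd|pif|dll)'
UNQUOTED_EXE_RE = re.compile(r'^(.*?\.' + EXT + r')(?=\s|$)', re.I)
PADDED_EXT_RE = re.compile(r'\s+(\.[^.\\\s]+)$')      # whitespace before the extension
DRIVE_PATH_RE = re.compile(r'([A-Za-z]:\\.+?)\s*$')   # "C:\..." up to end of line


def command_target(cmd):
    """Return the executable path from a Run value, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = UNQUOTED_EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def is_padded(path):
    """True when whitespace sits between the file name and its extension."""
    return bool(PADDED_EXT_RE.search(path))


def canonical(path):
    """Path with the padding removed and case folded, for grouping twins."""
    return PADDED_EXT_RE.sub(r'\1', path).lower()


def padded_autoruns(hjt_lines):
    """(value name, target path) for Run entries that launch a padded name."""
    hits = []
    for line in hjt_lines:
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue  # Startup-folder and other O4 forms are skipped here
        target = command_target(m.group('cmd'))
        if is_padded(target):
            hits.append((m.group('name'), target))
    return hits


def listed_paths(lines):
    """Extract the trailing drive-letter path from each listing line."""
    paths = []
    for line in lines:
        m = DRIVE_PATH_RE.search(line)
        if m:
            paths.append(m.group(1))
    return paths


def padded_twins(paths):
    """Groups where a padded name and its unpadded twin both appear."""
    groups = defaultdict(set)
    for p in paths:
        groups[canonical(p)].add(p)
    return {
        key: sorted(variants)
        for key, variants in groups.items()
        if any(is_padded(v) for v in variants)
        and any(not is_padded(v) for v in variants)
    }


if __name__ == '__main__':
    for name, target in padded_autoruns(HJT_LINES):
        print('Run entry %r launches padded name: %r' % (name, target))
    for key, variants in padded_twins(listed_paths(FIND3M_LINES)).items():
        print('padded/unpadded twins:', variants)
```

A flagged path is a lead for manual review of the file and its autorun entry, not a verdict on which copy belongs to the installed program.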

Re: Malware infection

Post by Bob4 » February 21st, 2008, 3:25 pm

________________________________________
Open notepad and copy/paste the text in the quotebox below into it:


Renv::

C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA .exe
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN .EXE
C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
C:\Program Files\Messenger\MSMSGS .EXE
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~1 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~2 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~3 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS01A0~4 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~1 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS0827~2 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~1 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~2 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~3 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS28C2~4 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~1 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~2 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~3 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS74A3~4 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~1 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~2 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~3 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS872A~4 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~1 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~2 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~3 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MS9997~4 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\mssysmgr .exe
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~1 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~2 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~3 .EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\MSSYSM~4 .EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\JMRaidTool .exe



NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will need in your next reply.


Please post that log along with a new HJT log.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Malware infection

Unread postby jim e » February 21st, 2008, 7:20 pm

hello bob4

ComboFix 08-02-18.1 - Owner 2008-02-21 17:42:21.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.583 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-18 19:42 . 2008-02-18 19:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 19:42 . 2008-02-18 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-11 18:47 . 2008-02-11 18:48 <DIR> d-------- C:\Documents and Settings\hjt\hjt log file
2008-02-11 18:45 . 2008-02-11 18:45 396,288 --a------ C:\Documents and Settings\hjt\HijackThis.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 22:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-21 22:42 --------- d-----w C:\Program Files\QuickTime
2008-02-21 22:42 --------- d-----w C:\Program Files\MSN Messenger
2008-02-21 22:41 --------- d-----w C:\Program Files\iTunes
2008-02-08 09:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
<pre>
----a-w           729,088 2008-01-05 02:51:46  C:\Program Files\Analog Devices\SoundMAX\Smax4               .exe
----a-w         1,073,152 2008-01-04 23:44:20  C:\Program Files\Analog Devices\SoundMAX\Smax4              .exe
----a-w         1,073,152 2008-01-04 11:50:36  C:\Program Files\Analog Devices\SoundMAX\Smax4             .exe
----a-w         1,073,152 2008-01-04 00:19:07  C:\Program Files\Analog Devices\SoundMAX\Smax4            .exe
----a-w         1,073,152 2008-01-02 23:44:38  C:\Program Files\Analog Devices\SoundMAX\Smax4           .exe
----a-w         1,073,152 2008-01-02 14:10:16  C:\Program Files\Analog Devices\SoundMAX\Smax4          .exe
----a-w         1,073,152 2008-01-01 11:51:17  C:\Program Files\Analog Devices\SoundMAX\Smax4         .exe
----a-w         1,073,152 2007-12-31 19:07:56  C:\Program Files\Analog Devices\SoundMAX\Smax4        .exe
----a-w         1,073,152 2007-12-31 08:31:50  C:\Program Files\Analog Devices\SoundMAX\Smax4       .exe
----a-w         1,073,152 2007-12-30 22:59:21  C:\Program Files\Analog Devices\SoundMAX\Smax4      .exe
----a-w         1,073,152 2007-12-29 22:46:13  C:\Program Files\Analog Devices\SoundMAX\Smax4     .exe
----a-w         1,073,152 2007-12-29 07:45:53  C:\Program Files\Analog Devices\SoundMAX\Smax4    .exe
----a-w         1,073,152 2007-12-29 02:10:46  C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe
----a-w         1,073,152 2007-12-28 10:34:57  C:\Program Files\Analog Devices\SoundMAX\Smax4  .exe
----a-w           282,624 2008-01-04 23:44:19  C:\Program Files\QuickTime\qttask               .exe
----a-w           644,096 2008-01-04 18:00:45  C:\Program Files\QuickTime\qttask              .exe
----a-w           644,096 2008-01-04 05:19:30  C:\Program Files\QuickTime\qttask             .exe
----a-w           644,096 2008-01-03 18:28:52  C:\Program Files\QuickTime\qttask            .exe
----a-w           644,096 2008-01-02 23:44:41  C:\Program Files\QuickTime\qttask           .exe
----a-w           644,096 2008-01-02 14:10:23  C:\Program Files\QuickTime\qttask          .exe
----a-w           644,096 2008-01-01 11:51:19  C:\Program Files\QuickTime\qttask         .exe
----a-w           644,096 2007-12-31 17:10:16  C:\Program Files\QuickTime\qttask        .exe
----a-w           644,096 2007-12-31 08:31:51  C:\Program Files\QuickTime\qttask       .exe
----a-w           644,096 2007-12-30 13:08:04  C:\Program Files\QuickTime\qttask      .exe
----a-w           644,096 2007-12-29 22:46:17  C:\Program Files\QuickTime\qttask     .exe
----a-w           644,096 2007-12-29 07:45:58  C:\Program Files\QuickTime\qttask    .exe
----a-w           644,096 2007-12-28 20:25:02  C:\Program Files\QuickTime\qttask   .exe
----a-w           644,096 2007-12-28 10:34:58  C:\Program Files\QuickTime\qttask  .exe
</pre>



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE" [ ]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2008-02-21 16:59 1694208]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-02-21 16:59 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-02-21 16:59 843776]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2008-01-04 21:51 729088]
"JMB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2008-02-21 16:59 385024]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-02-21 16:59 90112]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2008-02-21 16:59 409600]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-04 18:44 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-21 16:59 256576]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-21 16:59 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-04 18:44 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-21 16:59 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2008-02-21 16:59 83608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-18 14:22 39792]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2008-02-21 16:59 2061816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56 393216]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-12-03 09:58:23 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2005-07-26 11:35:56 94295]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]

S3 EyeOneDp;EyeOneDp;C:\WINDOWS\system32\drivers\EyeOneDp.sys []
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe [2004-08-04 02:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-21 22:45:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4E2153A1-B3E7-4BF8-88B8-117CA5E304D4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 17:44:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2008-02-21 17:46:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-21 22:46:16
ComboFix2.txt 2008-02-21 00:16:34
ComboFix3.txt 2008-02-18 23:54:07
ComboFix4.txt 2008-02-18 19:24:35
.
2008-02-13 17:03:44 --- E O F ---

------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:10, on 2008-02-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Webshots\Webshots.scr
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/ ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3532994563
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3629285812
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/p ... der_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Scan and Clean utility\rpsupdaterR.exe

--
End of file - 7989 bytes

thks
jim e
jim e
Active Member
 
Posts: 10
Joined: January 23rd, 2008, 5:46 am

Re: Malware infection

Unread postby Bob4 » February 22nd, 2008, 5:53 am

We need to do this one last time hopefully.




________________________________________
Open notepad and copy/paste the text in the quotebox below into it:


RENV::
C:\Program Files\Analog Devices\SoundMAX\Smax4               .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4              .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4             .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4            .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4           .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4          .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4         .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4        .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4       .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4      .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4     .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4    .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4  .exe
C:\Program Files\QuickTime\qttask               .exe
C:\Program Files\QuickTime\qttask              .exe
C:\Program Files\QuickTime\qttask             .exe
C:\Program Files\QuickTime\qttask            .exe
C:\Program Files\QuickTime\qttask           .exe
C:\Program Files\QuickTime\qttask          .exe
C:\Program Files\QuickTime\qttask         .exe
C:\Program Files\QuickTime\qttask        .exe
C:\Program Files\QuickTime\qttask       .exe
C:\Program Files\QuickTime\qttask      .exe
C:\Program Files\QuickTime\qttask     .exe
C:\Program Files\QuickTime\qttask    .exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe




NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will need in your next reply.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Malware infection

Unread postby jim e » February 23rd, 2008, 8:40 am

Bob4, the comp is back to booting as it did before the malware. "THANK YOU". Hopefully you have cured it, and if so, a short explanation as to what it was or hide might make me a little more informed to prevent this again.
Here is, as you say, hopefully the last log:

ComboFix 08-02-18.1 - Owner 2008-02-23 7:17:15.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.592 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-18 19:42 . 2008-02-18 19:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 19:42 . 2008-02-18 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-11 18:47 . 2008-02-11 18:48 <DIR> d-------- C:\Documents and Settings\hjt\hjt log file
2008-02-11 18:45 . 2008-02-11 18:45 396,288 --a------ C:\Documents and Settings\hjt\HijackThis.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 12:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-23 12:18 --------- d-----w C:\Program Files\QuickTime
2008-02-21 22:42 --------- d-----w C:\Program Files\MSN Messenger
2008-02-21 22:41 --------- d-----w C:\Program Files\iTunes
2008-02-08 09:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE" [ ]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2008-02-21 16:59 1694208]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-02-21 16:59 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-02-21 16:59 843776]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [ ]
"JMB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [2008-02-21 16:59 385024]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-02-21 16:59 90112]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2008-02-21 16:59 409600]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-21 16:59 256576]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-21 16:59 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-04 18:44 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-21 16:59 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2008-02-21 16:59 83608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-18 14:22 39792]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2008-02-21 16:59 2061816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56 393216]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-12-03 09:58:23 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe [2005-07-26 11:35:56 94295]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]

S3 EyeOneDp;EyeOneDp;C:\WINDOWS\system32\drivers\EyeOneDp.sys []
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe [2004-08-04 02:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 12:20:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4E2153A1-B3E7-4BF8-88B8-117CA5E304D4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 07:19:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2008-02-23 7:20:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 12:20:53
ComboFix2.txt 2008-02-21 22:46:19
ComboFix3.txt 2008-02-21 00:16:34
ComboFix4.txt 2008-02-18 23:54:07
ComboFix5.txt 2008-02-18 19:24:35
.
2008-02-13 17:03:44 --- E O F ---

Thanks again
jim e
jim e
Active Member
 
Posts: 10
Joined: January 23rd, 2008, 5:46 am
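
The logs in this thread show autorun entries whose file names carry spaces before the extension (`Smax4 .exe`, `qttask .exe`), which is what the CFScript lists target. The check below is an added example, not part of the thread or of ComboFix or HijackThis: it scans log lines for that pattern. The sample lines are copied from the logs above; the function name and the extension list are assumptions.

```python
import re
from ntpath import basename, splitext

# Sample lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2008-01-04 21:51 729088]
----a-w           644,096 2007-12-28 10:34:58  C:\Program Files\QuickTime\qttask  .exe
"""

# A drive-letter path up to the first executable extension. The match is
# non-greedy so trailing arguments such as "/tray" or "boot" are excluded.
# The extension list is an assumption; extend it as needed.
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat)\b", re.IGNORECASE)


def padded_autoruns(log_text):
    """Return (path, pad_count, imitated_name) for every distinct path whose
    file name has whitespace between the base name and the extension."""
    findings = []
    seen = set()
    for line in log_text.splitlines():
        match = EXE_PATH.search(line)
        if not match:
            continue
        path = match.group(0)
        stem, ext = splitext(basename(path))
        clean = stem.rstrip()          # also strips tabs and non-breaking spaces
        pad = len(stem) - len(clean)
        if pad == 0:
            continue
        key = path.lower()             # Windows paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        findings.append((path, pad, clean + ext))
    return findings


if __name__ == "__main__":
    for path, pad, imitated in padded_autoruns(SAMPLE_LOG):
        print(f"{pad} padding char(s), imitates {imitated}: {path!r}")
```

An 8.3 short name such as `MS0827~3.EXE` does not expose the long file name, so it passes this check and has to be resolved on the host itself.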