Thread: Probably amvo.exe infection

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    6

    Probably amvo.exe infection

    Ok, my computer seemed to be fine before I took my USB and went to my university to copy some classes that I needed.
    I've put it in several laptops and computers.
    When I came back home and put my USB on my computer to copy the files, the first thing I noticed is that my Sygate firewall "died".. Then I uninstalled it.
    The next weird thing that I noticed is when I go to My computer and click on C: it was always opened in another window even though I have the option checked "Open in same window".
    The next weird thing was hidden files and folders.. even if I have checked "show hidden files" it still didn't show them.
    I ran Spybot completely updated.. and it fixed some spyware problems I seem to get every week (not serious thing).
    I also ran AVG free fully updated it didn't find any virus..
    Oh and I also ran the CCleaner.. found problems and fixed I guess.
    Anyhow, then I discovered what happened...
    Run, msconfig, start up and I found "amvo.exe" which was utterly weird..
    I searched the net for that and saw almost all of the guys infected were because of USB..
    Before I finish this long intro (sorry!) I must say I tried some of the fixes for "show hidden files and folders" to change the registry etc. but no matter how many times I've changed, it always went back to 0 or 2.

    "Method 1:

    Go to registry editor by running regedit in the run box.
    Go to this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    In the right hand area, double click hidden and change the value to 1.

    Now you’re all set to go. Check it in your tools menu if the changes have taken effect."
    I AM DEEPLY SORRY FOR THIS LONG INTRO, BUT I THOUGHT YOU MAY WANT TO KNOW THAT

    Now the Hijackthislog

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:33:50, on 14.03.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C194CC32-C591-4CD9-A181-48506D261CBE}: NameServer = 217.16.68.140,217.16.69.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C71C8812-68BC-4D70-A9CD-AD72F50C0D10}: NameServer = 217.16.69.1 217.16.69.3
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

    --
    End of file - 6153 bytes

    And the kaspersky online scan

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, March 14, 2008 3:30:06 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 14/03/2008
    Kaspersky Anti-Virus database records: 629539
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 72154
    Number of viruses found: 5
    Number of infected objects: 38
    Number of suspicious objects: 0
    Duration of the scan process: 01:23:31

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\cert8.db Object is locked skipped
    C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\history.dat Object is locked skipped
    C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\key3.db Object is locked skipped
    C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\parent.lock Object is locked skipped
    C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\zivko\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe/stream/data0249 Infected: not-a-virus:AdWare.Win32.Agent.zr skipped
    C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.zr skipped
    C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\zivko\Desktop\programista\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe NSIS: infected - 4 skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\Content.IE5\38J8IR57\help[1].exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\zivko\ntuser.dat Object is locked skipped
    C:\Documents and Settings\zivko\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\sccfg.sys Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025801.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025803.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025842.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025856.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025857.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025899.exe Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025900.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025901.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025912.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025913.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\change.log Object is locked skipped
    C:\v.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\amvo.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    C:\WINDOWS\system32\amvo0.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    C:\WINDOWS\system32\amvo1.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\yo2mq6.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025805.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025844.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025859.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025889.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025892.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025903.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025915.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\change.log Object is locked skipped
    D:\v.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\yo2mq6.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped

    Scan process completed.

  2. #2
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Hi

    These look like your infectors ...

    D:\v.cmd
    D:\yo2mq6.exe

    C:\v.cmd
    C:\yo2mq6.exe

    Which created these ..

    C:\WINDOWS\system32\amvo.exe
    C:\WINDOWS\system32\amvo0.dll
    C:\WINDOWS\system32\amvo1.dll

    Is D:\ your USB ?

    Don't delete any yet, you probably won't be able to anyway ... run this first :-

    Please follow these directions to run Combofix & post a log.

    http://www.bleepingcomputer.com/comb...o-use-combofix

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
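
The triage done by eye in post #2 can be reproduced over the Kaspersky report, as an added example (not code from the thread or from Kaspersky). The bucket names and the `triage` and `repeated_root_files` helpers are assumptions made for illustration; the sample lines are copied from the report in post #1.

```python
import re
from collections import defaultdict

# Excerpt of the Kaspersky Online Scanner report in post #1 (lines copied from the thread).
REPORT = r"""
C:\Documents and Settings\zivko\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\zivko\Desktop\programista\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025913.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\v.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\WINDOWS\system32\amvo.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\WINDOWS\system32\amvo0.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\WINDOWS\system32\amvo1.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\yo2mq6.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
D:\v.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\yo2mq6.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
"""

# "<path> Infected: <detection name> <last action>"; paths may contain spaces.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# A file sitting directly in the root of a drive, e.g. C:\v.cmd
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\/]+$")


def classify(path, name):
    """Assign one detection to a triage bucket (bucket names are illustrative)."""
    if name.startswith("not-a-virus:"):
        return "riskware"          # tools/adware the scanner reports, not the trojan
    low = path.lower()
    if "\\system volume information\\_restore{" in low:
        return "restore-point"     # archived copy inside a System Restore point
    if "\\temporary internet files\\" in low:
        return "browser-cache"
    if DRIVE_ROOT.match(path):
        return "drive-root"        # candidate dropper copied to the drive root
    return "installed"             # file living inside the OS or a program folder


def triage(report):
    """Group 'Infected:' lines by bucket; locked-object and NSIS summary lines are skipped."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        m = INFECTED.match(line.strip())
        if m:
            buckets[classify(m["path"], m["name"])].append((m["path"], m["name"]))
    return dict(buckets)


def repeated_root_files(buckets):
    """File names detected in the root of more than one drive."""
    drives = defaultdict(set)
    for path, _ in buckets.get("drive-root", []):
        drives[path[3:].lower()].add(path[:2].upper())
    return {name: sorted(d) for name, d in drives.items() if len(d) > 1}


if __name__ == "__main__":
    found = triage(REPORT)
    for bucket, items in sorted(found.items()):
        print(bucket, len(items))
    print(repeated_root_files(found))
```
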

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    6

    Hello, thanks for your reply. My D:\ is not my USB
    I have 40 gb HD, 20gb on C:\ and 20gb on D:\
    Impatient guy as I am, I tried to remove it myself. The virus infected other friends who used their USB's on the computers in university. Because I'm not really good with registry, I was afraid to try something I found in a blog on my computer, therefore I tried to remove it on one computer in university.
    Tbh I'm 90% sure I removed it.
    Then I tried to remove it on my computer too and I think I succeeded as well.
    This is what I did (found on a blog)
    * First I have checked in task manager, I didn't find any suspicious processes.
    * Next I opened MSConfig (Go to run, and type msconfig). I have found one process with the name amvo.exe under the startup tab. It is located in Windows\System32 folder.
    * I unchecked the process, and closed the msconfig window.
    * Next I open Registry Editor (go to run, and type regedit). I have searched for "amvo.exe" and found one entry. I have deleted the whole key.
    * Next I have tried to set the option to "show hidden files" (Go to Tools> View in windows explorer), as virus file is hidden. But it is not allowing me. As soon as I set it to show hidden files and clicked on ok, it is changing back to "Don't show hidden files".
    * Then I have used Bullet Proof FTP software to browse the local disk, because it shows all files even hidden files. (I have already installed FTP software in my system. You can get free trial version from the website.)
    * Then I have browsed to Windows\System32 folder, and deleted amvo.exe, amvo0.dll, amvo1.dll.
    * This virus put an Autorun.inf file, and .cmd file at every drive's root. I have removed all those.
    Sorry but I was impatient.. So now I didn't try combofix.
    I will post new hijack log and kaspersky

    Also I forgot to mention back then when I had the virus and when I scanned with AVG and it found this:
    c:\windows\system32\drivers\etc\hosts
    result/infection: changed
    what's that?

    Next question from me is: Can a virus be implemented in a video file although the video looks fine?
    In a picture?

    new Hijackthis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:11:36, on 16.03.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C194CC32-C591-4CD9-A181-48506D261CBE}: NameServer = 217.16.68.140,217.16.69.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C71C8812-68BC-4D70-A9CD-AD72F50C0D10}: NameServer = 217.16.69.1 217.16.69.3
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5704 bytes

    New kaspersky log in next post
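
The before/after comparison that the two HijackThis logs in this thread allow, as an added example (not code from any poster or from HijackThis). The function names are assumptions made for illustration; the O4 lines are copied from the logs in posts #1 and #3, and the indicator names are the three files listed in post #2.

```python
import re

# O4 (autorun) lines copied from the HijackThis log in post #1.
BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""

# O4 lines copied from the HijackThis log in post #3.
AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""

# File names reported under C:\WINDOWS\system32 in post #2.
INDICATORS = ["amvo.exe", "amvo0.dll", "amvo1.dll"]

# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def parse_run_entries(log):
    """Map (hive, value name) -> command line for every Run-key O4 line."""
    entries = {}
    for line in log.splitlines():
        m = RUN_ENTRY.match(line.strip())
        if m:
            entries[(m["hive"], m["name"])] = m["cmd"]
    return entries


def diff_autoruns(before, after):
    """Report Run entries that were removed, added, or re-pointed between two logs."""
    old, new = parse_run_entries(before), parse_run_entries(after)
    return {
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "changed": {
            k: (old[k], new[k])
            for k in old.keys() & new.keys()
            if old[k] != new[k]
        },
    }


def lines_mentioning(log, indicators):
    """Return every log line that still names one of the indicator files."""
    wanted = [i.lower() for i in indicators]
    return [
        line.strip()
        for line in log.splitlines()
        if any(w in line.lower() for w in wanted)
    ]


if __name__ == "__main__":
    for kind, items in diff_autoruns(BEFORE, AFTER).items():
        print(kind, sorted(items))
    print("still referenced:", lines_mentioning(AFTER, INDICATORS))
```

An empty "still referenced" list only covers what HijackThis lists; the Kaspersky report in post #1 also flagged copies in drive roots and System Restore points, which this comparison does not see.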

  4. #4
    Junior Member
    Join Date
    Mar 2008
    Posts
    6

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, March 16, 2008 12:11:01 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 16/03/2008
    Kaspersky Anti-Virus database records: 633068
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 72937
    Number of viruses found: 7
    Number of infected objects: 68
    Number of suspicious objects: 0
    Duration of the scan process: 01:36:52

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\zivko\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe/stream/data0249 Infected: not-a-virus:AdWare.Win32.Agent.zr skipped
    C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.zr skipped
    C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\zivko\Desktop\programista\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe NSIS: infected - 4 skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\History\History.IE5\MSHist012008031620080317\index.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Temp\f.dll Infected: Trojan-PSW.Win32.OnLineGames.ulc skipped
    C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\Content.IE5\K3OZYRR6\help[1].exe Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\Documents and Settings\zivko\ntuser.dat Object is locked skipped
    C:\Documents and Settings\zivko\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025801.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025803.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025842.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025856.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025857.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025899.exe Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025900.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025901.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025912.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025913.exe Object is locked skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025920.exe Object is locked skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025921.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025930.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025931.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025939.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025940.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025941.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025955.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025956.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025964.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP135\A0026082.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP135\A0026083.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026091.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026092.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026214.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026215.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026216.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026225.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026226.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026227.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026241.exe Object is locked skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026242.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026243.exe Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026244.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026250.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025805.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025844.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025859.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025889.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025892.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025903.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025915.exe Object is locked skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025932.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025933.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025942.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025943.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025957.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025958.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP135\A0026084.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP135\A0026085.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026093.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026094.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026217.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026218.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026228.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026229.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026239.exe Object is locked skipped
    D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026240.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped

    Scan process completed.

  5. #5
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    You dabbled ...

    Combofix would have removed all the Autorun.inf files & the files in system32 ...

    Next I open Registry Editor (go to run, and type regedit). I have searched for "amvo.exe" and found one entry. I have deleted the whole key.
    So what did you remove from the registry? The Run key? ... Your flash drive will have the infection on it still; this mapped drive will be listed in the MountPoints2 key in the registry, which runs the infected files etc.

    I still want you to run Combofix & make sure the flash drive is inserted when you do.

    The Combofix log will tell me a lot more than you have as to how much of the infection you still have...

    The Hosts file can be used legitimately to speed up access to sites; it can also be used by malware to redirect or block sites. If you had redirects then HijackThis would tell us; as it doesn't, possibly some sites have been blocked.

    Open the file in notepad and post the contents here ...

    Next question from me is: Can a virus be implemented in a video file although the video looks fine?
    In a picture?
    A virus/malware can add extra code to any file ... video, picture, song, music, anything, so that when you run/view the file, the virus/malware is executed as well.

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E

  6. #6
    Junior Member
    Join Date
    Mar 2008
    Posts
    6

    I'm pretty sure I removed all autorun.inf files and all the files in system32 that were infected.
    Oh and sorry, I forgot to mention that I cleaned the USB too;
    it had autorun.inf and 1 more, I think it was v.cmd or something.

    Anyhow, I'm afraid to use the combofix because I think I will mess up something... and I need the computer for the following week because I have exams.
    Can we delay this to Friday? I will run combofix on Friday and post results here.

    About the hosts file
    here it is
    [edit] lol sorry can't do that
    "(228210 characters)"
    It has this

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    # Start of entries inserted by Spybot - Search & Destroy

    And many others...

    # This list is Copyright 2000-2008 Safer Networking Limited
    # End of entries inserted by Spybot - Search & Destroy
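
The redirect-versus-block distinction steamwiz describes, applied to a hosts file laid out like the one posted above: Spybot's loopback entries between its two marker comments are only counted, and everything else is reported. This is an added example, not part of the thread; the `WATCHED_SUFFIXES` list and the `SAMPLE` file are assumptions constructed for illustration.

```python
"""Triage a Windows hosts file: count Spybot's immunization entries and
report the lines that redirect or block sites. Added example, not from the thread."""
import ipaddress
from collections import namedtuple

# Marker comments exactly as they appear in the hosts file posted in the thread.
SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"

# Assumption: illustrative watchlist of security-vendor and update domains.
WATCHED_SUFFIXES = ("kaspersky.com", "grisoft.com", "safer-networking.org",
                    "windowsupdate.com", "microsoft.com")

Finding = namedtuple("Finding", "line_no kind ip host")


def _is_sink(ip):
    """True for addresses that make a name unreachable (loopback or 0.0.0.0)."""
    return ip.is_loopback or ip.is_unspecified


def _watched(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (findings, spybot_count).

    spybot_count is the number of sink entries inside the Spybot marker block.
    findings lists everything else except the baseline localhost mapping.
    A watched domain pointed at a sink is reported even inside the marker
    block, so an entry hidden among the immunization lines is not skipped.
    """
    findings, spybot_count, in_spybot = [], 0, False
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped == SPYBOT_START:
            in_spybot = True
            continue
        if stripped == SPYBOT_END:
            in_spybot = False
            continue
        fields = stripped.split("#", 1)[0].split()  # drop trailing comment
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(Finding(line_no, "malformed", fields[0],
                                    " ".join(fields[1:])))
            continue
        # One line may map several names to the same address.
        for host in (h.lower().rstrip(".") for h in fields[1:]):
            if host == "localhost" and ip.is_loopback:
                continue
            if not _is_sink(ip):
                findings.append(Finding(line_no, "redirect", str(ip), host))
            elif _watched(host):
                findings.append(Finding(line_no, "security-site-blocked",
                                        str(ip), host))
            elif in_spybot:
                spybot_count += 1
            else:
                findings.append(Finding(line_no, "blocked", str(ip), host))
    return findings, spybot_count


# Constructed sample (not the poster's file): reserved example names plus
# two watched domains to exercise each finding kind.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 adserver.example
127.0.0.1 www.adserver.example
127.0.0.1 www.kaspersky.com
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.grisoft.com   # not from Spybot
0.0.0.0 downloads.example.net
203.0.113.7 bank.example www.bank.example
not-an-ip something.example
"""

if __name__ == "__main__":
    results, counted = audit_hosts(SAMPLE)
    print(f"{counted} Spybot immunization entries (not listed)")
    for f in results:
        print(f"line {f.line_no}: {f.kind:22} {f.ip:15} {f.host}")
```

Run against a saved copy of the real file, this reduces a 228210-character hosts file to the few lines that need a human look.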
