Please Help! Virtumonde, MalwareAlarm (SecCenter), etc.
My computer is infected with Virtumonde, MalwareAlarm (SecCenter) and some other stuff as well (my computer has slowed down to an absolute crawl). I can't run a Kaspersky scan because IE keeps shutting down on me. I started to run the scan last night hoping that it would be done when I woke up in the morning, but there was an IE error. I ran several S&D scans in safe mode and I got rid of everything except Virtumonde, which I can't seem to get rid of no matter how many times I scan with S&D (it always says it was fixed, but it continues to show up in my scans). Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:58 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\WINDOWS\system32\hkcmd .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\WINDOWS\system32\igfxtray .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
C:\WINDOWS\system32\hphmon04 .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide .exe
C:\WINDOWS\SM1BG .EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrospect.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tsc.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PccUpdUI.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pcclient.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\BitTorrent_DNA\dna .exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [zotcridi] rundll32.exe "C:\Program Files\fubszkho\vczmferq.dll",Init
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1F8E.tmp .exe
O4 - HKLM\..\Run: [lotqzorg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lotqzorg.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [xwpcpefy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xwpcpefy.dll"
O4 - HKLM\..\Run: [vilsrcfe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vilsrcfe.dll"
O4 - HKLM\..\Run: [xorevota] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xorevota.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
--
End of file - 11755 bytes
Hi psywzrd and welcome to Safer Networking Forums :)
Rename HijackThis.exe to psywzrd.exe and post back a fresh HijackThis log, please.
I know I wasn't supposed to do this but I posted a thread on another site as well (I really need to get this computer cleaned up and I had no idea when someone was going to reply to my message here). Anyway, I ran Vundofix.exe, Combofix.exe and produced another HijackThis log. Should I post it here or should I just continue on the other site?
Hi
If you are getting help from another forum, this thread will be closed.
Posting to multiple forums is a waste of helpers' time.
I understand. Thank you anyway.
Would it be ok if I continue with getting help here? The other site I posted to doesn't seem to be quite as active as this one and I would really like to get my computer fixed. If that's ok, please let me know and I will post my most recent HJT log from last night. Thank you.
Hi
You will have to choose; if you decide to continue here, then you should let the other site know that the topic there can be closed, and vice versa.
So let me know your decision :)
Thank you. I'll continue here if that's ok. Here is my latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:04 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress .exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\BitTorrent_DNA\dna .exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
--
End of file - 10939 bytes
Hi
Rename HijackThis.exe to psywzrd.exe and post back a fresh HijackThis log, Vundofix log and combofix report (C:\ComboFix.txt), please.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:17 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc .exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\SM1BG .EXE
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide .exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\BitTorrent_DNA\dna.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7596D03A-A6D5-4788-AC7A-063D66D7A28B} - C:\WINDOWS\system32\rqrpp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna .exe"
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
--
End of file - 11315 bytes
VundoFix V6.7.7
Checking Java version...
Scan started at 9:01:08 PM 12/22/2007
Listing files found while scanning....
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\winsfg32.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\dla\tfswctrl.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\hphmon04.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\winsfg32.dll
C:\WINDOWS\system32\winsfg32.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Scan started at 10:24:56 PM 12/23/2007
Listing files found while scanning....
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.exe Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Scan started at 11:35:18 AM 12/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.exe Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.dll Has been deleted!
Performing Repairs to the registry.
Done!
ComboFix 07-12-21.4 - **** 2007-12-26 10:50:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -5:00]
Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.
2007-12-26 11:14 . 2007-12-26 11:14 388,608 --a------ C:\WINDOWS\system32\cmd .exe
2007-12-24 20:56 . 2007-12-26 11:13 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
2007-12-24 20:34 . 2007-12-26 11:06 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
2007-12-23 12:53 . 2007-12-23 12:53 <DIR> d-------- C:\WINDOWS\ppqvmpqr
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-20 18:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-19 20:48 . 2007-12-19 20:48 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-19 19:45 . 2007-12-22 23:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-19 19:43 . 2007-12-24 20:45 94,208 --a------ C:\WINDOWS\MXOALDR .EXE
2007-12-19 19:42 . 2007-12-24 20:44 94,208 --a------ C:\WINDOWS\SM1BG .EXE
2007-12-19 19:41 . 2007-12-22 14:00 339,968 --a------ C:\WINDOWS\system32\hphmon04 .exe
2007-12-19 19:39 . 2007-12-22 13:58 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-19 19:39 . 2007-12-22 13:57 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-17 20:10 . 2007-12-17 21:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-17 20:10 . 2007-12-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-26 02:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 16:13 430,592 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-26 16:13 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-26 16:13 --------- d-----w C:\Program Files\QuickTime
2007-12-26 16:12 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-26 16:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-26 16:12 --------- d-----w C:\Program Files\ltmoh
2007-12-26 16:12 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-20 23:41 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE8297E5-2CA0-46EF-BD44-6EFDDA4A96E2}]
2007-12-26 11:06 331776 --------- C:\WINDOWS\system32\rqrpp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:12]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
"SpriteService"="" []
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-26 11:25]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 11:12]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 11:12]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-26 11:12]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 11:12]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 11:12]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-26 11:12]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-26 11:12]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-26 11:12]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-26 11:13]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-26 11:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-26 11:13]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-26 11:13]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-26 11:13]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-26 11:13]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-26 11:13]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" []
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-26 11:13]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-26 11:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]
C:\Documents and Settings\..............................................................................................................................................................................................................................................\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2006-01-27 05:12 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
2005-10-04 18:09 57344 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
2005-10-04 18:10 155757 --a------ C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 11:17:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\pprqr.ini 493 bytes
C:\WINDOWS\system32\pprqr.ini2 493 bytes
scan completed successfully
hidden files: 2
**************************************************************************
.
Completion time: 2007-12-26 11:33:33 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-24 20:42
C:\ComboFix3.txt ... 2007-12-24 01:34
.
2007-12-21 14:19:06 --- E O F ---
Hi
You seem to have file-infecting Vundo.
I have to ask first: do you have CDs/DVDs for these programs?
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:12]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna .exe" [2007-12-26 11:25]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 11:12]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 11:12]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-12-26 11:12]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 11:12]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 11:12]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-26 11:12]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-26 11:12]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2007-12-26 11:12]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe" [2007-12-26 11:13]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-26 11:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-12-26 11:13]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-26 11:13]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-26 11:13]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-26 11:13]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-26 11:13]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2007-12-26 11:13]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2007-12-26 11:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:21]
They are all infected and need to be replaced with fresh copies.
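The three traits the helper is reading off the logs above can be checked mechanically. The Run values listed are the ones that point at a copy named with a space before the extension (`wcescomm .exe`, `Smax4 .exe`, `qttask .exe`) instead of the real file; the ComboFix output also shows a DLL and a hidden .ini whose base names are each other spelled backwards (`rqrpp.dll` / `pprqr.ini`), plus two autostart hooks that are empty on a clean XP install, the HKCU winlogon `load` value and an extra LSA authentication package. The script below is an added example, not code from the thread or from any of the tools named in it; its regexes are my own, and its sample input is a constructed excerpt of a dozen lines from the logs posted above so that it runs offline.

```python
import re

# Constructed sample input: a dozen lines excerpted from the HijackThis and
# ComboFix logs posted above, embedded here so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
2007-12-26 11:14 . 2007-12-26 11:14 388,608 --a------ C:\WINDOWS\system32\cmd .exe
2007-12-24 20:56 . 2007-12-26 11:13 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
2007-12-24 20:34 . 2007-12-26 11:06 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
2007-12-19 19:43 . 2007-12-24 20:45 94,208 --a------ C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\system32\pprqr.ini 493 bytes
C:\WINDOWS\system32\pprqr.ini2 493 bytes
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-26 11:21]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [2007-12-26 11:19]
"load"=C:\WINDOWS\system32\rqrpp.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp
"""

# A path whose file name has a single space before .exe/.dll ("cmd .exe").
SPACED_EXT = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*? \.(?:exe|dll)\b', re.IGNORECASE)
# Any NAME.ext under system32, used to pair a hidden .ini with a reversed-name DLL/EXE.
SYS32_FILE = re.compile(r'\\system32\\([A-Za-z0-9_]+)\.(ini2?|dll|exe)\b', re.IGNORECASE)
# Autostart locations printed by ComboFix/HijackThis that are empty on a clean XP box.
LOAD_VALUE = re.compile(r'^"load"=(.+)$', re.MULTILINE)
AUTH_PKGS = re.compile(r'^Authentication Packages\s+REG_MULTI_SZ\s+(.+)$', re.MULTILINE)
POLICY_RUN = re.compile(r'^O4 - HKLM\\\.\.\\Policies\\Explorer\\Run: (.+)$', re.MULTILINE)


def find_spaced_extension_files(log_text):
    """Return (suspect path, name the legitimate file would have) pairs.

    The helper's list above is exactly the Run values that point at a
    "name .exe" copy instead of "name.exe"; the second element is the name
    to look for on the install media when replacing the file."""
    hits = []
    for m in SPACED_EXT.finditer(log_text):
        suspect = m.group(0)
        name, ext = suspect.rsplit(" .", 1)
        hits.append((suspect, f"{name}.{ext}"))
    return hits


def find_reversed_name_pairs(log_text):
    """Return (ini base name, code base name) pairs where one name is the
    other spelled backwards, e.g. pprqr.ini / rqrpp.dll in the log above."""
    names = {}
    for m in SYS32_FILE.finditer(log_text):
        names.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    pairs = []
    for base, exts in sorted(names.items()):
        twin = base[::-1]
        if exts & {"ini", "ini2"} and twin in names and names[twin] & {"dll", "exe"}:
            pairs.append((base, twin))
    return pairs


def find_suspect_load_points(log_text):
    """Return (location, value) findings for autostart hooks that should be
    empty: the HKCU winlogon "load" value, any LSA authentication package
    besides msv1_0 (an extra one is loaded into lsass.exe at boot), and a
    Policies/Explorer/Run entry, which HijackThis reports as an O4 line."""
    findings = []
    for m in LOAD_VALUE.finditer(log_text):
        findings.append(("winlogon load", m.group(1).strip()))
    for m in AUTH_PKGS.finditer(log_text):
        for pkg in m.group(1).split():
            if pkg.lower() != "msv1_0":
                findings.append(("lsa authentication package", pkg))
    for m in POLICY_RUN.finditer(log_text):
        findings.append(("policies explorer run", m.group(1).strip()))
    return findings


def triage(log_text):
    """Run all three checks over one log and return the results together."""
    return {
        "spaced_extension_files": find_spaced_extension_files(log_text),
        "reversed_name_pairs": find_reversed_name_pairs(log_text),
        "suspect_load_points": find_suspect_load_points(log_text),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", " -> ".join(item))
```

Feed it a whole HijackThis or ComboFix log instead of the sample and the first list is the set of Run values to fix and files to replace, the second names the DLL to target when the .ini keeps reappearing after each VundoFix pass, and the third is the set of registry hooks that will re-launch the DLL even after the Run entries are gone.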
I'm not even sure what some of those things are. A bunch of them look like programs that came pre-installed with my computer and some of them are programs that I installed myself.
The Scansoft entries are for my scanner so I definitely have the discs.
Retrospect is for my external USB drive that I use to back up my computer so I definitely have that.
I'm not sure what PCGUIDE is but it appears to be related to my Trend Micro PC-Cillin so I can definitely reinstall that.
What can I do if I don't have discs for some of these or if I have no clue what they are?
Hi
Well, if you don't have them, then you may not be able to use those programs anymore, unfortunately.
We need to do some scans next:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Please click this link-->Jotti (http://virusscan.jotti.org/)
When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
C:\WINDOWS\system32\ndaTqsVqrX.dll
Repeat step for this:
C:\WINDOWS\system32\ctfmon .exe (note space before .exe)
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Does my Trend Micro anti-virus software need to be disabled before I run either of those programs?
I couldn't even find C:\WINDOWS\system32\ndaTqsVqrX.dll (I'm 100% sure I'm showing all hidden files including protected operating system files). I even went in through Explorer to look for it and it's definitely not there.
For C:\WINDOWS\system32\ctfmon .exe, all of the results on Jotti said "Found nothing". At the top of the window though it says Bit9 reports: High Threat Detected.
On VirusTotal, FileAdvisor reported "High threat detected". The rest on there just have a "-" under result and the total result says 1/32 (3.13%).
Hi
Thanks for info.
This is the next step:
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Anapod CopyGear (remove only)
Anapod Explorer (remove only)
ArcSoft Software Suite
BT8010 Control Center version 1.3
CD/DVD Drive Acoustic Silencer
CodeWallet Pro 2006 for Windows Mobile
Cypress USB Mass Storage Driver Installation
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD-RAM Driver
eMule
English skin
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB926239)
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
iGuidance
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Maxtor OneTouch
mCore
MediaJoin
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mIWA
mIWCA
mLogView
mMHouse
mPfMgr
mPfWiz
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
mXML
mZConfig
Notebook Maximizer
OfotoNow
OneTouch 4.0
PdaNet for Windows Mobile 1.80
PeerGuardian 2.0
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Picsel File Viewer
Quicken 2005
QuickTime
RealPlayer Basic
Retrospect Express HD 1.1
Roxio Burn Engine
Roxio Easy Media Creator 7
ScanSoft OmniPage Pro 14.0
ScanSoft PaperPort 11
SD Secure Module
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB944653)
SlingPlayer
Sonic DLA
Sonic RecordNow!
SoundMAX
Sprite Backup
Spybot - Search & Destroy
Synaptics Pointing Device Driver
SyncBack
TCPMP
Texas Instruments PCIxx21/x515 drivers.
Time Zone Data Update Tool for Microsoft Office Outlook
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
USB Storage Adapter FX (MXO)
USB Storage Adapter FX (SM1)
Videora iPod Converter 0.91
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
XviD 1.1 final uninstall
Hi
Uninstall these:
Intel(R) PROSet/Wireless Software
Maxtor OneTouch
Microsoft ActiveSync
Notebook Maximizer
QuickTime
Retrospect Express HD 1.1
ScanSoft OmniPage Pro 14.0
ScanSoft PaperPort 11
SoundMAX
Trend Micro PC-cillin Internet Security 2007
Viewpoint Media Player
After that, enable Windows' own firewall.
Open notepad and copy/paste the text in the quotebox below into it:
Rootkit::
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
File::
C:\WINDOWS\system32\cmd .exe
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\hphmon04 .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\hkcmd .exe
Folder::
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\system32\njprckha
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"=-
"H/PC Connection Agent"=-
"BitTorrent DNA"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="-
"SynTPEnh"="-
"THotkey"=-
"LtMoh"=-
"SmoothView"=-
"Tvs"=-
"SoundMAXPnP"=-
"SoundMAX"=-
"Pinger"="-
"Notebook Maximizer"=-
"pccguide.exe"=-
"IntelZeroConfig"=-
"IntelWireless"=-
"SSBkgdUpdate"=-
"PaperPort PTD"=-
"IndexSearch"=-
"MXOBG"=-
"RetroExpress"=-
"QuickTime Task"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE8297E5-2CA0-46EF-BD44-6EFDDA4A96E2}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Ok. Combofix took almost exactly 20 minutes from the time I started it to the time it rebooted and finally showed the report (because it took about 19 minutes total, I didn't stop any of the processes you mentioned even though several of them randomly popped up in the task manager).
ComboFix 07-12-21.4 - **** 2007-12-27 15:28:57.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222 [GMT -5:00]
Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\cmd .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\hphmon04 .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\MXOALDR .EXE
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\cmd .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\hphmon04 .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\njprckha\bg1.gif
C:\WINDOWS\system32\njprckha\bgtop.gif
C:\WINDOWS\system32\njprckha\bottom1.gif
C:\WINDOWS\system32\njprckha\essentials.gif
C:\WINDOWS\system32\njprckha\icon1.ico
C:\WINDOWS\system32\njprckha\install1.gif
C:\WINDOWS\system32\njprckha\left1.gif
C:\WINDOWS\system32\njprckha\li.gif
C:\WINDOWS\system32\njprckha\logo.gif
C:\WINDOWS\system32\njprckha\main.htm
C:\WINDOWS\system32\njprckha\mainframe.htm
C:\WINDOWS\system32\njprckha\reinstall1.gif
C:\WINDOWS\system32\njprckha\right1.gif
C:\WINDOWS\system32\njprckha\s1.htm
C:\WINDOWS\system32\njprckha\s2.htm
C:\WINDOWS\system32\njprckha\s3.htm
C:\WINDOWS\system32\njprckha\SMTop1.gif
C:\WINDOWS\system32\njprckha\SMTop2.gif
C:\WINDOWS\system32\njprckha\SMTop3.gif
C:\WINDOWS\system32\njprckha\SMTop4.gif
C:\WINDOWS\system32\njprckha\soft1_off.gif
C:\WINDOWS\system32\njprckha\soft1_off_ext.gif
C:\WINDOWS\system32\njprckha\soft1_on.gif
C:\WINDOWS\system32\njprckha\soft1_on_ext.gif
C:\WINDOWS\system32\njprckha\soft2_off.gif
C:\WINDOWS\system32\njprckha\soft2_off_ext.gif
C:\WINDOWS\system32\njprckha\soft2_on.gif
C:\WINDOWS\system32\njprckha\soft2_on_ext.gif
C:\WINDOWS\system32\njprckha\soft3_off.gif
C:\WINDOWS\system32\njprckha\soft3_off_ext.gif
C:\WINDOWS\system32\njprckha\soft3_on.gif
C:\WINDOWS\system32\njprckha\soft3_on_ext.gif
C:\WINDOWS\system32\njprckha\softbottom_off.gif
C:\WINDOWS\system32\njprckha\softbottom_on.gif
C:\WINDOWS\system32\njprckha\softleft_off.gif
C:\WINDOWS\system32\njprckha\softleft_on.gif
C:\WINDOWS\system32\njprckha\top1.gif
C:\WINDOWS\system32\njprckha\top2.gif
C:\WINDOWS\system32\njprckha\turnoff1.gif
C:\WINDOWS\system32\njprckha\turnon1.gif
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.
2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 12:29 . 2007-12-27 12:34 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 20:30 --------- d-----w C:\Program Files\QuickTime
2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-27 20:29 --------- d-----w C:\Program Files\ltmoh
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
2007-12-27 19:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
2007-12-27 19:14 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-27 17:34 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2007-12-27 20:42:41 352,256 ----a-w C:\WINDOWS\system32\ctfmon.exe
- 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045F79C1-1726-4671-92AC-68CABF8963F3}]
2007-12-27 15:42 331776 --a------ C:\WINDOWS\system32\rqrpp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"SpriteService"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-27 15:29]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-27 15:29]
"NDSTray.exe"="NDSTray.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-27 15:42]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-27 15:29]
C:\Documents and Settings\******\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 15:42:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP
C:\WINDOWS\system32\rqrpp.exe 335360 bytes executable
C:\WINDOWS\system32\ctfmon .exe 15360 bytes executable
C:\WINDOWS\system32\pprqr.ini 391 bytes
C:\WINDOWS\system32\pprqr.ini2 319 bytes
scan completed successfully
hidden files: 5
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\rqrpp.dll
.
Completion time: 2007-12-27 15:46:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-27 13:08
C:\ComboFix3.txt ... 2007-12-26 11:33
.
2007-12-21 14:19:06 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:22 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: (no name) - {045F79C1-1726-4671-92AC-68CABF8963F3} - C:\WINDOWS\system32\rqrpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 6562 bytes
Hi
Not 100% successful yet but a bit better.
Open HijackThis, click "Do a system scan only" and checkmark this:
O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
Close all windows including browser and press fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Rootkit::
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
File::
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\ndaTqsVqrX.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045F79C1-1726-4671-92AC-68CABF8963F3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=-
"SynTPEnh"=-
"PadTouch"=
"Pinger"=-
"SM1BG"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
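Both CFScript posts above go after the same indicators: copies of system programs named with a space before the extension (ctfmon .exe sitting beside the real ctfmon.exe), a win.ini load= value pointing at a file in system32, and an extra LSA Authentication Package next to msv1_0. The following triage script is an added example, not code from this thread, from HijackThis or from ComboFix; it scans HijackThis/ComboFix-style log text for those indicators, and its sample input is a constructed set of lines excerpted from the logs posted above.

```python
"""Triage checks over HijackThis / ComboFix style log lines (added example).

Flags the indicators seen in this thread's logs:
  * file names with whitespace before the extension ("ctfmon .exe"),
    which hide beside the genuine file of the same name;
  * a non-empty win.ini "load=" value, which runs a program at logon;
  * LSA "Authentication Packages" entries other than msv1_0;
  * autostarts under Policies\\Explorer\\Run, rarely used by ordinary software.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

EXT = r"\.(?:exe|dll|com|scr|sys|ini2?)"
# "name .exe": one or more spaces between the base name and the extension.
SPACED_EXT = re.compile(r"([\w$~-]+)(\s+)(" + EXT + r")\b", re.IGNORECASE)
# "name.exe": properly formed names, collected to look for a legitimate twin.
PLAIN_NAME = re.compile(r"([\w$~-]+" + EXT + r")\b", re.IGNORECASE)
# Matches both 'load=C:\...' (HJT F3 line) and '"load"=C:\...' (ComboFix form).
LOAD_VALUE = re.compile(r'\bload"?\s*=\s*(\S+)', re.IGNORECASE)
AUTH_PKGS = re.compile(r"Authentication Packages\s+REG_MULTI_SZ\s+(.+)", re.IGNORECASE)
POLICIES_RUN = re.compile(r"Policies\\Explorer\\Run", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str       # which check fired
    line_no: int    # 1-based line number in the log text
    value: str      # the suspicious name or value
    note: str = ""  # extra context for the analyst


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per suspicious item, in log order."""
    lines = text.splitlines()
    # Pass 1: every properly formed file name, lower-cased, for twin lookup.
    plain = {m.group(1).lower() for line in lines for m in PLAIN_NAME.finditer(line)}
    findings: list[Finding] = []
    for no, line in enumerate(lines, start=1):
        for m in SPACED_EXT.finditer(line):
            twin = (m.group(1) + m.group(3)).lower()
            note = (f"twin {twin!r} also present in log" if twin in plain
                    else "no same-named legitimate file seen in log")
            findings.append(Finding("spaced-extension", no, m.group(0), note))
        m = LOAD_VALUE.search(line)
        # "-" is the CFScript deletion marker, not a real value.
        if m and m.group(1) not in ("-", '""'):
            findings.append(Finding("win.ini-load", no, m.group(1),
                                    "win.ini load= runs a program at logon"))
        m = AUTH_PKGS.search(line)
        if m:
            for extra in (t for t in m.group(1).split() if t.lower() != "msv1_0"):
                findings.append(Finding("auth-package-extra", no, extra,
                                        "loaded into lsass at boot; expect only msv1_0"))
        if POLICIES_RUN.search(line):
            findings.append(Finding("policies-run", no, line.strip(),
                                    "unusual autostart location; review the DLL it loads"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per check, e.g. {"spaced-extension": 3, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: lines excerpted from the ComboFix and HijackThis logs above.
SAMPLE_LOG = "\n".join([
    r"C:\WINDOWS\system32\ctfmon .exe",
    r"C:\WINDOWS\system32\hkcmd .exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    r"C:\Program Files\Synaptics\SynTP\SynTPLpr .exe",
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe",
    r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp",
    r'O4 - HKLM\..\Policies\Explorer\Run: [lB8v7JNIMp] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer',
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.kind:<20} {f.value}  ({f.note})")
    print(summarize(scan_log(SAMPLE_LOG)))
```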
CalamityJane
2007-12-28, 16:48
Looks like we are both working this same topic:
http://www.lavasoftsupport.com/index.php?showtopic=14873&
No wonder the logs are puzzling, because you are doing stuff here also.
CalamityJane
2007-12-28, 17:00
Ok, I read back on the past pages and it appears that this user wants to continue here so I am going to close the other active topic - there is a KAV scan log over there you might want to review Shaba.
Both of us working on this at once is non-productive so we'll let you continue here and I'll close the other one.
I apologize for that. I got completely confused and thought that the two sites were the same sites but under different names (I noticed similar user names on both sites too) - now I understand that they are two completely different sites. I had started a thread on another site and got no response whatsoever - that was the site I was referring to that was not active. I guess I got confused too because the tools being used were the same and I figured that wasn't unusual because they were coming from the same site.
Anyway, please feel free to close whichever topic should not be open so I can continue troubleshooting my computer. And again, I'm so sorry about this but I really didn't realize I was duplicating this on two completely unrelated sites (I'm posting this on the other site too just to make sure everyone sees it).
ComboFix 07-12-21.4 - **** 2007-12-28 10:34:24.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.159 [GMT -5:00]
Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ndaTqsVqrX.dll
C:\WINDOWS\system32\rqrpp.dll
.
Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\kselymrp.dll
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\prmylesk.ini
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\tferhkjy.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-28 10:51 . 2007-12-28 10:51 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
2007-12-27 22:44 . 2007-12-27 23:03 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:44 . 2007-12-27 23:03 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-27 22:42 . 2007-12-27 22:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-27 22:42 . 2007-12-28 10:54 354,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-27 22:42 . 2007-12-28 10:55 9,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-27 22:42 . 2007-12-28 10:49 5,588 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-27 22:42 . 2007-12-28 10:49 1,748 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-27 22:39 . 2007-12-27 22:39 <DIR> d-------- C:\KAV
2007-12-27 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-27 15:43 . 2007-12-27 23:35 94,208 --a------ C:\WINDOWS\SM1BG .EXE
2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-28 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 15:52 352,256 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-28 15:52 335,360 ----a-w C:\WINDOWS\system32\rqrpp.exe
2007-12-28 15:35 430,592 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-27 21:06 --------- d-----w C:\Program Files\Java
2007-12-27 20:30 --------- d-----w C:\Program Files\QuickTime
2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-27 20:29 --------- d-----w C:\Program Files\ltmoh
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
2007-12-27 19:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
2007-12-27 19:14 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-27 17:34 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-24 00:42:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 03:57:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-28 04:05:07 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
- 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2004-11-16 05:04:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-11-16 05:04:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2004-11-16 05:04:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31E239B4-B58F-44A6-8C14-9517015DCBE3}]
2007-12-28 10:51 331776 --------- C:\WINDOWS\system32\rqrpp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"SpriteService"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"NDSTray.exe"="NDSTray.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-28 10:52]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
C:\Documents and Settings\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 10:55:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-28 11:00:21 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-27 15:46
C:\ComboFix3.txt ... 2007-12-27 13:08
.
2007-12-21 14:19:06 --- E O F ---
CalamityJane
2007-12-28, 18:04
I closed the other topic and you can continue in this one here with Shaba. You can see that some of us help at many different forums. Posting at more than one without closing the others is not only a duplication of efforts but also can complicate the removal process - especially when you are following two sets of directions. Shaba has the link to the other site that he can review and see where you are now. He might need new logs from you if you followed the instruction to download and scan with KAV 7.0 personal trial. That will change the picture somewhat here. Let's let Shaba decide what to do next.
It would help him if you would let him know what steps you have taken at this point.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:14 AM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {31E239B4-B58F-44A6-8C14-9517015DCBE3} - C:\WINDOWS\system32\rqrpp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 6796 bytes
Hi
Thank you CalamityJane :)
psywzrd, please post log from KAV 7.0 scan next if you already scanned with it.
I did install the free 30-day trial of Kaspersky but I haven't run a scan with it yet because I'm not quite sure how to do it (I'm scared that it's going to delete files I need or something and I don't want to screw anything up). The only scan I did do was the online scan. If I need to do the scan with Kaspersky 7.0, please let me know how to proceed so I don't mess anything up.
Hi
If so, we try this first:
Open NOTEPAD and copy/paste the text in the quotebox below into it:
@echo off
Vfind.exe -ltf "%systemdrive%\* .exe" > Log.txt
Start notepad log.txt
Save this as check.bat. Choose "Save type as - All Files" and save it to a location where you can find it easily (eg. Desktop).
It should look like this: http://img.photobucket.com/albums/v666/sUBs/bat_icon.gif
Double click on check.bat & allow it to run.
It shall produce a log which you must attach (do not post the log) in your next reply.
Hi
Download and save RenV.exe from the following link to the Desktop:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
Doubleclick RenV.exe.
When finished, it shall produce a new log for you. Post that log in your next reply.
Ran on Fri 12/28/2007 - 12:19:30.40
----a-w 1,205,248 2007-12-27 19:49:38 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-27 19:34:12 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-27 17:49:33 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-27 16:13:07 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-26 18:50:12 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-26 16:12:50 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-25 01:35:17 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-24 06:04:17 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-24 05:02:31 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 22:55:17 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 19:01:29 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 17:40:56 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 04:54:11 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 03:56:39 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-22 18:56:30 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-22 04:09:59 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-21 05:35:27 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-20 03:50:40 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-20 02:02:02 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 860,160 2007-12-27 19:52:50 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,388,544 2007-12-27 19:37:14 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
----a-w 286,016 2007-12-27 16:19:45 C:\Program Files\BitTorrent_DNA\dna .exe
----a-w 155,648 2007-12-27 19:59:45 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
----a-w 155,648 2007-12-27 20:08:36 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBKGD~1 .EXE
----a-w 132,496 2007-12-28 15:51:51 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 184,320 2007-12-27 20:24:16 C:\Program Files\ltmoh\Ltmoh .exe
----a-w 823,296 2007-12-23 04:01:51 C:\Program Files\Maxtor\OneTouch\Utils\Onetouch .exe
----a-w 1,694,208 2007-12-27 19:11:47 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-27 17:49:24 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-27 16:12:53 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-26 18:49:37 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-26 16:12:32 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-25 01:34:49 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-24 06:03:14 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-24 05:01:45 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 22:54:57 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 19:01:09 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 17:40:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 04:53:49 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 03:56:05 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-22 18:55:58 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-22 04:09:31 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-21 05:34:58 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-20 03:50:13 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-20 02:01:38 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-20 01:04:58 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 28,672 2007-12-27 17:58:59 C:\Program Files\Notebook Maximizer\maximizer_startup .exe
----a-w 518,144 2007-12-27 20:30:03 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-27 20:23:01 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-27 19:35:29 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-27 17:50:42 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-27 16:14:19 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-26 18:52:53 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-26 16:13:54 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-25 01:36:32 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-24 06:07:12 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-24 05:04:35 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 22:56:54 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 19:03:28 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 17:42:22 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 04:55:36 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 03:59:08 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-22 18:58:47 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-22 04:11:31 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-21 05:36:59 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-20 03:52:52 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-20 02:03:24 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-20 01:06:45 C:\Program Files\QuickTime\qttask .exe
----a-w 18,583,552 2007-12-27 19:41:27 C:\Program Files\Retrospect\Retrospect Express HD 1.1\RetroExpress .exe
----a-w 40,960 2007-12-27 19:38:45 C:\Program Files\ScanSoft\PaperPort\IndexSearch .exe
----a-w 36,864 2007-12-27 20:09:09 C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
----a-w 688,218 2007-12-28 04:35:47 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 98,394 2007-12-28 04:35:39 C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
----a-w 65,536 2007-12-27 20:24:49 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
----a-w 368,640 2007-12-27 20:24:15 C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey .exe
----a-w 135,168 2007-12-27 20:24:21 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
----a-w 1,077,301 2007-12-20 00:41:31 C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
----a-w 73,728 2007-12-27 20:24:22 C:\Program Files\TOSHIBA\Tvs\TvsTray .exe
----a-w 3,112,960 2007-12-27 19:38:15 C:\Program Files\Trend Micro\Internet Security 2007\pccguide .exe
----a-w 151,552 2007-12-28 04:35:44 C:\TOSHIBA\IVP\ISM\pinger .exe
----a-w 94,208 2007-12-28 04:35:44 C:\WINDOWS\SM1BG .EXE
----a-w 122,939 2007-12-22 18:59:54 C:\WINDOWS\system32\dla\tfswctrl .exe
----a-w 188,416 2007-12-22 19:00:29 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
Entries: 83 (83)
Directories: 0 Files: 83
Bytes: 94,823,924 Blocks: 185,207
Hi
Open NOTEPAD and copy/paste the text in the quotebox below into it:
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\BitTorrent_DNA\dna .exe
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBKGD~1 .EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\Maxtor\OneTouch\Utils\Onetouch .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Notebook Maximizer\maximizer_startup .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Retrospect\Retrospect Express HD 1.1\RetroExpress .exe
C:\Program Files\ScanSoft\PaperPort\IndexSearch .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\Program Files\TOSHIBA\Tvs\TvsTray .exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide .exe
C:\TOSHIBA\IVP\ISM\pinger .exe
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
Save this as Log.txt to Desktop.
http://img.photobucket.com/albums/v666/sUBs/RenV.gif
Referring to the picture above, drag Log.txt onto RenV.exe
When finished, it shall produce a new log for you. Post that log in your next reply.
Re-run combofix.
Post:
- a fresh HijackThis log
- RenV log
- combofix report
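What check.bat does with Vfind.exe (list every "* .exe" under %systemdrive%, a name with a stray space before the extension) and what the RenV step then takes as input are shown below as an added example; this is not code from the thread, nor Vfind's or RenV's own code. It walks a directory tree, collects the spaced names, writes a Log.txt in the spirit of the Vfind listing (size, modification time, path), and derives the name each file would carry without the space, flagging when another file already exists under that name so nothing would be overwritten blindly. The restore rule (drop the whitespace before ".exe") is an assumption, since RenV's internal logic is not described in the thread, and the small directory tree it scans is constructed for the demonstration. The script only reports; it renames nothing.

```python
"""Added example (not the thread's, Vfind's or RenV's code): find executables
whose name has a stray space before the extension ("qttask .exe"), the pattern
check.bat searches for, and derive the name a rename step would restore.
The restore rule and the sample tree are assumptions made for this demo."""
import os
import re
import tempfile
from datetime import datetime
from typing import List, NamedTuple, Optional

# Stem ending in a non-space, one or more spaces, then ".exe" in any case.
SPACED_EXE = re.compile(r"^(?P<stem>.*\S)[ ]+(?P<ext>\.exe)$", re.IGNORECASE)


class Finding(NamedTuple):
    path: str        # file as it sits on disk, e.g. ".../qttask .exe"
    restored: str    # the same path without the stray space, e.g. ".../qttask.exe"
    collision: bool  # True when a file already exists under the restored name
    size: int        # size in bytes, as in the Vfind listing


def restored_name(filename: str) -> Optional[str]:
    """Return "name.exe" for "name .exe"; None when the name has no stray space."""
    m = SPACED_EXE.match(filename)
    return None if m is None else m.group("stem") + m.group("ext")


def find_spaced_exes(root: str) -> List[Finding]:
    """Walk root (the %systemdrive% of check.bat) and collect every "* .exe" file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            fixed = restored_name(name)
            if fixed is None:
                continue
            full = os.path.join(dirpath, name)
            target = os.path.join(dirpath, fixed)
            findings.append(Finding(full, target, os.path.exists(target),
                                    os.path.getsize(full)))
    return sorted(findings)  # sorted by path


def write_log(findings: List[Finding], log_path: str) -> int:
    """Write a Vfind-style listing (size, mtime, path); returns the entry count."""
    with open(log_path, "w", encoding="utf-8") as fh:
        for f in findings:
            mtime = datetime.fromtimestamp(os.path.getmtime(f.path))
            flag = " (name collision)" if f.collision else ""
            fh.write(f"{f.size:>12,} {mtime:%Y-%m-%d %H:%M:%S} {f.path}{flag}\n")
    return len(findings)


def build_sample_tree(base: str) -> None:
    """Constructed sample: two spaced names (one shadowed), two clean files."""
    spec = {
        os.path.join("Program Files", "QuickTime", "qttask .exe"): b"spaced copy",
        os.path.join("Program Files", "QuickTime", "qttask.exe"): b"file under restored name",
        os.path.join("WINDOWS", "system32", "ctfmon .exe"): b"spaced copy",
        os.path.join("WINDOWS", "system32", "notepad.exe"): b"clean, no space",
        os.path.join("Program Files", "Notes", "readme .txt"): b"spaced but not .exe",
    }
    for rel, content in spec.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and report what was found."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        findings = find_spaced_exes(base)
        count = write_log(findings, os.path.join(base, "Log.txt"))
        return {
            "count": count,
            "names": [os.path.basename(f.path) for f in findings],
            "collisions": [os.path.basename(f.path) for f in findings if f.collision],
        }


if __name__ == "__main__":
    print(run_demo())
```

The collision flag is the check a practitioner wants before any rename: when "qttask .exe" and "qttask.exe" sit side by side, as the logs in this thread show for ctfmon, restoring the spaced name would overwrite whatever currently holds the clean name, so that pair is left for a person to decide on.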
Ok - here are the requested logs. I keep getting all sorts of pop-ups from Kaspersky AV and I have no idea what to do with them so I just keep hitting "skip" or "allow". Please let me know if I should just disable Kaspersky for now since the infected computer is completely offline. Also, I keep getting tons of "RUNDLL" pop-ups (Error loading The Specified module could not be found.). I'm getting literally dozens of these and they won't stop (popping up every few seconds).
Ran on Fri 12/28/2007 - 12:38:01.06
----a-w 1,205,248 2007-12-27 19:49:38 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-27 19:34:12 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-27 17:49:33 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-27 16:13:07 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-26 18:50:12 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-26 16:12:50 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-25 01:35:17 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-24 06:04:17 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-24 05:02:31 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 22:55:17 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 19:01:29 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 17:40:56 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 04:54:11 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-23 03:56:39 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-22 18:56:30 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-22 04:09:59 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-21 05:35:27 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-20 03:50:40 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w 1,205,248 2007-12-20 02:02:02 C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
------w 132,496 2007-12-28 17:23:23 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,694,208 2007-12-27 19:11:47 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-27 17:49:24 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-27 16:12:53 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-26 18:49:37 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-26 16:12:32 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-25 01:34:49 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-24 06:03:14 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-24 05:01:45 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 22:54:57 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 19:01:09 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 17:40:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 04:53:49 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-23 03:56:05 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-22 18:55:58 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-22 04:09:31 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-21 05:34:58 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-20 03:50:13 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,694,208 2007-12-20 02:01:38 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 518,144 2007-12-27 20:30:03 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-27 20:23:01 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-27 19:35:29 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-27 17:50:42 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-27 16:14:19 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-26 18:52:53 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-26 16:13:54 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-25 01:36:32 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-24 06:07:12 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-24 05:04:35 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 22:56:54 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 19:03:28 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 17:42:22 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 04:55:36 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-23 03:59:08 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-22 18:58:47 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-22 04:11:31 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-21 05:36:59 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-20 03:52:52 C:\Program Files\QuickTime\qttask .exe
----a-w 518,144 2007-12-20 02:03:24 C:\Program Files\QuickTime\qttask .exe
------w 18,583,552 2007-12-27 19:41:27 C:\Program Files\Retrospect\Retrospect Express HD 1.1\RetroExpress .exe
----a-w 15,360 2007-12-28 17:23:24 C:\WINDOWS\system32\ctfmon .exe
Entries: 60 (60)
Directories: 0 Files: 60
Bytes: 82,489,744 Blocks: 161,113
ComboFix 07-12-21.4 - **** 2007-12-28 12:40:48.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.215 [GMT -5:00]
Running from: C:\Documents and Settings\**** \Desktop\ComboFix.exe
.
Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-28 12:54 . 2007-12-28 12:54 319 --ahs---- C:\WINDOWS\system32\pprqr.ini2
2007-12-28 12:54 . 2007-12-28 12:56 319 --ahs---- C:\WINDOWS\system32\pprqr.ini
2007-12-28 12:23 . 2007-12-28 12:23 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-28 12:22 . 2007-12-28 12:55 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
2007-12-27 22:44 . 2007-12-27 23:03 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:44 . 2007-12-27 23:03 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-27 22:42 . 2007-12-27 22:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-27 22:42 . 2007-12-28 12:56 430,112 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-27 22:42 . 2007-12-28 12:56 12,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-27 22:42 . 2007-12-28 12:51 6,740 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-27 22:42 . 2007-12-28 12:51 2,132 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-27 22:39 . 2007-12-27 22:39 <DIR> d-------- C:\KAV
2007-12-27 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-28 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 17:54 352,256 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-28 17:36 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-28 17:36 --------- d-----w C:\Program Files\ltmoh
2007-12-28 17:35 --------- d-----w C:\Program Files\QuickTime
2007-12-28 17:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-28 17:35 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-28 04:35 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-27 21:06 --------- d-----w C:\Program Files\Java
2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-24 00:42:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 03:57:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-22 18:59:54 122,939 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
+ 2007-12-28 17:53:48 122,939 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
+ 2007-12-28 17:54:53 484,864 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-28 04:05:07 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
- 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2004-11-16 05:04:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-11-16 05:04:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2004-11-16 05:04:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
- 2007-12-22 19:00:29 188,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
+ 2007-12-28 17:53:56 188,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
+ 2007-12-28 17:55:16 525,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"SpriteService"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"NDSTray.exe"="NDSTray.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-12-28 12:54]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2007-12-28 12:55]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2007-12-28 12:55]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-28 12:55]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
C:\Documents and Settings\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqrpp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 12:55:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\rqrpp.dll
.
Completion time: 2007-12-28 12:59:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-28 11:00
C:\ComboFix3.txt ... 2007-12-27 15:46
.
2007-12-21 14:19:06 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:46 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
C:\WINDOWS\system32\rundll32.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 6723 bytes
Hi
"Please let me know if I should just disable Kaspersky for now since the infected computer is completely offline"
Yes, that is fine.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Retrospect\Retrospect Express HD 1.1\RetroExpress .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.dll
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press ctrl, alt and del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.
Re-run RenV.
Post:
- a fresh HijackThis log
- RenV log
- combofix report
ComboFix 07-12-21.4 - **** 2007-12-28 13:29:57.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.207 [GMT -5:00]
Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Retrospect\Retrospect Express HD 1.1\RetroExpress .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Retrospect\Retrospect Express HD 1.1\RetroExpress .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-28 13:43 . 2007-12-28 13:43 331,776 --------- C:\WINDOWS\system32\rqrpp.dll
2007-12-28 13:43 . 2007-12-28 13:45 391 --ahs---- C:\WINDOWS\system32\pprqr.ini
2007-12-27 22:44 . 2007-12-27 23:03 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:44 . 2007-12-27 23:03 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-27 22:42 . 2007-12-27 22:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-27 22:42 . 2007-12-28 13:45 516,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-27 22:42 . 2007-12-28 13:45 17,696 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-27 22:42 . 2007-12-28 13:40 7,916 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-27 22:42 . 2007-12-28 13:40 2,660 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-27 22:39 . 2007-12-27 22:39 <DIR> d-------- C:\KAV
2007-12-27 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-28 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
continued from above
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 18:37 --------- d-----w C:\Program Files\QuickTime
2007-12-28 18:36 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-28 17:36 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-28 17:36 --------- d-----w C:\Program Files\ltmoh
2007-12-28 17:35 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-28 04:35 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-27 21:06 --------- d-----w C:\Program Files\Java
2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-24 00:42:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 03:57:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-22 18:59:54 122,939 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
+ 2007-12-28 18:43:26 122,939 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
+ 2007-12-28 18:30:29 484,864 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-28 04:05:07 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
- 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2004-11-16 05:04:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-11-16 05:04:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2004-11-16 05:04:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
- 2007-12-22 19:00:29 188,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
+ 2007-12-28 18:43:31 188,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
+ 2007-12-28 18:44:09 525,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE4F29A-F6DD-43A8-B7CC-B67F71896333}]
2007-12-28 13:43 331776 --------- C:\WINDOWS\system32\rqrpp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"SpriteService"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"NDSTray.exe"="NDSTray.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-12-28 13:30]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2007-12-28 13:43]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2007-12-28 13:44]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-28 13:44]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
C:\Documents and Settings\****\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 13:45:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\pprqr.ini2 391 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
-> C:\WINDOWS\system32\rqrpp.dll
.
Completion time: 2007-12-28 13:48:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-28 12:59
C:\ComboFix3.txt ... 2007-12-28 11:00
.
2007-12-21 14:19:06 --- E O F ---
Ran on Fri 12/28/2007 - 13:49:21.17
----a-w 1,077,301 2007-12-28 18:43:33 C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
----a-w 122,939 2007-12-28 18:43:26 C:\WINDOWS\system32\dla\tfswctrl .exe
----a-w 188,416 2007-12-28 18:43:31 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 1,388,656 Blocks: 2,714
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:37 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {ABE4F29A-F6DD-43A8-B7CC-B67F71896333} - C:\WINDOWS\system32\rqrpp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 6793 bytes
Hi
Open notepad and copy/paste the text in the quotebox below into it:
Rootkit::
C:\WINDOWS\system32\pprqr.ini2
File::
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\pprqr.ini
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"=-
"PadTouch"=-
"HPDJ Taskbar Utility"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE4F29A-F6DD-43A8-B7CC-B67F71896333}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes, then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
Re-run RenV.
Post:
- a fresh HijackThis log
- RenV log
- combofix report
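Two things in the CFScript above are worth being able to check by hand rather than on trust: the `Registry::` line that rewrites LSA's `Authentication Packages` as a `hex(7)` REG_MULTI_SZ (it must decode to exactly `msv1_0`, which is what the log shows being polluted with `C:\WINDOWS\system32\rqrpp`), and the `File::` list of "name .exe" twins that the space-in-filename trick leaves beside the legitimate `name.exe`, which is what RenV hunts for. The following Python is an added example and is not code from the thread, from ComboFix or from RenV; the log line and file list it parses are copied from this page as constructed sample input, and `EXPECTED_AUTH_PACKAGES` is an assumption that XP's only default LSA authentication package is `msv1_0`.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input, copied from the ComboFix "Reg Loading Points"
# section on this page and from the CFScript's Registry:: block.
LOGGED_AUTH_PACKAGES = (
    "Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqrpp"
)
CFSCRIPT_AUTH_PACKAGES = "hex(7):6d,73,76,31,5f,30,00,00"

# Assumption: on Windows XP the stock value is the single package msv1_0.
EXPECTED_AUTH_PACKAGES = ["msv1_0"]


def decode_multi_sz(hex7: str) -> List[str]:
    """Decode a 'hex(7):' REG_MULTI_SZ into its strings.

    Each string is NUL-terminated and the whole list ends with one more NUL.
    The CFScript on the page writes one byte per character, so that is what
    is decoded here (a regedit .reg export would carry UTF-16LE instead)."""
    payload = hex7.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return [p.decode("ascii") for p in raw.split(b"\x00") if p]


def encode_multi_sz(values: List[str]) -> str:
    """Inverse of decode_multi_sz, in the same one-byte-per-character form."""
    raw = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def logged_auth_packages(line: str) -> List[str]:
    """Parse ComboFix's 'Authentication Packages REG_MULTI_SZ a b ...' line.
    Packages are whitespace-separated; the injected path on this page has no
    spaces, which is all this simple split relies on."""
    m = re.match(r"Authentication Packages\s+REG_MULTI_SZ\s+(.*)$", line)
    if not m:
        raise ValueError("not an Authentication Packages line")
    return m.group(1).split()


def extra_auth_packages(line: str) -> List[str]:
    """Every package LSA loads that is not in the expected default set."""
    return [p for p in logged_auth_packages(line) if p not in EXPECTED_AUTH_PACKAGES]


# Constructed sample input: the File:: section of the CFScript above.
FILE_SECTION = [
    r"C:\WINDOWS\system32\dla\tfswctrl .exe",
    r"C:\WINDOWS\system32\dla\tfswctrl .exe",
    r"C:\WINDOWS\system32\dla\tfswctrl.exe",
    r"C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe",
    r"C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe",
    r"C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe",
    r"C:\WINDOWS\system32\rqrpp.dll",
]

# A file name with whitespace squeezed in before its executable extension.
PADDED_NAME = re.compile(r"^(?P<stem>.+?)\s+(?P<ext>\.(?:exe|dll|sys|scr|com))$", re.I)


def padded_executables(paths: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (padded_path, legitimate_twin) for each 'name .exe' style file.

    legitimate_twin is the same directory's 'name.exe' when that file is also
    present in the listing, else None (the padded file is still reported)."""
    names_by_dir: Dict[str, Set[str]] = {}
    for p in paths:
        d, _, name = p.rpartition("\\")
        names_by_dir.setdefault(d, set()).add(name)

    hits: List[Tuple[str, Optional[str]]] = []
    seen: Set[str] = set()
    for p in paths:
        if p in seen:
            continue
        seen.add(p)
        d, _, name = p.rpartition("\\")
        m = PADDED_NAME.match(name)
        if not m:
            continue
        twin = m.group("stem") + m.group("ext")
        hits.append((p, d + "\\" + twin if twin in names_by_dir[d] else None))
    return hits


if __name__ == "__main__":
    print("script restores packages:", decode_multi_sz(CFSCRIPT_AUTH_PACKAGES))
    print("unexpected packages in log:", extra_auth_packages(LOGGED_AUTH_PACKAGES))
    for padded, twin in padded_executables(FILE_SECTION):
        print(f"padded name: {padded!r}  legitimate twin: {twin!r}")
```

The round trip through `encode_multi_sz` is the useful part for a reader writing their own script line: it shows why the value ends in two `00` bytes (one terminating `msv1_0`, one terminating the list) and lets you confirm a hand-typed `hex(7)` string before handing it to ComboFix. A real-disk version of `padded_executables` would walk `os.listdir()` instead of a pasted list; the pairing logic stays the same.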
Does it matter what order I run these in? I was planning on running ComboFix first, then RenV, then HJT. Is that ok?
Hi
That order is just fine and the right one :)
ComboFix 07-12-21.4 - **** 2007-12-28 14:18:47.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -5:00]
Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05 .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-28 14:19 . 2007-12-28 14:19 335,360 --a------ C:\WINDOWS\system32\rqrpp.exe
2007-12-27 22:44 . 2007-12-27 23:03 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:44 . 2007-12-27 23:03 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-27 22:42 . 2007-12-27 22:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-27 22:42 . 2007-12-28 14:29 546,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-27 22:42 . 2007-12-28 14:27 20,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-27 22:42 . 2007-12-28 14:27 8,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-27 22:42 . 2007-12-28 14:27 2,924 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-27 22:39 . 2007-12-27 22:39 <DIR> d-------- C:\KAV
2007-12-27 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-28 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 18:37 --------- d-----w C:\Program Files\QuickTime
2007-12-28 18:36 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-28 17:36 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-28 17:36 --------- d-----w C:\Program Files\ltmoh
2007-12-28 17:35 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-28 04:35 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-27 21:06 --------- d-----w C:\Program Files\Java
2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-24 00:42:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 03:57:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-28 04:05:07 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
- 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2004-11-16 05:04:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-11-16 05:04:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2004-11-16 05:04:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD28BF7F-017F-4885-ABBC-406C3096AEEA}]
2007-12-28 14:30 331776 --a------ C:\WINDOWS\system32\rqrpp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"SpriteService"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"NDSTray.exe"="NDSTray.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-28 14:31]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
C:\Documents and Settings\****\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 14:30:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\pprqr.ini2 319 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2007-12-28 14:34:42 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-28 13:48
C:\ComboFix3.txt ... 2007-12-28 12:59
.
2007-12-21 14:19:06 --- E O F ---
Ran on Fri 12/28/2007 - 14:35:35.43
----a-w 132,496 2007-12-28 19:30:23 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 132,496 Blocks: 259
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:39 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
F3 - REG:win.ini: load=C:\WINDOWS\system32\rqrpp.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {BD28BF7F-017F-4885-ABBC-406C3096AEEA} - C:\WINDOWS\system32\rqrpp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 6519 bytes
Hi
Almost there.
Open notepad and copy/paste the text in the quotebox below into it:
Rootkit::
C:\WINDOWS\system32\pprqr.ini2
File::
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\rqrpp.dll
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD28BF7F-017F-4885-ABBC-406C3096AEEA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
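The Registry:: section of the CFScript above resets the LSA "Authentication Packages" value to its Windows XP default, written in REGEDIT4 form as hex(7):6d,73,76,31,5f,30,00,00 (a REG_MULTI_SZ). The script below is an added example, not part of the helper's instructions or of ComboFix: it decodes that hex(7) value, pulls the package list out of the "Reg Loading Points" line ComboFix printed earlier (Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp), and flags anything beyond the default msv1_0 package, which is the kind of check a responder would run to confirm the LSA persistence is gone after the fix. The baseline list and the sample log line are constructed for the example; the parser assumes package paths contain no spaces, which holds for the log on this page.

```python
import re

# Default content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
# on Windows XP: only the MSV1_0 package (assumed baseline for this example).
EXPECTED_AUTH_PACKAGES = ["msv1_0"]


def decode_reg_multi_sz(hex_value: str) -> list:
    """Decode a REGEDIT4 'hex(7):' REG_MULTI_SZ value into its list of strings.

    REGEDIT4 stores the bytes as comma-separated hex in the ANSI code page;
    each string is NUL-terminated and the list ends with one extra NUL.
    """
    payload = hex_value.split(":", 1)[1] if hex_value.startswith("hex(7):") else hex_value
    raw = bytes(int(b, 16) for b in re.split(r"[,\\\s]+", payload) if b)
    # Split on NUL; the terminating double NUL yields empty pieces that are dropped.
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_reg_multi_sz(strings) -> str:
    """Encode strings as a REGEDIT4 'hex(7):' value (inverse of decode_reg_multi_sz)."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_auth_packages(log_line: str) -> list:
    """Extract the package list from a ComboFix 'Reg Loading Points' line like
    'Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqrpp'.

    Assumes package paths contain no spaces (true for the log on this page).
    """
    marker = "REG_MULTI_SZ"
    if marker not in log_line:
        raise ValueError("not a REG_MULTI_SZ line: %r" % log_line)
    return log_line.split(marker, 1)[1].split()


def unexpected_packages(packages, expected=EXPECTED_AUTH_PACKAGES) -> list:
    """Return the packages that are not in the expected baseline (case-insensitive).

    Any extra entry here is a DLL that LSASS will load at boot, so a non-empty
    result is a persistence finding that needs explaining.
    """
    allowed = {p.lower() for p in expected}
    return [p for p in packages if p.lower() not in allowed]


if __name__ == "__main__":
    # Constructed sample: the line ComboFix printed before the fix on this page.
    before_fix = "Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqrpp"
    found = parse_combofix_auth_packages(before_fix)
    print("packages before fix:", found)
    print("unexpected:", unexpected_packages(found))

    # The value the CFScript writes back, decoded and re-encoded for comparison.
    script_value = "hex(7):6d,73,76,31,5f,30,00,00"
    restored = decode_reg_multi_sz(script_value)
    print("CFScript restores:", restored, "->", unexpected_packages(restored) or "clean")
    assert encode_reg_multi_sz(restored) == script_value
```

Running it prints the extra rqrpp entry as unexpected for the pre-fix line and "clean" for the value the CFScript writes, which is exactly what the second ComboFix log on this page (no Authentication Packages line in Reg Loading Points) reflects.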
ComboFix 07-12-21.4 - **** 2007-12-28 14:52:50.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -5:00]
Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-27 22:44 . 2007-12-27 23:03 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-27 22:44 . 2007-12-27 23:03 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-27 22:42 . 2007-12-27 22:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-27 22:42 . 2007-12-28 15:02 571,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-27 22:42 . 2007-12-28 15:00 22,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-27 22:42 . 2007-12-28 15:00 8,684 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-27 22:42 . 2007-12-28 15:00 3,140 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-27 22:39 . 2007-12-27 22:39 <DIR> d-------- C:\KAV
2007-12-27 16:06 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 16:04 . 2007-12-27 16:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 23:45 . 2007-12-28 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 18:37 --------- d-----w C:\Program Files\QuickTime
2007-12-28 18:36 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-28 17:36 --------- d-----w C:\Program Files\Notebook Maximizer
2007-12-28 17:36 --------- d-----w C:\Program Files\ltmoh
2007-12-28 17:35 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-12-28 04:35 94,208 ----a-w C:\WINDOWS\SM1BG.EXE
2007-12-27 21:06 --------- d-----w C:\Program Files\Java
2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-23 04:50 --------- d-----w C:\Documents and Settings****\Application Data\BitTorrent DNA
2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-24 00:42:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 03:57:21 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-24 00:42:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 03:57:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-28 21:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-28 04:05:07 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-04-04 19:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2007-06-28 17:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
- 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2004-11-16 05:04:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-11-16 05:04:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2004-11-16 05:04:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-06-28 17:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
"SpriteService"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"NDSTray.exe"="NDSTray.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
C:\Documents and Settings\Start Menu\Programs\Startup\
Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
\Shell\AutoRun\command - E:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
\Shell\AutoRun\command - setupSNK.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 15:03:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-28 15:06:18 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-28 14:34
C:\ComboFix3.txt ... 2007-12-28 13:48
.
2007-12-21 14:19:06 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:08 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 6226 bytes
Hi
That looks good :)
Re-scan with kaspersky online scan.
Post:
- a fresh HijackThis log
- kaspersky report
Kaspersky still seems to be finding a lot of problems - hopefully there's an easy way to clean those up without messing anything up. The Kaspersky log is way too long to post (almost 93000 characters). Should I just attach it? Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:39 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 6226 bytes
Hi
First you can try to edit out all lines with object locked skipped.
If not, please attach it.
Just to be clear, you want me to edit out lines that show that the object is both locked AND skipped?
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 29, 2007 1:05:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/12/2007
Kaspersky Anti-Virus database records: 499833
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Z:\
Scan Statistics:
Total number of scanned objects: 74437
Number of viruses found: 7
Number of infected objects: 570
Number of suspicious objects: 0
Duration of the scan process: 02:26:19
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\image5[1].gif.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP129.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP200B.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP206F.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\TMP20D2.tmp.bac_a01008 Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp .exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp .exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win1F8E.tmp.exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\win206F.tmp.exe.bac_a01008 Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\****\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\****\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\****\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\****\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2df40f00-36d53853.zip ZIP: infected - 3 skipped
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Messenger\msmsgs.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\Smax4 .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\dla\tfswctrl.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drvweg.dll.vir Infected: Trojan.Win32.Dialer.yz skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ljjkjgf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\OLD54.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\RCX8C.tmp.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rqrpp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rqrpp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip/rqrpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip/xxyyvuv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
C:\qoobox\Quarantine\catchme2007-12-24_203800.27.zip ZIP: infected - 2 skipped
C:\qoobox\Quarantine\catchme2007-12-27_154140.12.zip/rqrpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\qoobox\Quarantine\catchme2007-12-27_154140.12.zip ZIP: infected - 1 skipped
C:\qoobox\Quarantine\catchme2007-12-28_105142.96.zip/rqrpp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\qoobox\Quarantine\catchme2007-12-28_105142.96.zip ZIP: infected - 1 skipped
C:\qoobox\Quarantine\catchme2007-12-28_125335.66.zip/rqrpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\qoobox\Quarantine\catchme2007-12-28_125335.66.zip ZIP: infected - 1 skipped
C:\SDFix\backups_old1\backups.zip/backups/ctfmon.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\SDFix\backups_old1\backups.zip/backups/spoolsv.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups_old1\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100169.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100170.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100171.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100172.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100176.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100177.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100178.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100190.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100191.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100193.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100194.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100195.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100196.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100197.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100198.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100199.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100200.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100201.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100202.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100203.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100205.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100206.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100207.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100208.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100209.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100210.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100211.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100212.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100213.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100215.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100218.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100293.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100296.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100297.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100298.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100299.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100300.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100301.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100302.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100304.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100305.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100306.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100307.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100308.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100309.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100311.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100312.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100313.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100314.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100315.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100321.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100328.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100329.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100330.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100331.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100333.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100334.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100335.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100336.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100337.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100338.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100339.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100340.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100342.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100343.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100345.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100346.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100347.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100348.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100349.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100351.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100353.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100355.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100360.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1026\A0105211.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1026\A0105212.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1026\A0105213.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105216.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105218.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105219.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105220.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105221.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105222.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105223.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105224.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105225.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105226.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105227.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105228.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105229.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105230.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105231.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105232.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105233.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105234.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105235.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105236.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105237.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105239.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105240.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105241.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105242.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105243.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105244.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105245.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105246.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105247.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105248.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105249.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105250.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105251.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105252.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105253.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105254.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105255.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105256.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105257.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105258.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105259.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105260.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105261.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105262.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105263.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105264.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105265.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105266.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105267.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105268.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105269.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105270.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105271.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105272.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105273.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105274.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105275.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105276.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105292.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105293.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105294.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105296.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105301.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105302.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105303.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105304.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105305.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105306.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1029\A0105344.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1029\A0105345.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1029\A0105346.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105347.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105350.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105353.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105370.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105371.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105372.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105375.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105376.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105377.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105378.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1032\A0105419.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1032\A0105420.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105424.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105426.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105441.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105442.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\change.log Object is locked skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099983.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099985.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099986.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099988.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099989.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099990.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099991.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099992.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099993.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099994.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099996.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099997.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099998.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099999.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100002.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100003.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100004.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100005.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100006.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100007.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100009.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100010.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100011.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100012.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100013.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100015.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100016.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100032.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100033.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100035.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100036.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100038.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100039.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100040.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100041.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100042.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100043.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100044.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100045.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100046.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100047.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100049.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100050.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100051.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100052.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100053.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100054.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100055.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100056.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100062.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100127.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100128.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100131.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100132.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100133.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100134.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100135.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100136.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100137.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100141.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100142.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100143.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100145.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100146.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100147.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100148.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100161.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100162.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100163.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100164.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100165.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\VundoFix Backups\rqrpp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\VundoFix Backups\rqrpp.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\MXOALDR.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\ctfmon.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
Hi
I'll say first that the situation is not as bad as it looks.
The majority of baddies are either in System Restore (C:\System Volume Information) or in quarantines.
Uninstall via add/remove programs if present:
QuickTime
Java Runtime Environment 6 update 3
TOSHIBA Touch and Launch
Empty these folders:
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\
C:\Documents and Settings\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
C:\qoobox\Quarantine
C:\VundoFix Backups\
C:\SDFix\backups_old1\
Delete these:
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
Empty Recycle Bin
Re-scan with Kaspersky
Post:
- a fresh HijackThis log
- Kaspersky report
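The triage the helper did by eye above (most detections are copies inside System Restore points or inside other tools' quarantine folders; only the live-path ones need action) can be run over the report lines themselves. This is an added example, not code from the thread or from Kaspersky; the line format and the quarantine folder names are taken from the posts above, and any path matching none of those markers is treated as live.

```python
"""Triage of Kaspersky Online Scanner report lines.

Added example for this thread; it is not code from the forum posts or from
Kaspersky. It applies the helper's reasoning above: copies inside System
Restore points vanish when restore points are purged, copies inside other
tools' quarantine folders are already disarmed backups, and only detections
on live paths need to be removed by hand.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One report line, as in the scan output above:
#   "<path> Infected: <name> <last action>"  or  "<path> Object is locked <last action>"
# The path may contain spaces, so it is matched lazily up to the status keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|(?P<locked>Object is locked)) (?P<action>\w+)$"
)

# Folder markers taken from the helper's "Empty these folders" list in the thread.
# Paths are compared lower-cased; anything not matched is treated as a live path.
QUARANTINE_MARKERS = (
    "\\quarantine\\",        # ...\.housecall6.6\Quarantine\ and C:\qoobox\Quarantine
    "\\vundofix backups\\",  # C:\VundoFix Backups\
    "\\sdfix\\backups",      # C:\SDFix\backups_old1\
)
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Detection:
    path: str
    name: Optional[str]  # detection name, None for "Object is locked" lines
    action: str          # scanner's last action, e.g. "skipped"
    location: str        # "restore", "quarantine", "locked" or "live"


def classify(path: str, locked: bool) -> str:
    """Bucket a path the way the helper did when reading the report."""
    if locked:
        return "locked"  # in-use system files, not detections
    low = path.lower()
    if RESTORE_MARKER in low:
        return "restore"
    if any(marker in low for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"


def parse_report(text: str) -> List[Detection]:
    """Parse report lines; header, statistics and separator lines are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if m is None:
            continue
        locked = m.group("locked") is not None
        found.append(Detection(m.group("path"), m.group("name"), m.group("action"),
                               classify(m.group("path"), locked)))
    return found


def triage(detections: List[Detection]) -> Dict[str, object]:
    """Count detections per location and per family, and list the live ones."""
    return {
        "by_location": dict(Counter(d.location for d in detections)),
        "families": dict(Counter(d.name for d in detections if d.name)),
        "live": [d for d in detections if d.location == "live"],
    }


# A handful of lines copied from the reports in this thread (constructed subset).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1023\A0105120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100015.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\change.log Object is locked skipped
C:\VundoFix Backups\rqrpp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\VundoFix Backups\rqrpp.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\MXOALDR.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\ctfmon.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
"""

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("by location:", result["by_location"])
    print("families:   ", result["families"])
    print("needs manual removal:")
    for det in result["live"]:
        print("  ", det.path, "->", det.name)
```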
If I uninstall TOSHIBA Touch and Launch, won't it disable my Touchpad?
Hi
Yes, it will, at least partially. But PadExe.exe is infected and needs to be deleted.
You can re-install that software after you're clean.
A clean version is here (http://www.laptopvideo2go.com/forum/index.php?showtopic=6786)
Can I just uninstall it and then immediately reinstall it? Otherwise, how am I supposed to effectively navigate around to do everything?
It's actually ok - it didn't uninstall my Touchpad completely, so it's still working. I'm having some problems emptying the C:\qoobox\Quarantine folder though. When I try to delete the last couple of folders, files, etc., Kaspersky keeps popping up and it doesn't seem to matter if I click Delete or Skip - those files and folders won't delete.
Hi
If so, please boot into safe mode and empty that folder there :)
I actually just disabled Kaspersky and that seemed to work ok. I just need to finish up with the other stuff. I guess I won't hear from you until tomorrow now though since Kaspersky online scan takes a couple of hours.
Hi
Great :)
Remember to re-enable it now.
I'll be waiting for the logs, if not today, then tomorrow :)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 29, 2007 6:08:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/12/2007
Kaspersky Anti-Virus database records: 499999
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Z:\
Scan Statistics:
Total number of scanned objects: 73367
Number of viruses found: 5
Number of infected objects: 479
Number of suspicious objects: 0
Duration of the scan process: 02:24:03
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100172.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100176.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100177.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100178.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100190.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100191.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100193.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100194.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100195.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100196.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100197.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100198.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100199.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100200.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100201.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100202.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100203.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100205.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100206.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100207.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100208.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100209.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100210.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100211.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100212.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100213.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100215.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100218.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100293.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100296.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100297.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100298.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100299.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100300.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100301.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100302.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100304.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100305.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100306.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100307.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100308.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100309.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100311.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100312.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100313.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100314.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100315.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100321.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100328.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100329.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100330.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100331.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100333.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100334.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100335.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100336.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100337.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100338.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100339.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100340.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100342.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100343.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100345.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100346.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100347.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100348.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100349.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100351.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100353.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100355.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100360.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0100361.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101329.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101330.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101331.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101332.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101333.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101334.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101335.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101336.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101337.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101338.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101339.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101340.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101341.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101342.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101344.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101345.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101346.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101347.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101348.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101349.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101350.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101351.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101352.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1000\A0101353.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101408.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101421.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101422.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101423.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101424.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101425.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101426.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101427.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101428.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101429.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101430.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101431.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101432.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101433.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101434.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101435.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101436.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101437.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101438.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101439.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101440.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101441.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101443.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1001\A0101445.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101519.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101520.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101522.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101523.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101524.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101525.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101526.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101527.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101528.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101529.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101531.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101576.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101577.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101578.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101579.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101580.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101581.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101582.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101583.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101585.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101586.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101596.rbf Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1002\A0101638.rbf Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1004\A0101741.rbf Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102430.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102431.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102433.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102434.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102435.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102436.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102437.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102438.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102439.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102440.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102441.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102442.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102443.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102444.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102445.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102446.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102447.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102448.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1005\A0102449.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1006\A0102486.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1007\A0102494.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1007\A0102498.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1008\A0102536.rbf Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1010\A0102824.rbf Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1010\A0102858.rbf Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1010\A0102964.rbf Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103565.rbf Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103619.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103621.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103622.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103623.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103624.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103625.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103626.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103627.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103628.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103629.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103630.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1011\A0103631.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103650.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103652.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103653.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103654.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103656.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103658.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103659.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103660.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1012\A0103661.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1013\A0103662.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1013\A0103664.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1013\A0103694.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1013\A0103695.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1013\A0103696.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1013\A0103697.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1014\A0103698.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1014\A0103732.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1014\A0103733.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1014\A0103734.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1014\A0103735.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1014\A0103736.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1016\A0103861.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1016\A0103862.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1016\A0103863.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1016\A0103864.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1016\A0103865.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1016\A0103871.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103880.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103885.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103887.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103888.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103889.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103893.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103903.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103904.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103905.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103906.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1017\A0103907.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103927.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103929.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103930.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103931.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103932.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103933.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103953.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103954.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103955.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103956.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103957.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103969.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103970.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103971.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103972.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103973.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103975.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103981.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103982.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103983.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103984.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103994.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103995.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103997.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103998.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0103999.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0104006.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0104007.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1018\A0104008.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1019\A0104035.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1019\A0104037.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1019\A0104038.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1019\A0104039.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1019\A0104040.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1019\A0104041.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1020\A0104042.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1020\A0104046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1020\A0104068.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1021\A0104070.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1021\A0104073.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1021\A0104074.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1021\A0104075.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1021\A0104076.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1021\A0104077.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1021\A0105063.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105068.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105071.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105072.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105073.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105074.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105075.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105076.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105077.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105081.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105085.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105091.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105093.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105096.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105100.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105103.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1022\A0105105.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1023\A0105120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1023\A0105134.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1023\A0105136.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1023\A0105137.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105138.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105139.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105140.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105143.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105144.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105145.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105190.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105192.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105193.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105194.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1024\A0105195.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1025\A0105196.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1025\A0105200.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1025\A0105201.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1025\A0105202.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1025\A0105203.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1025\A0105204.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1025\A0105205.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1026\A0105210.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1026\A0105211.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1026\A0105212.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1026\A0105213.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105216.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105218.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105219.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105220.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105221.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105222.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105223.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105224.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105225.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105226.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105227.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105228.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105229.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105230.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105231.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105232.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105233.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105234.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105235.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105236.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105237.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105239.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105240.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105241.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105242.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105243.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105244.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105245.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105246.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105247.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105248.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105249.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105250.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105251.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105252.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105253.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105254.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105255.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105256.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105257.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105258.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105259.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105260.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105261.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105262.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105263.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105264.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105265.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105266.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105267.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105268.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105269.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105270.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105271.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105272.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105273.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105274.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105275.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105276.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105292.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105293.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105294.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1027\A0105296.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105301.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105302.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105303.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105304.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105305.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1028\A0105306.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1029\A0105344.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1029\A0105345.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1029\A0105346.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105347.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105350.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105353.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105370.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1030\A0105371.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105372.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105375.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105376.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105377.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1031\A0105378.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1032\A0105419.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1032\A0105420.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105424.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105426.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105441.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105442.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1033\A0105497.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1034\A0105504.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1034\A0105613.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1034\A0105623.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1034\A0105628.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1034\A0105629.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1034\A0105630.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP1034\change.log Object is locked skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099983.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099985.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099986.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099988.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099989.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099990.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP997\A0099991.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099992.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099993.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099994.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099996.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099997.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099998.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0099999.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100002.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100003.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100004.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100005.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100006.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100007.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100009.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100010.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100011.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100012.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100013.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100015.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100016.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100032.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100033.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100035.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100036.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100038.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100039.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100040.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100041.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100042.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100043.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100044.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100045.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100046.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100047.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100049.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100050.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100051.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100052.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100053.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100054.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100055.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100056.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP998\A0100062.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100127.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100128.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100131.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100132.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100133.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100134.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100135.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100136.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100137.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100141.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100142.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100143.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100145.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100146.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100147.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100148.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100161.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100162.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100163.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100164.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\RP999\A0100165.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:01 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\psywzrd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 5880 bytes
Hi
Logs look good.
All viruses are in system restore and inactive.
I'll give you instructions later on how to empty it.
Other than that, any problems left?
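The reply above rests on a distinction worth checking mechanically rather than by eye when a report runs to thousands of lines: a detection whose path sits under System Volume Information\_restore{...}\RPnnn is a System Restore snapshot and stays inert until that restore point is applied, while a detection on any other path is a live file that needs attention. The following Python script is an added example, not code from this thread or from Kaspersky; it parses report lines in the format shown above and splits findings into restore-point, live, and locked. The SAMPLE_REPORT lines are constructed for the example (the restore-point GUID is the one from this thread, the Temp path is invented).

```python
"""Triage a Kaspersky-style scan report: separate detections that sit in
System Restore points (inactive until restored) from detections on live
paths, and count locked objects separately.

Added example, not part of the forum thread or any vendor tool. The
SAMPLE_REPORT below is constructed to match the report format shown in
the thread (path, verdict, action).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One report line is either
#   <path> Infected: <detection name> <action>
# or
#   <path> Object is locked <action>
# Paths may contain spaces, so the path group is non-greedy and the
# match is anchored on the verdict keywords and the end of line.
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:Infected:\s+(?P<name>\S+)|(?P<locked>Object is locked))\s+(?P<action>\S+)\s*$"
)

# Windows XP System Restore keeps snapshots under this folder; a file
# there is only reactivated if the user restores to that point.
_RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.IGNORECASE
)


@dataclass
class Finding:
    path: str
    name: Optional[str]      # detection name; None for locked objects
    action: str
    in_restore_point: bool


def parse_report(text: str) -> list:
    """Parse report lines into Finding records; non-matching lines
    (headers, blank lines, 'Scan process completed.') are ignored."""
    findings = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        findings.append(Finding(
            path=path,
            name=m.group("name"),
            action=m.group("action"),
            in_restore_point=bool(_RESTORE_RE.search(path)),
        ))
    return findings


def triage(text: str) -> dict:
    """Summarise a report: totals, live (non-restore-point) paths, locked
    object count, and a per-family detection count."""
    findings = parse_report(text)
    infected = [f for f in findings if f.name is not None]
    return {
        "infected_total": len(infected),
        "in_restore_points": sum(1 for f in infected if f.in_restore_point),
        "live": [f.path for f in infected if not f.in_restore_point],
        "locked": sum(1 for f in findings if f.name is None),
        "by_family": Counter(f.name for f in infected),
    }


def all_inactive(text: str) -> bool:
    """True when every detection in the report lives in a restore point,
    i.e. the helper's 'all in system restore and inactive' verdict holds."""
    return not triage(text)["live"]


# Constructed sample: two restore-point hits, one locked system file, and
# one invented live path that a real report would need a closer look at.
SAMPLE_REPORT = """\
C:\\System Volume Information\\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\\RP998\\A0100015.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\\System Volume Information\\_restore{145A78D9-30F3-4441-A76F-9F54405CDEA6}\\RP999\\A0100165.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\Documents and Settings\\EXAMPLE\\Local Settings\\Temp\\constructed.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
Scan process completed.
"""

if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{r['infected_total']} infected objects, "
          f"{r['in_restore_points']} of them in restore points, "
          f"{r['locked']} locked")
    for p in r["live"]:
        print("LIVE:", p)
    print("clean apart from restore points:", all_inactive(SAMPLE_REPORT))
```

Run it against a saved report (read the file and pass its contents to triage) and act only on the "live" list; the restore-point entries disappear once System Restore is turned off and back on, as the later post in this thread describes.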
I'm still getting pop-up alerts from Kaspersky AV but I assume those will disappear once you tell me how to get rid of that stuff in system restore. The other thing I'm concerned with is how I can reattach my external hard drive so I can start doing backups of my system again. As I mentioned earlier, I've been doing nightly backups of my system and those backups are most definitely infected. Is there any way for me to reattach that drive and just reformat it without reinfecting my computer? I'm not concerned with losing any of the data on the external drive since it's strictly a backup drive so reformatting it would be fine with me.
Also, after getting an infection like this, I'm more than a bit concerned about my TrendMicro Internet Security. I find it a bit disconcerting that this nasty infection wasn't caught by the TrendMicro software. Since it's coming up for renewal anyway, I'm considering other options (Norton Internet Security, ZoneAlarm, Kaspersky suite, etc.). Do you have a strong opinion about any of those? I'm leaning toward Norton but it seems like all of them have their weak points.
Hi
"The other thing I'm concerned with is how I can reattach my external hard drive so I can start doing backups of my system again. As I mentioned earlier, I've been doing nightly backups of my system and those backups are most definitely infected. Is there any way for me to reattach that drive and just reformat it without reinfecting my computer? I'm not concerned with losing any of the data on the external drive since it's strictly a backup drive so reformatting it would be fine with me."
It should be fine as long as autorun is off. That is essential. See here (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true)
"Also, after getting an infection like this, I'm more than a bit concerned about my TrendMicro Internet Security. I find it a bit disconcerting that this nasty infection wasn't caught by the TrendMicro software. Since it's coming up for renewal anyway, I'm considering other options (Norton Internet Security, ZoneAlarm, Kaspersky suite, etc.). Do you have a strong opinion about any of those? I'm leaning toward Norton but it seems like all of them have their weak points."
No IS or AV can find all infections.
Kaspersky IS is very lightweight unlike Norton and has excellent detection so that gets my vote.
Thanks for that. Based on that article you linked me to, it looks like autoplay should be disabled for my external drive by default - I should be ok to reattach it and format it then. I guess all that's left is getting rid of that stuff in system restore, right?
Hi
Yes :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
You can now re-install the software we deleted, at least these:
Intel(R) PROSet/Wireless Software
Maxtor OneTouch
Microsoft ActiveSync
Notebook Maximizer
QuickTime
Retrospect Express HD 1.1
ScanSoft OmniPage Pro 14.0
ScanSoft PaperPort 11
SoundMAX
Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnerable to infections.
Please download the newest version here:
http://www.adobe.com/products/acrobat/readstep2_servefile.html?option=full&order=1&type=&language=English&platform=WinXPSP2&esdcanbeused=0&esdcanhandle=0&hasjavascript=1&dlm=nos
Install it, then go to Add/Remove Programs and remove any older versions that may remain.
Next we remove all used tools.
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) and save it to desktop.
Double-click OTMoveIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with the instructions from the tutorial above.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware 2007 to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean! :bigthumb:
Wow - amazing work! Sorry about the confusion I caused in the beginning. Hopefully, this type of thing won't happen to me again. If it does though, at least I know the proper way to go about getting help:bigthumb:.
Thank you so much for your time, your patience and your knowledge. You have no idea how much I appreciate all of the assistance you've given me over the last week or so. Happy New Year!
psywzrd
Since this issue appears resolved ... this Topic is closed. Glad I could help.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Re-opened upon request.
psywzrd, please post spybot report and a fresh HijackThis log next :)
Where are the Spybot reports located? I'd like to include a report on the scan that found Virtumonde.
Hi
They should be here -> C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
31.12.2007 18:09:23 - ##### check started #####
31.12.2007 18:09:23 - ### Version: 1.5
31.12.2007 18:09:23 - ### Date: 12/31/2007 6:09:23 PM
31.12.2007 18:09:27 - ##### checking bots #####
31.12.2007 18:23:09 - found: Microsoft.WindowsSecurityCenter.AntiVirusOverride Settings
31.12.2007 18:30:53 - found: Virtumonde.Crack User settings
31.12.2007 18:38:13 - found: DoubleClick Tracking cookie (Internet Explorer: ****)
31.12.2007 18:38:16 - found: Statcounter Tracking cookie (Internet Explorer:****)
31.12.2007 18:38:18 - found: WebTrends live Tracking cookie (Internet Explorer: ****)
31.12.2007 18:38:22 - found: HitBox Tracking cookie (Internet Explorer: ****)
31.12.2007 18:38:25 - found: HitBox Tracking cookie (Internet Explorer: ****)
31.12.2007 18:38:33 - ##### check finished #####
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:06 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www3.wirelesssync.vzw.com/en/SyncInstall.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
--
End of file - 9099 bytes
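As an added example, not code from this thread, from HijackThis or from any tool mentioned in it: a small Python script that parses the R/F/O lines of a log like the one above into records and lists the entries a reviewer would look at first. The sample lines are copied from the posted log; the triage heuristics (bare filenames in Run keys, "(no file)" orphans, O16 packages referenced over plain http, O23 services whose binary carries no company name) are my own assumptions about what merits a second look, and a flag is a prompt to check the entry, not a verdict that it is malicious.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a few lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Every HijackThis entry starts with a section code (R1, F2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.+)$")
# O4 Run entries carry the value name in brackets, then the command line.
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "


def parse_hjt(text: str) -> List[Entry]:
    """Turn the raw log text into a list of (section, body) records, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def is_absolute_windows_path(cmd: str) -> bool:
    """True if the command starts with a drive letter (optionally quoted), i.e. it is not
    a bare filename that Windows resolves through the search path at logon."""
    cmd = cmd.strip().lstrip('"')
    return re.match(r"^[A-Za-z]:\\", cmd) is not None


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Apply the review heuristics (assumptions, see lead-in) and return (section, reason, body)."""
    findings = []
    for e in entries:
        if e.body.endswith("(no file)"):
            findings.append((e.section, "orphaned entry: target file missing", e.body))
            continue
        if e.section == "O4":
            m = RUN_RE.search(e.body)
            if m and not is_absolute_windows_path(m.group("cmd")):
                findings.append((e.section, "bare filename: resolved via search path at logon", e.body))
        elif e.section == "O16":
            target = e.body.rsplit(" - ", 1)[-1]
            if target.lower().startswith("http://"):
                findings.append((e.section, "ActiveX package referenced over cleartext http", e.body))
        elif e.section == "O23":
            parts = e.body.split(" - ")
            # HijackThis prints "Unknown owner" when the binary's version info has no company name.
            if len(parts) >= 3 and parts[-2] == "Unknown owner":
                findings.append((e.section, "service binary has no company name in version info", e.body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {reason}\n     {body}")
```

Run against the sample it reports four entries: the NDSTray.exe Run value, the AutorunsDisabled button with no file, the Shutterfly CAB over http and the Swupdtmr service. In this thread all four are benign; the point of the script is to shorten the list a human reads, not to replace the rescan the helper asked for.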
Hi
If you re-scan with spybot, does it still find Virtumonde?
Nope - it only finds HitBox, Statcounter and WebTrends live. And I just finished a Kaspersky online scan and that came up totally clean too. Does that mean I'm ok? I got worried when I saw Virtumonde show up in my S&D scan so I'm wondering if it's still lingering somewhere.
Hi
Yes, it means that :)
For preventing those tracking cookies, see here (http://www.spybot.info/en/faq/37.html)
Any problems left?
My computer is still running slowly but if you say I'm all clear, there must be something else that is causing it. I'll try to troubleshoot that problem on my own. Thanks again.
Hi
For general slowness, see here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html) and post back if it helped :)
I'll have to get back to you about this. My computer's screen crapped out on me so I have it in pieces right now while I wait for a new inverter to come. Hopefully that will take care of this problem and then I can address the slowness issue. Thanks again.
Hi
That's ok, take your time :)
Closing this topic. psywzrd, if you need it re-opened, please send Shaba a PM.
Cheers.