Command.exe, Virtumonde, Smitfraud & More?



XLegion
2008-07-13, 04:40
Many of these viruses re-occur. I'm hoping I can get some help to be able to remove them all forever.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:50 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [Bomgar Support Helper [1203468505]] "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-47BB78D9\bomgar-scc.exe" -service:helper
O4 - HKLM\..\Run: [Bomgar Support Helper [1206799211]] "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-47EE4B6B\bomgar-scc.exe" -service:helper
O4 - HKLM\..\Run: [BM73b1e5c7] Rundll32.exe "C:\WINDOWS\system32\iublbxcm.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA7548] command /c del "C:\WINDOWS\b157.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1488] cmd /c del "C:\WINDOWS\b157.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4108] command /c del "C:\WINDOWS\b148.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8294] cmd /c del "C:\WINDOWS\b148.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7555] command /c del "C:\WINDOWS\b116.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9797] cmd /c del "C:\WINDOWS\b116.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5327] command /c del "C:\WINDOWS\b103.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4139] cmd /c del "C:\WINDOWS\b103.exe_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [SpybotDeletingB8991] command /c del "C:\WINDOWS\b157.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD446] cmd /c del "C:\WINDOWS\b157.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4035] command /c del "C:\WINDOWS\b148.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1750] cmd /c del "C:\WINDOWS\b148.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB653] command /c del "C:\WINDOWS\b116.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8795] cmd /c del "C:\WINDOWS\b116.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8194] command /c del "C:\WINDOWS\b103.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2327] cmd /c del "C:\WINDOWS\b103.exe_old"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SpeedRunner] C:\Documents and Settings\feng\Application Data\SpeedRunner\SpeedRunner.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SfKg6wIP] C:\Documents and Settings\feng\Application Data\Microsoft\Windows\ewwkfr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [riff] C:\Program Files\Common Files\riff\riffm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mhhs.org
O15 - Trusted Zone: www.newphysicianlink.org
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6283 bytes
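Reading the O2/O4/O20 entries in a log like the one above is done by eye in this thread. As an added example, not part of the original post and not a feature of HijackThis or ComboFix, the Python below applies the same sanity checks a helper makes by hand: dangling "(file missing)"/"(no file)" references, unnamed BHOs loaded out of system32, rundll32 autostarts that call a one-letter export, programs outside the Windows directory set to run under the SYSTEM account, and a DLL registered both as a BHO and as a Winlogon Notify handler. The rule names are mine, the sample lines are copied from the logs posted in this thread, and the heuristics produce items to review, not verdicts.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: HijackThis O2/O4/O20 lines copied from the logs posted in
# this thread. The eight-letter DLL names belong to the infection; NeroCheck,
# ctfmon and SDHelper are legitimate and should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {149813CF-AFC1-4AC2-A404-B8AA402F323A} - C:\WINDOWS\system32\jkkigfcy.dll
O2 - BHO: (no name) - {5F859AD3-20CF-4B29-AB70-98358E4C9FAD} - C:\WINDOWS\system32\ddcBRhhG.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [7082d65b] rundll32.exe "C:\WINDOWS\system32\jhgthyfm.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SfKg6wIP] C:\Documents and Settings\feng\Application Data\Microsoft\Windows\ewwkfr.exe (User 'SYSTEM')
O20 - Winlogon Notify: jkkigfcy - C:\WINDOWS\SYSTEM32\jkkigfcy.dll
O20 - Winlogon Notify: pqsscfnl - pqsscfnl.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in an executable extension (a quote ends a path).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:dll|exe|sys)", re.IGNORECASE)
# rundll32 invocations of the form  rundll32.exe "C:\...\x.dll",export
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.IGNORECASE)


def parse(log_text):
    """Split a HijackThis log into entries of section, body, paths and raw line."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # header, running-process list, blank lines
        section, body = m.group(1), m.group(2)
        entries.append({"section": section, "body": body,
                        "paths": PATH_RE.findall(body), "raw": raw})
    return entries


def triage(log_text):
    """Return (section, rule, raw_line) findings for the entries worth a look."""
    entries = parse(log_text)
    # Which sections each module shows up in, so a DLL registered both as a
    # BHO (O2) and as a Winlogon Notify handler (O20) can be cross-referenced.
    seen_in = defaultdict(set)
    for e in entries:
        for p in e["paths"]:
            seen_in[ntpath.basename(p).lower()].add(e["section"])

    findings = []
    for e in entries:
        sec, body, raw = e["section"], e["body"], e["raw"]
        if "(file missing)" in body or "(no file)" in body:
            # Registration survives but the module is gone: a leftover to clean.
            findings.append((sec, "dangling", raw))
            continue
        if sec == "O2" and body.startswith("BHO: (no name)") and \
                any("system32" in p.lower() for p in e["paths"]):
            findings.append((sec, "unnamed-bho", raw))
        if sec == "O4":
            m = RUNDLL_RE.search(body)
            if m and "system32" in m.group("dll").lower() and len(m.group("export")) == 1:
                # Legitimate rundll32 autostarts name a real export, not ",b" or ",s".
                findings.append((sec, "rundll32-loader", raw))
            if "(User 'SYSTEM')" in body and e["paths"] and \
                    not any(p.lower().startswith("c:\\windows") for p in e["paths"]):
                # A user-profile or Program Files binary autostarting as SYSTEM.
                findings.append((sec, "system-runs-user-program", raw))
        if sec == "O20" and body.startswith("Winlogon Notify"):
            for p in e["paths"]:
                if "O2" in seen_in[ntpath.basename(p).lower()]:
                    findings.append((sec, "bho-and-winlogon-notify", raw))
    return findings


def suspect_files(findings):
    """Sorted basenames of the modules behind the non-dangling findings."""
    names = set()
    for _sec, rule, raw in findings:
        if rule != "dangling":
            names.update(ntpath.basename(p).lower() for p in PATH_RE.findall(raw))
    return sorted(names)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sec, rule, raw in hits:
        print(f"{sec:<4}{rule:<26}{raw}")
    print("suspect modules:", suspect_files(hits))
```

Run against the sample it flags the two dangling entries, the unnamed BHO, the rundll32 loader, the SYSTEM-account autostart in the user's Application Data, and the O2/O20 cross-reference, while leaving NeroCheck, ctfmon and SDHelper alone; the suspect-module list is what a helper would then look up or quarantine.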

pskelley
2008-07-15, 03:03
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

1) Make sure you are not running TeaTimer; if you are, follow these instructions. We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT.exe; call it XLegion.exe, that will work. The hackers hide their junk from HJT and we should see it after a restart.

3) Post all HJT logs in Normal Mode unless I request otherwise, start with a new HJT log.

Thanks

XLegion
2008-07-18, 05:46
My father got on the computer two days ago and I assume went on-line (and to his dismay had a poor poor computer performance)

Just thought to mention that

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:36 PM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\XLegion.exe

O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {0A60E68A-0AEF-4866-BA92-7C9D9E8742BF} - (no file)
O2 - BHO: (no name) - {149813CF-AFC1-4AC2-A404-B8AA402F323A} - C:\WINDOWS\system32\jkkigfcy.dll
O2 - BHO: (no name) - {2245D55B-CD02-4DAC-B0CE-6A3F2AA7CEB7} - C:\WINDOWS\system32\nnnljghG.dll
O2 - BHO: (no name) - {3322f01f-9431-4708-9a95-d1e3ce2e5e81} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F859AD3-20CF-4B29-AB70-98358E4C9FAD} - C:\WINDOWS\system32\ddcBRhhG.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AE9C719B-02E2-4D07-B189-15AE52D0026E} - (no file)
O2 - BHO: (no name) - {BC7E4FD8-8465-454A-9AF3-38896C476C7F} - (no file)
O2 - BHO: (no name) - {C661DE9D-5773-483B-85BF-572E7C50EF57} - (no file)
O2 - BHO: (no name) - {f75129fc-fbfa-4a9b-b29e-a54ace65b756} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [Bomgar Support Helper [1203468505]] "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-47BB78D9\bomgar-scc.exe" -service:helper
O4 - HKLM\..\Run: [Bomgar Support Helper [1206799211]] "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-47EE4B6B\bomgar-scc.exe" -service:helper
O4 - HKLM\..\Run: [7082d65b] rundll32.exe "C:\WINDOWS\system32\jhgthyfm.dll",b
O4 - HKLM\..\Run: [BM73b1e5c7] Rundll32.exe "C:\WINDOWS\system32\afislphg.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SpeedRunner] C:\Documents and Settings\feng\Application Data\SpeedRunner\SpeedRunner.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SfKg6wIP] C:\Documents and Settings\feng\Application Data\Microsoft\Windows\ewwkfr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [riff] C:\Program Files\Common Files\riff\riffm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mhhs.org
O15 - Trusted Zone: www.newphysicianlink.org
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: cteyrial - C:\WINDOWS\
O20 - Winlogon Notify: iiffEvSK - iiffEvSK.dll (file missing)
O20 - Winlogon Notify: jkkigfcy - C:\WINDOWS\SYSTEM32\jkkigfcy.dll
O20 - Winlogon Notify: olgawve - C:\WINDOWS\Fonts\olgawve.dll (file missing)
O20 - Winlogon Notify: pqsscfnl - pqsscfnl.dll (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6633 bytes

pskelley
2008-07-18, 15:01
Thanks for returning your information and the feedback, please follow all directions carefully.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

XLegion
2008-07-18, 20:27
Pskelly,

(My name is Michael, by the way)

I just wanted to say thank you for helping me as well. I followed your instructions, but I clicked the link last. I realized that it said to also download Windows Service Pack and drag it to ComboFix. I didn't do so, though.

I also have done the last two HJT logs and Combofix Log while NOT under Safemode. Is this okay?

ComboFix 08-07-17.4 - feng 2008-07-18 12:13:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.241 [GMT -5:00]
Running from: C:\Documents and Settings\feng\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\feng\Application Data\SpeedRunner
C:\Documents and Settings\feng\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\feng\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\feng\Application Data\SpeedRunner\SRUninstall.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\riff
C:\Program Files\Common Files\riff\riffa.exe
C:\Program Files\Common Files\riff\riffa.lck
C:\Program Files\Common Files\riff\riffd\class-barrel
C:\Program Files\Common Files\riff\riffd\riffc.dll
C:\Program Files\Common Files\riff\riffd\vocabulary
C:\Program Files\Common Files\riff\riffl.exe
C:\Program Files\Common Files\riff\riffl.lck
C:\Program Files\Common Files\riff\riffm.exe
C:\Program Files\Common Files\riff\riffm.lck
C:\Program Files\Common Files\riff\riffp.exe
C:\WINDOWS\BM73b1e5c7.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\riff
C:\WINDOWS\riff\riff.dat
C:\WINDOWS\riff\wu
C:\WINDOWS\system32\afislphg.dll
C:\WINDOWS\system32\aryvrj.dll
C:\WINDOWS\system32\azhody.dll
C:\WINDOWS\system32\biahfgqv.dll
C:\WINDOWS\system32\cfebqulc.dll
C:\WINDOWS\system32\dgxwdjld.dll
C:\WINDOWS\system32\fdrlap.dll
C:\WINDOWS\system32\fnlxikuh.ini
C:\WINDOWS\system32\Ghgjlnnn.ini
C:\WINDOWS\system32\Ghgjlnnn.ini2
C:\WINDOWS\system32\GhhRBcdd.ini
C:\WINDOWS\system32\GhhRBcdd.ini2
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hukixlnf.dll
C:\WINDOWS\system32\iublbxcm.dll
C:\WINDOWS\system32\jhgthyfm.dll
C:\WINDOWS\system32\jkkigfcy.dll
C:\WINDOWS\system32\khfdaArS.dll
C:\WINDOWS\system32\lwtyxmqd.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfyhtghj.ini
C:\WINDOWS\system32\moerpwgy.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\nnnljghG.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qwuajd.dll
C:\WINDOWS\system32\qxlhfnxm.dll
C:\WINDOWS\system32\rqdrohab.dll
C:\WINDOWS\system32\SrAadfhk.ini
C:\WINDOWS\system32\SrAadfhk.ini2
C:\WINDOWS\system32\urqQiiFW.dll
C:\WINDOWS\system32\vqgfhaib.ini
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-12 21:06 . 2008-07-12 21:06 167,976 --a--c--- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-07-12 19:01 . 2008-07-12 19:01 <DIR> d----c--- C:\Program Files\microsoft frontpage
2008-07-11 09:37 . 2008-07-12 18:17 1,881,724 --ahsc--- C:\WINDOWS\system32\lqcgfrcg.ini
2008-07-11 09:31 . 2008-07-11 09:31 81,408 -----c--- C:\WINDOWS\system32\~.exe
2008-07-09 22:21 . 2008-07-09 22:21 139,264 --a--c--- C:\WINDOWS\War3Unin.exe
2008-07-09 22:21 . 2008-07-10 20:23 23,454 --a--c--- C:\WINDOWS\War3Unin.dat
2008-07-09 22:21 . 2008-07-09 22:21 2,829 --a--c--- C:\WINDOWS\War3Unin.pif
2008-07-09 18:44 . 2008-07-09 22:15 <DIR> d----c--- C:\Program Files\Magic Workstation
2008-07-09 08:53 . 2008-07-09 08:53 <DIR> d----c--- C:\Documents and Settings\Michael\Application Data\Canon
2008-07-07 22:21 . 2008-07-07 22:21 <DIR> d--hsc--- C:\WINDOWS\YWRtaW4
2008-07-07 10:38 . 2008-07-07 07:38 102,400 --a--c--- C:\WINDOWS\b152.exe
2008-07-06 23:58 . 2008-07-06 23:58 55,296 --a--c--- C:\WINDOWS\17PHolmes1001186.exe
2008-07-06 21:47 . 2008-07-06 22:41 120,832 --a--c--- C:\WINDOWS\mrofinu1001186.exe
2008-07-06 21:47 . 2008-06-22 08:43 88,064 --a--c--- C:\WINDOWS\mrofinu1001186.exe.tmp
2008-07-04 23:47 . 2008-07-04 23:47 <DIR> d----c--- C:\Nexon
2008-07-04 19:14 . 2008-07-10 21:05 <DIR> d----c--- C:\Program Files\Warcraft III
2008-07-02 05:32 . 2008-07-02 02:32 118,272 --a--c--- C:\WINDOWS\b155.exe
2008-06-25 10:47 . 2008-06-25 07:47 85,504 --a--c--- C:\WINDOWS\b156.exe
2008-06-19 07:57 . 2008-06-19 07:57 <DIR> d----c--- C:\Documents and Settings\Michael\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 04:22 --------- dc----w C:\Program Files\Java
2008-07-09 13:48 --------- dc----w C:\Program Files\Common Files\Adobe
2008-07-07 17:48 --------- dc----w C:\Documents and Settings\feng\Application Data\Canon
2008-07-02 22:18 --------- dc----w C:\Documents and Settings\All Users\Application Data\Avira
2008-07-01 19:47 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-06-18 02:08 --------- dc----w C:\Program Files\Yahoo!
2008-06-18 02:07 --------- dc----w C:\Documents and Settings\feng\Application Data\My Games
2008-06-18 02:05 --------- dc----w C:\Program Files\Google
2008-06-18 01:59 --------- dc----w C:\Program Files\Common Files\AOL
2008-06-18 01:59 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-13 13:10 272,128 -c----w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 03:04 --------- dc----w C:\Documents and Settings\feng\Application Data\mIRC
2008-05-27 22:09 --------- dc----w C:\Documents and Settings\feng\Application Data\InstallShield
2006-11-13 03:22 1,467,532 -csha-w C:\WINDOWS\Fonts\evwaglo.bak1
2006-11-12 02:21 1,468,514 -csha-w C:\WINDOWS\Fonts\evwaglo.bak2
2005-08-02 21:46 187,904 -csha-r C:\WINDOWS\YWRtaW4\asappsrv.dll
2005-08-02 21:58 373,248 -csha-r C:\WINDOWS\YWRtaW4\command.exe
2005-07-29 21:24 472 -csha-r C:\WINDOWS\YWRtaW4\sqlQuqb.vbs
.

------- Sigcheck -------

2007-06-13 05:23 1043968 4860d4698c7c5445719e9f57b2202bb1 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1043968 0e843a8a558841a52ba842d1117a7236 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1042944 094349c4f7cb60a2b7b45df2056f7bce C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 05:23 1043968 6edf3dc45cb7ed1ebfa68061b751de7e C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 07:00 26112 1ae736278d000c0f3e71925676e88576 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 07:00 26112 c3a0fcca05694621a1f87fa601f276c5 C:\WINDOWS\system32\dllcache\ctfmon.exe

2005-06-10 19:17 68608 d0cba0827f03d7007c982255ea3c3263 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 68608 69da3ebce29899cddcf6411f959a4f2a C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 18:53 68608 b7856078b278dd7b21dce677c0fb7693 C:\WINDOWS\system32\spoolsv.exe
2005-06-10 18:53 68608 2d4b5a2bbb382baf9e4235698ac17ca8 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 26112]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3817472]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 221240]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 498688]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 498688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-22 19:44 192557]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 167936]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-12 02:09 1908224]
"Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-01-07 05:15 251376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 26112]
"SfKg6wIP"="C:\Documents and Settings\feng\Application Data\Microsoft\Windows\ewwkfr.exe" [2008-07-07 22:17 146944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 hidclasss;hidclasss;C:\WINDOWS\system32\drivers\hidclasss.sys [2008-04-08 23:19]
S2 DP1112;DP1112;C:\WINDOWS\system32\Drivers\DP.sys []
S3 XDva076;XDva076;C:\WINDOWS\system32\XDva076.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d851317-5cf1-11dc-a4b9-000d875455f7}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9441085-25a8-11db-a452-000d875455f7}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{5F859AD3-20CF-4B29-AB70-98358E4C9FAD} - C:\WINDOWS\system32\ddcBRhhG.dll
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Bomgar Support Helper [1203468505] - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-47BB78D9\bomgar-scc.exe
HKLM-Run-Bomgar Support Helper [1206799211] - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-47EE4B6B\bomgar-scc.exe
HKLM-Run-7082d65b - C:\WINDOWS\system32\jhgthyfm.dll
HKLM-Run-BM73b1e5c7 - C:\WINDOWS\system32\afislphg.dll
HKLM-Run-Cmaudio - cmicnfg.cpl
HKU-Default-Run-mjc - C:\Program Files\mjc\mjc.exe
HKU-Default-Run-Sakora - C:\Program Files\Sakora\Sakora.exe
HKU-Default-Run-GetPack19 - C:\Program Files\GetPack\GetPack19.exe
HKU-Default-Run-SpeedRunner - C:\Documents and Settings\feng\Application Data\SpeedRunner\SpeedRunner.exe
HKU-Default-Run-riff - C:\Program Files\Common Files\riff\riffm.exe
Notify-olgawve - C:\WINDOWS\Fonts\olgawve.dll
Notify-cteyrial - (no file)
Notify-iiffEvSK - iiffEvSK.dll
Notify-pqsscfnl - pqsscfnl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 12:19:29
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-18 12:23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 17:22:44

Pre-Run: 17,022,189,568 bytes free
Post-Run: 18,615,013,376 bytes free

212 --- E O F --- 2008-06-20 05:51:12


-------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:48 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\XLegion.exe

O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mhhs.org
O15 - Trusted Zone: www.newphysicianlink.org
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4187 bytes

pskelley
2008-07-18, 21:08
Hello Michael, don't worry about a thing, you did just what I wanted you to. If you read the tutorial, that information deals with the installation of the Recovery Console; you may want to read that information again a little more carefully. We will get that installed before we finish if you need that to be done.

The HJT log looks good; this is all I see: O2 - BHO: (no name) - rsion - (no file), and it is nothing but a leftover that can be left alone.

(careful with these steps)

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\lqcgfrcg.ini
C:\WINDOWS\b152.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner:
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the combofix log from CFScript, contents of the MBAM file & a new HJT log in your next reply.

Tell me how the computer is running now.

Thanks...Phil

XLegion
2008-07-19, 00:33
I'm sorry, I forgot to mention this.

The computer runs fine now. A little jittery, but it isn't exactly a new computer.

If I do encounter more problems, should I reply here or make a new thread?

If this is the last time we converse, thank you immensely, Phil.

I wish I could hire you as our IT guy haha.

pskelley
2008-07-19, 00:39
Michael, if I confused you, I am sorry, we are not yet finished with your computer. Please complete the instructions I posted last and post the logs I requested in red.

Thanks

XLegion
2008-07-19, 05:34
Wow. I don't know what happened. I had these in two different tabs so maybe the logs got cut off.

Sorry!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:57 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\XLegion.exe

O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mhhs.org
O15 - Trusted Zone: www.newphysicianlink.org
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4086 bytes

----------------------------------------------------------------

ComboFix 08-07-17.4 - feng 2008-07-18 15:18:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.273 [GMT -5:00]
Running from: C:\Documents and Settings\feng\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\feng\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system32\lqcgfrcg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\BM73b1e5c7.xml
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system32\lqcgfrcg.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-12 21:06 . 2008-07-12 21:06 167,976 --a--c--- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-07-12 19:01 . 2008-07-12 19:01 <DIR> d----c--- C:\Program Files\microsoft frontpage
2008-07-11 09:31 . 2008-07-11 09:31 81,408 -----c--- C:\WINDOWS\system32\~.exe
2008-07-09 22:21 . 2008-07-09 22:21 139,264 --a--c--- C:\WINDOWS\War3Unin.exe
2008-07-09 22:21 . 2008-07-10 20:23 23,454 --a--c--- C:\WINDOWS\War3Unin.dat
2008-07-09 22:21 . 2008-07-09 22:21 2,829 --a--c--- C:\WINDOWS\War3Unin.pif
2008-07-09 18:44 . 2008-07-09 22:15 <DIR> d----c--- C:\Program Files\Magic Workstation
2008-07-09 08:53 . 2008-07-09 08:53 <DIR> d----c--- C:\Documents and Settings\Michael\Application Data\Canon
2008-07-07 22:21 . 2008-07-07 22:21 <DIR> d--hsc--- C:\WINDOWS\YWRtaW4
2008-07-04 23:47 . 2008-07-04 23:47 <DIR> d----c--- C:\Nexon
2008-07-04 19:14 . 2008-07-10 21:05 <DIR> d----c--- C:\Program Files\Warcraft III
2008-06-19 07:57 . 2008-06-19 07:57 <DIR> d----c--- C:\Documents and Settings\Michael\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 04:22 --------- dc----w C:\Program Files\Java
2008-07-09 13:48 --------- dc----w C:\Program Files\Common Files\Adobe
2008-07-07 17:48 --------- dc----w C:\Documents and Settings\feng\Application Data\Canon
2008-07-02 22:18 --------- dc----w C:\Documents and Settings\All Users\Application Data\Avira
2008-07-01 19:47 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-06-18 02:08 --------- dc----w C:\Program Files\Yahoo!
2008-06-18 02:07 --------- dc----w C:\Documents and Settings\feng\Application Data\My Games
2008-06-18 02:05 --------- dc----w C:\Program Files\Google
2008-06-18 01:59 --------- dc----w C:\Program Files\Common Files\AOL
2008-06-18 01:59 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-13 13:10 272,128 -c----w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 03:04 --------- dc----w C:\Documents and Settings\feng\Application Data\mIRC
2008-05-27 22:09 --------- dc----w C:\Documents and Settings\feng\Application Data\InstallShield
2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll
2006-11-13 03:22 1,467,532 -csha-w C:\WINDOWS\Fonts\evwaglo.bak1
2006-11-12 02:21 1,468,514 -csha-w C:\WINDOWS\Fonts\evwaglo.bak2
2005-08-02 21:46 187,904 -csha-r C:\WINDOWS\YWRtaW4\asappsrv.dll
2005-08-02 21:58 373,248 -csha-r C:\WINDOWS\YWRtaW4\command.exe
2005-07-29 21:24 472 -csha-r C:\WINDOWS\YWRtaW4\sqlQuqb.vbs
.

------- Sigcheck -------

2007-06-13 05:23 1043968 4860d4698c7c5445719e9f57b2202bb1 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1043968 0e843a8a558841a52ba842d1117a7236 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1042944 094349c4f7cb60a2b7b45df2056f7bce C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 05:23 1076736 2360e182877f97c0ce0232861f1c623b C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 07:00 26112 1ae736278d000c0f3e71925676e88576 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 07:00 26112 c3a0fcca05694621a1f87fa601f276c5 C:\WINDOWS\system32\dllcache\ctfmon.exe

2005-06-10 19:17 101376 7776607dfcd955fb9fe8cb091f0989ae C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 101376 1f2353c458bbb36774e4d924cf318fa6 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 18:53 68608 b7856078b278dd7b21dce677c0fb7693 C:\WINDOWS\system32\spoolsv.exe
2005-06-10 18:53 68608 2d4b5a2bbb382baf9e4235698ac17ca8 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-18_12.22.29.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-06-11 00:17:13 57,856 -c--a-w C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
+ 2005-06-11 00:17:13 101,376 -c--a-w C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
- 2007-06-13 11:26:03 1,033,216 ----a-w C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
+ 2007-06-13 11:26:03 1,043,968 ----a-w C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
- 2004-08-04 12:00:00 57,856 -c----w C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
+ 2004-08-04 12:00:00 101,376 -c----w C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
- 2004-08-04 12:00:00 1,032,192 -c----w C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
+ 2004-08-04 12:00:00 1,042,944 -c----w C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
- 2005-10-21 01:02:28 163,328 -c--a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-21 01:02:28 177,664 -c--a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2000-08-31 13:00:00 89,504 -c--a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 13:00:00 101,792 -c--a-w C:\WINDOWS\fdsv.exe
- 2000-08-31 13:00:00 80,412 -c--a-w C:\WINDOWS\grep.exe
+ 2000-08-31 13:00:00 91,164 -c--a-w C:\WINDOWS\grep.exe
- 2000-08-31 13:00:00 41,472 -c--a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 13:00:00 28,672 -c--a-w C:\WINDOWS\Nircmd.exe
- 2000-08-31 13:00:00 98,816 -c--a-w C:\WINDOWS\sed.exe
+ 2000-08-31 13:00:00 109,568 -c--a-w C:\WINDOWS\sed.exe
- 2000-08-31 13:00:00 136,704 -c--a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 13:00:00 148,480 -c--a-w C:\WINDOWS\swsc.exe
- 2000-08-31 13:00:00 212,480 -c--a-w C:\WINDOWS\swxcacls.exe
+ 2000-08-31 13:00:00 223,232 -c--a-w C:\WINDOWS\swxcacls.exe
- 2008-07-18 17:18:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-18 20:14:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-18 17:18:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-18 20:14:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-18 17:18:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-18 20:14:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2000-08-31 13:00:00 68,096 -c--a-w C:\WINDOWS\zip.exe
+ 2000-08-31 13:00:00 78,848 -c--a-w C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 26112]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3817472]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 221240]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 498688]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 498688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-22 19:44 192557]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 167936]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-12 02:09 1908224]
"Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-01-07 05:15 251376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 26112]
"SfKg6wIP"="C:\Documents and Settings\feng\Application Data\Microsoft\Windows\ewwkfr.exe" [2008-07-07 22:17 146944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 hidclasss;hidclasss;C:\WINDOWS\system32\drivers\hidclasss.sys [2008-04-08 23:19]
S2 DP1112;DP1112;C:\WINDOWS\system32\Drivers\DP.sys []
S3 XDva076;XDva076;C:\WINDOWS\system32\XDva076.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d851317-5cf1-11dc-a4b9-000d875455f7}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9441085-25a8-11db-a452-000d875455f7}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 15:19:51
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-18 15:20:47
ComboFix-quarantined-files.txt 2008-07-18 20:20:34
ComboFix2.txt 2008-07-18 17:23:02

Pre-Run: 17,541,668,864 bytes free
Post-Run: 17,523,662,848 bytes free

175 --- E O F --- 2008-06-20 05:51:12

---------------------------------------

Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

4:20:51 PM 7/18/2008
mbam-log-7-18-2008 (16-20-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 102170
Time elapsed: 20 minute(s), 25 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 3
Registry Keys Infected: 19
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 14
Files Infected: 52

Memory Processes Infected:
C:\Program Files\Sakora\Sakora.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\feng\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SpeedRunner) -> Unloaded process successfully.
C:\Documents and Settings\feng\Application Data\F¦Ïnts\mmc.exe (Adware.ClickSpring) -> Unloaded process successfully.
C:\Program Files\Common Files\riff\riffm.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\Common Files\riff\riffa.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Common Files\riff\riffd\riffc.dll (Adware.TargetServer) -> Unloaded module successfully.
C:\Program Files\Webtools\webtools.dll (Adware.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\rfqjkjq.dll (Adware.ClickSpring) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{63334394-3da3-4b29-a041-03535909d361} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ab6ebc3e-2288-292b-fe39-7ca2e0ec42b3} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab6ebc3e-2288-292b-fe39-7ca2e0ec42b3} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA (Adware.TargetSaver) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sakora (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\speedrunner (Adware.SpeedRunner) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riff (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mjc (Adware.MJC) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ExTmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IDE2 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pinz1 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bharebio01 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Sakora (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\mjc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\feng\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Sakora\Sakora.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\feng\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SpeedRunner) -> Quarantined and deleted successfully.
C:\Documents and Settings\feng\Application Data\F¦Ïnts\mmc.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\riff\riffm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\riff\riffa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\riff\riffd\riffc.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Adware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\rfqjkjq.dll (Adware.ClickSpring) -> Delete on reboot.
C:\WINDOWS\system32\drivers\hidclasss.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\mrofinu1001186.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Program Files\mjc\mjc.exe (Adware.MJC) -> Quarantined and deleted successfully.
C:\Documents and Settings\feng\Application Data\SpeedRunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\feng\Local Settings\Temporary Internet Files\Content.IE5\OXHV1Z8U\sruninstaller.prod.v12000.11jan2008.exe[1].1ac39aea6b22cdb4e6ed0c75f1d83467 (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\feng\Local Settings\Temporary Internet Files\Content.IE5\PTD37TNJ\17PHolmes[1].cmt (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\riff\riffl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\riff\riffp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\srff.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\FF.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\feng\Application Data\SpeedRunner\SRUninstall.exe.vir (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\riff\riffp.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\riff\riffd\riffc.dll.vir (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe.vir (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP2\A0000007.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP2\A0000035.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP2\A0000042.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP2\A0000043.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000439.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000440.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000441.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b103.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b104.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b116.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b155.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\b156.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\b157.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1001186.exe.tmp (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tsuninst.exe (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\tsinstall_4_0_4_0_b4.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\tsupdate_4_0_4_1_b3.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\VRR2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\VRR5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\YWRtaW4\asappsrv.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Documents and Settings\feng\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\b152.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
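
The Sigcheck section of the ComboFix log above lists an MD5 for each system binary next to its dllcache copy, and the three live copies (explorer.exe, ctfmon.exe, spoolsv.exe) do not match their cache copies; the Kaspersky report later in the thread names those same three as carrying Virus.Win32.Virut.n. Here is an added example, not ComboFix code or anything posted in this thread, that parses those lines and reports the mismatches. The sample input is the thread's own Sigcheck lines plus a constructed clean pair; the dllcache copy is assumed to be the reference, which is not guaranteed on an infected machine.

```python
"""Pair each live system binary in a ComboFix "Sigcheck" section with its
dllcache copy and flag MD5 mismatches.

Added example for this thread, not ComboFix code.  A mismatch only says the
two copies differ; it is a reason to scan the file, not proof that either
copy is clean.
"""
import re
from collections import defaultdict

# Constructed sample: the Sigcheck lines from the ComboFix log above, verbatim.
SIGCHECK_SAMPLE = r"""
2007-06-13 05:23 1043968 4860d4698c7c5445719e9f57b2202bb1 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1043968 0e843a8a558841a52ba842d1117a7236 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1042944 094349c4f7cb60a2b7b45df2056f7bce C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 05:23 1076736 2360e182877f97c0ce0232861f1c623b C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 07:00 26112 1ae736278d000c0f3e71925676e88576 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 07:00 26112 c3a0fcca05694621a1f87fa601f276c5 C:\WINDOWS\system32\dllcache\ctfmon.exe

2005-06-10 19:17 101376 7776607dfcd955fb9fe8cb091f0989ae C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 101376 1f2353c458bbb36774e4d924cf318fa6 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 18:53 68608 b7856078b278dd7b21dce677c0fb7693 C:\WINDOWS\system32\spoolsv.exe
2005-06-10 18:53 68608 2d4b5a2bbb382baf9e4235698ac17ca8 C:\WINDOWS\system32\dllcache\spoolsv.exe
"""

# Constructed clean sample: live copy and dllcache copy share one hash.
CLEAN_SAMPLE = r"""
2004-08-04 07:00 26112 1ae736278d000c0f3e71925676e88576 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 07:00 26112 1ae736278d000c0f3e71925676e88576 C:\WINDOWS\system32\dllcache\ctfmon.exe
"""

# One Sigcheck line: date time size md5 path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$"
)


def classify(path):
    """'dllcache' for the SFC copy, 'backup' for hotfix/uninstall copies,
    'live' for the binary Windows actually runs."""
    p = path.lower()
    if "\\dllcache\\" in p:
        return "dllcache"
    if "\\$hf_mig$\\" in p or "\\$ntuninstall" in p:
        return "backup"
    return "live"


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].lower()
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        d["kind"] = classify(d["path"])
        entries.append(d)
    return entries


def find_mismatches(text):
    """Pair every live binary with the dllcache copy of the same name and
    return the pairs whose MD5 differs, sorted by file name."""
    by_name = defaultdict(dict)
    for e in parse_sigcheck(text):
        if e["kind"] in ("live", "dllcache"):
            by_name[e["name"]][e["kind"]] = e
    findings = []
    for name, copies in sorted(by_name.items()):
        live, cache = copies.get("live"), copies.get("dllcache")
        if live is None or cache is None or live["md5"] == cache["md5"]:
            continue
        findings.append({
            "name": name,
            "live_path": live["path"],
            "live_md5": live["md5"],
            "cache_md5": cache["md5"],
            # Same size but a different hash means the bytes changed in
            # place; a size-only comparison would miss such a file.
            "same_size": live["size"] == cache["size"],
        })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(SIGCHECK_SAMPLE):
        print(f"{f['name']}: live {f['live_md5']} != dllcache {f['cache_md5']}"
              f" (same size: {f['same_size']})")
```

Run against the thread's lines it reports all three binaries, two of them (ctfmon.exe, spoolsv.exe) with identical size and differing hash.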

pskelley
2008-07-19, 16:15
It turns out you had a badly infected computer; any idea where you got all of this junk? I have concerns that we may have a hidden infection because of this item:
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
To my knowledge there is always a hidden driver associated with it. This may also be an issue:
C:\WINDOWS\system32\~.exe <<< would you navigate to that file and scan it here: http://virusscan.jotti.org/ ? Please also scan these files and post the results:
C:\WINDOWS\system32\drivers\hidclasss.sys
C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\XDva076.sys

Don't do anything with them until we are sure they are malware.

Next do this:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with the jotti results.

Make sure your internet activity is limited to troubleshooting until we clear up these issues.

Thanks

XLegion
2008-07-20, 00:52
Phil,

I couldn't find DP.sys or XDva076.sys. Once again, I'm not in safe mode. I did find hidclass.sys, and it showed as no problem (no problem from all the virus scanners).

I've done the Kaspersky before, but this time I had some problems... I don't know why.

My logs are different, I think. I know this isn't exactly what you wanted; tell me if I need to redo it. I'm sorry!

It did say my computer was infected.

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 19, 2008 16:31:29
Records in database: 972754
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
Scan statistics
Files scanned 68054
Threat name 16
Infected objects 564
Suspicious objects 0
Duration of the scan 00:54:13

File name Threat name Threats count
C:\WINDOWS\system32\spoolsv.exe/C:\WINDOWS\system32\spoolsv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Explorer.EXE/C:\WINDOWS\Explorer.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wscntfy.exe/C:\WINDOWS\system32\wscntfy.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\System32\alg.exe/C:\WINDOWS\System32\alg.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\Real\Update_OB\realsched.exe/C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ctfmon.exe/C:\WINDOWS\system32\ctfmon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\conime.exe/C:\WINDOWS\system32\conime.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Google\Google Talk\googletalk.exe/C:\Program Files\Google\Google Talk\googletalk.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\iexplore.exe/C:\Program Files\Internet Explorer\iexplore.exe Infected: Virus.Win32.Virut.n 1
C:\Documents and Settings\feng\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.31242 Infected: Trojan-Downloader.Win32.PurityScan.fj 1
C:\Documents and Settings\feng\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.41414 Infected: Trojan.Win32.Scapur.k 1
C:\Documents and Settings\feng\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.93798 Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\Documents and Settings\feng\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.99409 Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\Documents and Settings\feng\Application Data\Microsoft\Installer\{7A512A34-F4E8-43C4-BD80-43A022B31BF6}\MapleStory.exe_7A512A34F4E843C4BD8043A022B31BF6.exe Infected: Virus.Win32.Virut.n 1
C:\Documents and Settings\feng\Application Data\Microsoft\Windows\ewwkfr.exe Infected: Virus.Win32.Virut.n 1
C:\Documents and Settings\feng\Desktop\ATF-Cleaner.exe Infected: Virus.Win32.Virut.n 1
C:\Documents and Settings\feng\Desktop\flashdrive\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\feng\Local Settings\Temporary Internet Files\Content.IE5\1XWK29PF\ctxad-580[1].0000 Infected: Backdoor.Win32.Small.emn 1
C:\Nexon\MapleStory\FinalStory.exe Infected: Virus.Win32.Virut.n 1
C:\Nexon\MapleStory\MapleStory.exe Infected: Virus.Win32.Virut.n 1
C:\Nexon\MapleStory\Patcher.exe Infected: Virus.Win32.Virut.n 1
C:\Nexon\MapleStory\Setup.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Adobe\Adobe Device Central CS3\DeviceCentral.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit 2\ExtendScript Toolkit 2.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\CoverDesigner\CoverDes.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\Nero\nero.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\Nero BackItUp\BackItUp.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\Nero BackItUp\NBR.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\Nero Toolkit\CDSpeed.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\Nero Toolkit\DriveSpeed.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Ahead\Nero Toolkit\InfoTool.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\C-Media 3D Audio\Driver\Win_XP\SmWizard.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Canon\MF Toolbox Ver4.7\MfTBox.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Citrix\icaweb32\wfica32.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Common Files\Real\Update_OB\rnxproc.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Google\Google Talk\googletalk.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\InstallShield Installation Information\{01B93B3A-283F-411B-A648-69CABCACC986}\Setup.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\InstallShield Installation Information\{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}\Setup.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\iedw.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Internet Explorer\iexplore.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Magic Workstation\Autoupdater.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Magic Workstation\Data\MWSChat.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Magic Workstation\Data\Updates\autopatch.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Magic Workstation\MagicWorkstation.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Magic Workstation\MWSPlay.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Magic Workstation\ResourceEditor.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Messenger\msmsgs.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Movie Maker\moviemk.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\LF2_v1.9\lf2.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\dumphive.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\exit.exe Infected: Virus.Win32.Virut.q 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\GenericRenosFix.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\HostsChk.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\IEDFix.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: Virus.Win32.Virut.q 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\SmiUpdate.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\swreg.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\swsc.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\swxcacls.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\unzip.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\WS2Fix.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Outlook Express\msimn.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Outlook Express\wab.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\PartitionMagic Pro 7.0\PMagicNT.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Real\RealPlayer\realjbox.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Real\RealPlayer\realplay.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Trend Micro\HijackThis\XLegion.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\VIA\RAID\raid_tool.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Warcraft III\war3.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Warcraft III\Warcraft III.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Warcraft III\World Editor.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Warcraft III\worldedit.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\migrate.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\mplayer2.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\setup_wm.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\wmdbexport.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\wmlaunch.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\wmpenc.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\wmplayer.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\wmpnetwk.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\wmpnscfg.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\wmpshare.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows Media Player\wmsetsdk.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows NT\Accessories\wordpad.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows NT\hypertrm.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\Windows NT\Pinball\PINBALL.EXE Infected: Virus.Win32.Virut.n 1
C:\Program Files\WinRAR\WinRAR.exe Infected: Virus.Win32.Virut.n 1
C:\Program Files\WinZip\WINZIP32.EXE Infected: Virus.Win32.Virut.n 1
C:\Program Files\WinZip\WZSEPE32.EXE Infected: Virus.Win32.Virut.n 1
C:\Program Files\ѕystem32\wіnword.exe Infected: not-a-virus:AdWare.Win32.PurityScan.id 1
C:\QooBox\Quarantine\C\Documents and Settings\feng\Application Data\SpeedRunner\SpeedRunner.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\Program Files\Common Files\riff\riffa.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\Program Files\Common Files\riff\riffl.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\Program Files\Common Files\riff\riffm.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\WINDOWS\17PHolmes1001186.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\WINDOWS\b152.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\WINDOWS\b155.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\WINDOWS\b156.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1001186.exe.tmp.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1001186.exe.vir Infected: Virus.Win32.Virut.n 1
C:\QooBox\Quarantine\C\WINDOWS\system32\afislphg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aalp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\cfebqulc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aalp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\iublbxcm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aakq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\khfdaArS.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aalw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\moerpwgy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aajw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnljghG.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aajy 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000400.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000401.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000402.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000403.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000404.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000411.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000443.dll Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000453.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000455.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000457.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000458.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000459.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000460.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000461.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000462.EXE Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000463.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000464.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000465.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000468.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000469.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000474.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000475.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000476.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000479.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000480.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000482.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000483.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000484.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000485.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000486.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000487.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000488.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000489.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000490.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000491.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000492.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000495.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000496.scr Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000497.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000499.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000500.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000501.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000502.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000503.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000504.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000505.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000506.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000507.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000511.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000512.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000513.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000515.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000516.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000518.exe Infected: Virus.Win32.Virut.n 1
C:\System Volume Information\_restore{CE2FC368-8553-4082-B359-97F32659A678}\RP3\A0000520.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$hf_mig$\KB873339\spuninst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$hf_mig$\KB873339\update\update.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$hf_mig$\KB885250\spuninst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$hf_mig$\KB885250\update\update.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$hf_mig$\KB885835\spuninst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\CmiRmRedundDir.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\CMIUninstall.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\erdnt\subs\ERDNT.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\explorer.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\fdsv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\grep.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\hh.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\ime\IMJP8_1\imjpmig.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\inf\unregmp2.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe Infected: Virus.Win32.Virut.q 1
C:\WINDOWS\IsUn0804.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\IsUninst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ngen.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\msagent\agentsvr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\NOTEPAD.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\regedit.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Samsung\CLP-550\DATA\SSLang.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Samsung\CLP-550\DATA\SSManual.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\Samsung\CLP-550\SETUP.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\sed.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\swsc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\swxcacls.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\accwiz.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\actmovie.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ahui.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\alg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\arp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\asr_fmt.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\asr_ldm.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\asr_pfu.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\at.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\atmadm.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\attrib.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\auditusr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\blastcln.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\bootcfg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\bootok.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\bootvrfy.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cacls.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\calc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\charmap.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\chkdsk.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\chkntfs.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cidaemon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cipher.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cisvc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ckcnv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cleanmgr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cliconfg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\clipbrd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\clipsrv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cmd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cmdl32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cmirmdrv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cmmon32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cmstp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\comp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\compact.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UUQVY83B\unpr[1].exe Infected: Trojan-Dropper.Win32.Small.bkz 1
C:\WINDOWS\system32\conime.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\control.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\convert.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\cscript.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ctfmon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ctxsetup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dcomcnfg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ddeshare.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\defrag.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dfrgfat.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dfrgntfs.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\diantz.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\diskpart.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\diskperf.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dllcache\ctfmon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dllcache\explorer.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dllcache\odbcconf.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dllcache\spoolsv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dllhost.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dllhst3g.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dmadmin.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dmremote.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dns-sd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\doskey.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dplaysvr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dpnsvr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dpvsetup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\driverquery.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Win32.Qhost.akg 1
C:\WINDOWS\system32\drmupgds.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\drwtsn32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dumphive.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dumprep.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dvdplay.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dvdupgrd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dwwin.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\dxdiag.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\esentutl.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\eudcedit.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\eventcreate.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\eventtriggers.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\eventvwr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\expand.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\extrac32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\fc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\find.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\findstr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\finger.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\fixmapi.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\fltmc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\fontview.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\forcedos.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\freecell.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\fsquirt.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\fsutil.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ftp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\getmac.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\gpresult.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\gpupdate.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\grpconv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\help.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\hostname.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ie4uinit.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ieudinit.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\iexpress.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\imapi.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\IME\UNISPIM\AddWords.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\IME\UNISPIM\SPDefine.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\IME\UNISPIM\unispimcfg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\IME\UNISPIM\WLBackup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ipconfig.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ipsec6.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ipv6.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ipxroute.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\irftp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\label.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\lights.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\lnkstub.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\locator.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\lodctr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\logagent.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\logman.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\logoff.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\logon.scr Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\logonui.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\lpq.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\lpr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\magnify.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\makecab.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\migpwd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mmc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mnmsrvc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mobsync.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mountvol.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mplay32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mpnotify.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mqbkup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mqsvc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mqtgsvc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mrinfo.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\msdtc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\msfeedssync.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\msg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mshearts.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mshta.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\msiexec.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mspaint.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\msswchx.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mstinit.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\mstsc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\narrator.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\nbtstat.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\nddeapir.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\NeroCheck.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\net.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\net1.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\netdde.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\netsetup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\netsh.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\netstat.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\notepad.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\nslookup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ntbackup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ntsd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ntvdm.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\nwscript.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\odbcad32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\odbcconf.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\openfiles.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\osk.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\osuninst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\packager.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\pathping.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\pentnt.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\perfmon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ping.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ping6.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\powercfg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\print.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\Process.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\progman.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\proquota.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\proxycfg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\qappsrv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\qprocess.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\qwinsta.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rasautou.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rasdial.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rasphone.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rcimlby.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rcp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rdpclip.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rdsaddin.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rdshost.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\recover.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\reg.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\regedt32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\regini.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\regsvr32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\REGTLIB.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\regwiz.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\relog.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\replace.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\reset.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\Restore\rstrui.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rexec.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\route.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\routemon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rsh.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rsm.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rsmsink.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rsmui.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rsnotify.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rsopprov.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rsvp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rtcshare.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\runas.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rundll32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\runonce.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\rwinsta.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\savedump.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\scardsvr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\schtasks.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\scrnsave.scr Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sdbinst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\secedit.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sessmgr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sethc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\setup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sfc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\shadow.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\shmgrate.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\shrpubw.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\shutdown.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sigverif.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\skeys.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\smbinst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\smlogsvc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sndrec32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sndvol32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sol.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sort.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\spider.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\spiisupd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\spnpinst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\spoolsv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ssbezier.scr Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ssflwbox.scr Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ssmarque.scr Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ssmyst.scr Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\SSRemove.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sstext3d.scr Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\stimon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\subst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\syncapp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\syskey.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\sysocmgr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\systeminfo.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\systray.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\taskkill.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tasklist.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\taskman.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\taskmgr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tcmsetup.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tcpsvcs.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\telnet.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tftp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tlntadmn.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tlntsess.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tlntsvr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tourstart.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tracerpt.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tracert.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tracert6.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tscon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tscupgrd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tsdiscon.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tskill.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tsshutdn.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tswpfwrp.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\TWUNK_32.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\typeperf.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\tzchange.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\unlodctr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\upengine.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\upnpcont.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\ups.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\userinit.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\usmt\migwiz.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\usrmlnka.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\usrprbda.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\usrshuta.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\utilman.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\uwdf.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\verclsid.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\verifier.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\vssadmin.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\vssvc.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\w32tm.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wbem\wmiapsrv.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wbem\wmiprvse.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wdfmgr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wextract.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wiaacmgr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\WinFXDocObj.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\winhlp32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\winmine.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\winmsd.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\winver.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\WISPTIS.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wpabaln.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wpdshextautoplay.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wpnpinst.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\write.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wscntfy.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wscript.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\WudfHost.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\wupdmgr.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\system32\xcopy.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\TASKMAN.EXE Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\twunk_32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\UninstallFirefox.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\unvise32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\VFind.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\War3Unin.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\winhlp32.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\YWRtaW4\command.exe Infected: Virus.Win32.Virut.n 1
C:\WINDOWS\zip.exe Infected: Virus.Win32.Virut.n 1
The selected area was scanned.

pskelley
2008-07-20, 01:33
Bad news, and it is good we ran Kaspersky to find out. This is a file infector virus that really does a job on your files. See this information:
http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=PE_VIRUT&alt=1
http://www.google.com/search?hl=en&q=Virus.Win32.Virut.n+&btnG=Google+Search

My suggestion at this point is to reformat this computer:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Be very careful with what you try to save; see this:
This file infector arrives as an attachment to email messages mass-mailed by another malware or a malicious user. It infects .EXE and .SCR files and appends its code in unused spaces in t...

Thanks:sad:
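Added example for the "be very careful with what you try to save" step above. This is not code from the thread or from any of the tools mentioned in it. It assumes the files to be rescued have already been copied from the infected disk (from a clean boot environment) into a staging directory on a clean machine, and it sorts them by content rather than by name: anything that is a Windows PE executable, the file format a PE file infector like Virut attaches itself to, is quarantined even if it has been renamed to look like a picture or document, and the .EXE/.SCR extensions the Trend Micro excerpt names are used only as a backstop for files whose header is unreadable. The directory layout and file contents in the sample are constructed for the demonstration.

```python
"""Triage salvaged files from a Virut-infected host before restoring them.

Added example. Assumes the salvaged files sit in a staging directory on a clean
machine; nothing here touches the infected system.
"""
import os
import struct
import tempfile

# Extensions the thread's Trend Micro excerpt names as infection targets.
# Secondary check only: a renamed executable defeats any extension filter,
# so the primary check reads the file header.
EXECUTABLE_EXTENSIONS = {".exe", ".scr"}

# Upper bound on how much of a file is read to locate the PE signature.
MAX_HEADER_READ = 1 << 20


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False  # header points outside what was read: not a usable PE
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, data: bytes) -> str:
    """Return 'quarantine' for anything executable, 'keep' for everything else."""
    if is_pe_image(data):
        return "quarantine"  # real Windows executable, whatever it is called
    if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
        return "quarantine"  # claims to be executable but header is unreadable: do not trust it
    return "keep"


def triage_directory(root: str) -> dict:
    """Walk root, read only each file's header, return {relative path: verdict}."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                head = fh.read(0x40)
                if len(head) >= 0x40 and head[:2] == b"MZ":
                    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
                    fh.seek(0)
                    head = fh.read(min(e_lfanew + 4, MAX_HEADER_READ))
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = classify(fn, head)
    return verdicts


def minimal_pe(pe_offset: int = 0x80) -> bytes:
    """Constructed stand-in for a PE executable: MZ header, e_lfanew, PE signature, padding."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, pe_offset)
    return bytes(header) + bytes(pe_offset - 0x40) + b"PE\0\0" + bytes(0x100)


# Constructed sample salvage set: data files to keep, executables to quarantine,
# one executable disguised as a photo, one .scr with a damaged header.
SAMPLE_FILES = {
    "Documents/notes.txt": b"shopping list\nmilk, eggs\n",
    "Documents/report.doc": b"\xd0\xcf\x11\xe0" + bytes(0x200),
    "Pictures/holiday.jpg": minimal_pe(),          # renamed executable
    "Tools/putty.exe": minimal_pe(0x100),
    "Tools/screensaver.scr": b"MZ" + bytes(0x3E),  # MZ stub, no PE signature
    "Tools/readme.exe": b"just a text file with a misleading name",
}

EXPECTED = {
    "Documents/notes.txt": "keep",
    "Documents/report.doc": "keep",
    "Pictures/holiday.jpg": "quarantine",
    "Tools/putty.exe": "quarantine",
    "Tools/screensaver.scr": "quarantine",
    "Tools/readme.exe": "quarantine",
}


def demo() -> dict:
    """Write the constructed sample tree to a temp dir, triage it, return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return triage_directory(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {path}")
```

A "keep" verdict only means the file is not an executable image; the kept documents and pictures should still be scanned with an up-to-date scanner on the clean machine before they are copied onto the reinstalled system.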