Need help removing Virtumonde.dll



Wednesday
2009-08-14, 18:55
Dear expert,

I was going to use an expert to help me remove the Virtumonde.dll spyware that Spybot found. I downloaded the Hijack This and ERUNT software. I was going to try to use the Combofix program myself but then discovered I shouldn’t without help. So I have Combofix on my computer already with a shortcut on the desktop.

I ran quite a few Spybot scans finding Virtumonde.dll every time but it could not get rid of it permanently. But, when I downloaded Hijack This and ERUNT and then ran Spybot again after updating, it did not find Virtumonde.dll. Could it be hiding deeper in my system or is it gone? I never ran a scan in safe mode. This happened a week ago.

Now, a week later, Spybot found the Virtumonde.dll spyware again. So, I would like help getting rid of it.

I use Mozilla Firefox as my browser and recently upgraded to the newest version before I got Virtumonde.dll.

My computer seems to be running normally except sometimes internet windows won’t open and I have to unplug the DSL modem line and the line into the computer and plug them back in and start Firefox again. Then it works properly. I also sometimes have a problem trying to type a search term into google.


Every time I turn on my computer I get the following message:

“Unable to create file:

C:\Windows\ERDNT\AutoBackup\8-4-2009\ERDNT.INF

Registry Backup will continue, but no restore information for the ERDNT program will be saved. This means that later restoration of the registry can only be done manually, by using another OS to copy back to files.”

And then when I ok the above message a number of error messages come up such as:

“Error saving file

C:\Windows\ERDNT\Autobackup\8-4-2009\Security!

Continue with the next file?

[RegCreateKeyEx:5 – Access is denied]”

How can I fix this problem?

I installed and ran Hijack This and an error message came up that said “For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, Hijack This may NOT be able to fix this.” Since I have Vista it says to run it as administrator. The following log is not a “Run as Administrator.”

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:04 PM, on 7/29/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\BigFix\bigfix.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 8706 bytes

:thanks:

Blade81
2009-08-17, 18:23
Hi,

Where does Spybot detect the infection?

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

Wednesday
2009-08-18, 05:28
Hi Blade81,

When Spybot finds Virtumonde.dll the location is C:\Windows\System32\zipfldr.dll

I didn't find "script blocker" per se but did find "disable script debugging" for both "Internet explorer" and "other" and the boxes were already checked so I think they were disabled for as long as I have owned this computer.

I didn't see dds.scr but opened the DDS file and it ran the check and the log popped up.

The Attach log is:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/31/2007 3:50:27 AM
System Uptime: 8/17/2009 7:23:12 PM (3 hours ago)

Motherboard: ELITEGROUP | | 945GCT-M3
Processor: Genuine Intel(R) CPU 2140 @ 1.60GHz | Socket 775 | 1600/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 219.368 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.022 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

3ivx MPEG-4 5.0.1 Decoder (remove only)
7-Zip 4.60 beta
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Agere Systems PCI-SV92PP Soft Modem
Bejeweled 2 Deluxe
BigFix
Browser Address Error Redirector
Business Contact Manager for Outlook 2007
Corel Task Manager
Digital Court Player 5.0 (build 183)
Digital Media Reader
Diner Dash
ERUNT 1.1j
Family Feud 2
FATE
Gateway Connect
Gateway Recovery Center Installer
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Java(TM) SE Runtime Environment 6 Update 1
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008 Equifax Addin
Microsoft Office Accounting 2008 Fixed Asset Manager
Microsoft Office Accounting 2008 PayPal Addin
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Subscription
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
muvee Plugin 1.0
Napster
Napster Burn Engine
Penguins!
Power2Go 5.0
Realtek High Definition Audio Driver
Spare Backup
Spybot - Search & Destroy
Tradewinds
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Virtual Villagers - A New Home
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WordPerfect - MAIL
WordPerfect Office X3
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer

==== End Of File ===========================

Here is the DDS log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Richard at 22:25:50.92 on Mon 08/17/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1010 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\BigFix\bigfix.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Richard\Downloads\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [SpybotDeletingB9071] command /c del "c:\windows\system32\zipfldr.dll"
uRunOnce: [SpybotDeletingD4539] cmd /c del "c:\windows\system32\zipfldr.dll"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [BigFix] c:\program files\bigfix\bigfix.exe /atstartup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Skytel] Skytel.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA5309] command /c del "c:\windows\system32\zipfldr.dll"
mRunOnce: [SpybotDeletingC8987] cmd /c del "c:\windows\system32\zipfldr.dll"
StartupFolder: c:\users\richard\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\erunt\AUTOBACK.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\richard\appdata\roaming\mozilla\firefox\profiles\rxxfi0r7.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-27 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-12 210216]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-6 810320]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-31 29744]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-08-11 22:51 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 22:51 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-08-11 22:51 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 22:51 213,504 a------- c:\windows\system32\msv1_0.dll
2009-08-11 22:51 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 22:51 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 22:51 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 22:51 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 13:57 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 13:57 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 13:56 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 13:56 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 13:56 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 13:56 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 13:56 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 13:56 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 13:56 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-11 13:56 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 13:56 160,256 a------- c:\windows\system32\wkssvc.dll
2009-07-29 16:32 <DIR> -cd----- c:\program files\Trend Micro
2009-07-29 16:22 <DIR> -cd----- C:\ERUNT
2009-07-29 14:09 318,976 a------- c:\windows\system32\CF14342.exe
2009-07-29 13:30 318,976 a------- c:\windows\system32\CF6609.exe
2009-07-27 18:22 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-27 18:22 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-27 18:21 <DIR> -cd----- c:\program files\SUPERAntiSpyware
2009-07-27 18:21 <DIR> --d----- c:\users\richard\appdata\roaming\SUPERAntiSpyware.com
2009-07-26 02:48 884 a------- c:\windows\wininit.ini

==================== Find3M ====================

2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 11:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 11:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 11:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-05-30 16:34 15,688 a------- c:\windows\system32\lsdelete.exe
2008-06-12 13:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-12 13:09 51,200 a------- c:\windows\inf\infpub.dat
2008-06-12 13:09 86,016 a------- c:\windows\inf\infstrng.dat
2008-06-12 13:09 86,016 a------- c:\windows\inf\infstor.dat
2008-03-30 01:27 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-07-28 18:51 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-07-28 18:51 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-07-28 18:51 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-01-24 17:49 8 ---shr-- c:\windows\system32\08436304EA.sys
2009-04-23 03:05 4,598 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-10-14 16:31 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-10-14 16:31 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-10-14 16:31 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:27:45.42 ===============


Thanks,

Wednesday
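The DDS log above is read by hand in this thread. As an added example (not part of the original post or of the DDS tool), here is a small Python triage pass over the "Created Last 30" / "Find3M" entries: it parses each line into timestamp, size, attribute flags and path, and flags two things a helper looks at first: executables carrying both the hidden and system attributes, and executables dropped into system32 within a few days of the scan. The sample lines are taken from the log above; the flagged items are leads to verify (for instance by hashing and checking the file, as Blade81 asks for later in the thread), not verdicts.

```python
import re
from datetime import datetime, timedelta

# Sample input (constructed for this example): a handful of entries copied in the
# layout of the DDS "Created Last 30" and "Find3M" sections, plus one directory line.
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2009-08-20 13:59 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-29 14:09 318,976 a------- c:\windows\system32\CF14342.exe
2009-07-29 16:22 <DIR> -cd----- C:\ERUNT

==================== Find3M ====================

2008-01-24 17:49 8 ---shr-- c:\windows\system32\08436304EA.sys
2009-04-23 03:05 4,598 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-03-30 01:27 174 a--sh--- c:\program files\desktop.ini
"""

# One DDS file line: "YYYY-MM-DD HH:MM  size|<DIR>  8-char attribute flags  path"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>\S.*)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")


def parse_dds_files(text):
    """Return one dict per file/directory line; section headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "created": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "is_dir": is_dir,
            # letters present in the flag field, e.g. "a--sh---" -> {'a', 's', 'h'}
            "attrs": set(m["attrs"].replace("-", "")),
            "path": m["path"].lower(),
        })
    return entries


def triage_entries(entries, scan_date, recent_days=7):
    """Flag hidden+system executables and fresh executables in system32."""
    cutoff = scan_date - timedelta(days=recent_days)
    findings = []
    for e in entries:
        if e["is_dir"]:
            continue
        is_exec = e["path"].endswith(EXEC_EXT)
        in_system32 = "\\windows\\system32\\" in e["path"]
        reasons = []
        if is_exec and {"h", "s"} <= e["attrs"]:
            reasons.append("hidden+system executable")
        if is_exec and in_system32 and e["created"] >= cutoff:
            reasons.append("executable created in system32 within %d days of the scan" % recent_days)
        if reasons:
            findings.append({"path": e["path"], "reasons": reasons})
    return findings


def triage_dds(text, scan_date):
    """scan_date is the 'Run by ... on' date of the log, as 'YYYY-MM-DD'."""
    return triage_entries(parse_dds_files(text), datetime.strptime(scan_date, "%Y-%m-%d"))


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS, "2009-08-20"):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

Run against the sample with the log's own scan date (2009-08-20) it flags the two hidden+system .sys files and the freshly created deploytk.dll, and leaves desktop.ini and the older CF14342.exe alone. The attribute check reads the flag field by letter rather than by column position, so it is not thrown off by the different column layouts DDS uses for directories and files.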

Blade81
2009-08-18, 14:37
Hi,

That may be a false positive. Please upload C:\Windows\System32\zipfldr.dll file here (http://www.virustotal.com) and post back the results or a link to the results.


Update your Adobe Reader to version 8.1.6 here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).


Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date. If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 16 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Post a fresh dds.txt log.

Wednesday
2009-08-20, 20:28
Hi,

I am a couple of days late.

Analysis of C:\Windows\System32\zipfldr.dll from Virus Total website:

MD5: f41857e440a9df3fd5a543c8b2a53048 First received: 2009.02.23 19:23:42 UTC Date: 2009.08.09 14:53:51 UTC [>9D] Results: 0/41 Permalink: analisis/72bf120c6e9df344d6b794f8fd84fff1eecdc37b9e548b93bf5c51da095bb6ad-1249829631

It said on the Virus Total website that the file had already been analyzed. I clicked on “show last report” and this is what I got:

File 319FEB5400CC004D38E2054E651FF8007BB9DAA0.dll received on 2009.08.09 14:53:51 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.09 -
AhnLab-V3 5.0.0.2 2009.08.08 -
AntiVir 7.9.0.248 2009.08.07 -
Antiy-AVL 2.0.3.7 2009.08.07 -
Authentium 5.1.2.4 2009.08.09 -
Avast 4.8.1335.0 2009.08.08 -
AVG 8.5.0.406 2009.08.09 -
BitDefender 7.2 2009.08.09 -
CAT-QuickHeal 10.00 2009.08.08 -
ClamAV 0.94.1 2009.08.07 -
Comodo 1859 2009.08.09 -
DrWeb 5.0.0.12182 2009.08.09 -
eSafe 7.0.17.0 2009.08.09 -
eTrust-Vet 31.6.6667 2009.08.08 -
F-Prot 4.4.4.56 2009.08.09 -
F-Secure 8.0.14470.0 2009.08.09 -
Fortinet 3.120.0.0 2009.08.09 -
GData 19 2009.08.09 -
Ikarus T3.1.1.64.0 2009.08.09 -
Jiangmin 11.0.800 2009.08.09 -
K7AntiVirus 7.10.814 2009.08.08 -
Kaspersky 7.0.0.125 2009.08.09 -
McAfee 5703 2009.08.08 -
McAfee+Artemis 5703 2009.08.08 -
McAfee-GW-Edition 6.8.5 2009.08.09 -
Microsoft 1.4903 2009.08.09 -
NOD32 4319 2009.08.09 -
Norman 2009.08.07 -
nProtect 2009.1.8.0 2009.08.09 -
Panda 10.0.0.14 2009.08.09 -
PCTools 4.4.2.0 2009.08.09 -
Prevx 3.0 2009.08.09 -
Rising 21.41.62.00 2009.08.09 -
Sophos 4.44.0 2009.08.09 -
Sunbelt 3.2.1858.2 2009.08.09 -
Symantec 1.4.4.12 2009.08.09 -
TheHacker 6.3.4.3.378 2009.08.08 -
TrendMicro 8.950.0.1094 2009.08.08 -
VBA32 3.12.10.9 2009.08.09 -
ViRobot 2009.8.8.1875 2009.08.08 -
VirusBuster 4.6.5.0 2009.08.09 -
Additional information
File size: 342016 bytes
MD5 : f41857e440a9df3fd5a543c8b2a53048
SHA1 : ae73fc3a7c3170f59ce2b046adbe20f4aa8cb256
SHA256: 72bf120c6e9df344d6b794f8fd84fff1eecdc37b9e548b93bf5c51da095bb6ad
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6D854CC8
timedatestamp.....: 0x4791A789 (Sat Jan 19 08:32:25 2008)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30311 0x30400 6.68 952bdf55b356fde02cf6554bc7ed69d9
.data 0x32000 0x2108 0x1A00 4.93 2e34eb38ce14fd8001cb20d760079b7c
.rsrc 0x35000 0x1EBC8 0x1EC00 6.84 5bf8e3b7e2579b040f5955ad8f9d223f
.reloc 0x54000 0x2908 0x2A00 4.70 cbaf2d883ac719d54d3691e36f73114d

( 0 imports )


( 0 exports )
TrID : File type identification
DirectShow filter (65.5%)
Win64 Executable Generic (27.8%)
Win32 Executable Generic (2.7%)
Win32 Dynamic Link Library (generic) (2.4%)
Generic Win/DOS Executable (0.6%)
ssdeep: 6144:cou5fXeOZsb507TEXuK/DIIXJqfh6fAZkoJDsTDDfJDsTDDl:coqG0jGX/asls
PEiD : -
RDS : NSRL Reference Data Set



I clicked “Reanalyze File Now” and this is what I got:

File zipfldr.dll received on 2009.08.18 21:29:44 (UTC)
Current status: finished
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.18 -
AhnLab-V3 5.0.0.2 2009.08.18 -
AntiVir 7.9.1.3 2009.08.18 -
Antiy-AVL 2.0.3.7 2009.08.18 -
Authentium 5.1.2.4 2009.08.18 -
Avast 4.8.1335.0 2009.08.18 -
AVG 8.5.0.406 2009.08.18 -
BitDefender 7.2 2009.08.18 -
CAT-QuickHeal 10.00 2009.08.18 -
ClamAV 0.94.1 2009.08.18 -
Comodo 2015 2009.08.18 -
DrWeb 5.0.0.12182 2009.08.18 -
eSafe 7.0.17.0 2009.08.18 -
eTrust-Vet 31.6.6685 2009.08.18 -
F-Prot 4.4.4.56 2009.08.18 -
F-Secure 8.0.14470.0 2009.08.18 -
Fortinet 3.120.0.0 2009.08.18 -
GData 19 2009.08.18 -
Ikarus T3.1.1.68.0 2009.08.18 -
Jiangmin 11.0.800 2009.08.18 -
K7AntiVirus 7.10.821 2009.08.18 -
Kaspersky 7.0.0.125 2009.08.18 -
McAfee 5713 2009.08.18 -
McAfee+Artemis 5713 2009.08.18 -
McAfee-GW-Edition 6.8.5 2009.08.18 -
Microsoft 1.4903 2009.08.18 -
NOD32 4346 2009.08.18 -
Norman 6.01.09 2009.08.18 -
nProtect 2009.1.8.0 2009.08.18 -
Panda 10.0.0.14 2009.08.18 -
PCTools 4.4.2.0 2009.08.18 -
Prevx 3.0 2009.08.18 -
Rising 21.43.14.00 2009.08.18 -
Sophos 4.44.0 2009.08.18 -
Sunbelt 3.2.1858.2 2009.08.18 -
Symantec 1.4.4.12 2009.08.18 -
TheHacker 6.3.4.3.383 2009.08.13 -
TrendMicro 8.950.0.1094 2009.08.18 -
VBA32 3.12.10.9 2009.08.18 -
ViRobot 2009.8.18.1889 2009.08.18 -
VirusBuster 4.6.5.0 2009.08.18 -
Additional information
File size: 342016 bytes
MD5...: f41857e440a9df3fd5a543c8b2a53048
SHA1..: ae73fc3a7c3170f59ce2b046adbe20f4aa8cb256
SHA256: 72bf120c6e9df344d6b794f8fd84fff1eecdc37b9e548b93bf5c51da095bb6ad
ssdeep: 6144:cou5fXeOZsb507TEXuK/DIIXJqfh6fAZkoJDsTDDfJDsTDDl:coqG0jGX/asls
PEiD..: -
TrID..: File type identification
DirectShow filter (65.5%)
Win64 Executable Generic (27.8%)
Win32 Executable Generic (2.7%)
Win32 Dynamic Link Library (generic) (2.4%)
Generic Win/DOS Executable (0.6%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14cc8
timedatestamp.....: 0x4791a789 (Sat Jan 19 07:32:25 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30311 0x30400 6.68 952bdf55b356fde02cf6554bc7ed69d9
.data 0x32000 0x2108 0x1a00 4.93 2e34eb38ce14fd8001cb20d760079b7c
.rsrc 0x35000 0x1ebc8 0x1ec00 6.84 5bf8e3b7e2579b040f5955ad8f9d223f
.reloc 0x54000 0x2908 0x2a00 4.70 cbaf2d883ac719d54d3691e36f73114d

( 11 imports )
> msvcrt.dll: memset, swscanf_s, _vsnwprintf, _ismbstrail, memcpy, _XcptFilter, malloc, free, _errno, _getdrive, strchr, _vsnprintf, _getdcwd, _initterm, _amsg_exit, _adjust_fdiv, _except_handler4_common, mktime, atoi, calloc, time, gmtime, localtime, qsort, strncmp, memmove, _access
> ntdll.dll: WinSqmAddToStream
> KERNEL32.dll: GlobalFree, CompareStringW, LocalFree, CloseHandle, GetFileSizeEx, CreateFileW, LocalAlloc, FindClose, FindNextFileW, SetCurrentDirectoryW, FindFirstFileW, GetCurrentDirectoryW, lstrcmpiW, GetFileAttributesW, DeleteFileW, GetDiskFreeSpaceExW, GetShortPathNameW, GetTempPathW, InterlockedIncrement, InitializeSRWLock, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, InterlockedDecrement, GetFileAttributesExW, RemoveDirectoryW, GlobalUnlock, GlobalLock, SetFileTime, GetFileInformationByHandle, HeapAlloc, GetProcessHeap, HeapFree, DeleteCriticalSection, InitializeCriticalSection, DisableThreadLibraryCalls, CompareFileTime, GetLastError, GetFileTime, CreateDirectoryW, FormatMessageW, SetFileAttributesW, LeaveCriticalSection, EnterCriticalSection, lstrcmpW, TlsGetValue, TlsAlloc, TlsFree, InterlockedExchange, Sleep, InterlockedCompareExchange, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetDriveTypeW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GlobalHandle, GetDriveTypeA, ReadFile, CreateFileA, GlobalReAlloc, GlobalSize, SetFilePointer, FileTimeToDosDateTime, FileTimeToLocalFileTime, GetFileAttributesExA, IsDBCSLeadByte, DeleteFileA, GetFileAttributesA, lstrcmpiA, lstrlenA, lstrcmpA, CreateDirectoryA, SetFileAttributesA, WriteFile, DosDateTimeToFileTime, GetVolumeInformationA, GetCurrentDirectoryA, ReplaceFileA, RemoveDirectoryA, MoveFileA, SetVolumeLabelA, FindNextFileA, FindFirstFileA, GetDiskFreeSpaceA, GetDiskFreeSpaceExA, SetCurrentDirectoryA, GetTempFileNameA, FlushFileBuffers, GlobalAlloc, SystemTimeToFileTime, LocalFileTimeToFileTime, lstrlenW, GetCurrentThreadId, TlsSetValue, GetProcAddress, LoadLibraryW, GetModuleFileNameW, DeactivateActCtx, ActivateActCtx, ReleaseActCtx, CreateActCtxW, GetModuleHandleW, GetSystemTimeAsFileTime
> GDI32.dll: GetStockObject
> USER32.dll: CreateWindowExW, LoadStringW, CharNextW, InsertMenuW, RegisterClipboardFormatW, OemToCharBuffA, CharToOemA, GetAsyncKeyState, DestroyMenu, SetMenuDefaultItem, GetParent, GetWindowLongW, SetWindowLongW, PostMessageW, EnableWindow, GetDlgItem, SendMessageW, GetWindowTextW, GetWindowTextLengthW, SetWindowTextW, IsDlgButtonChecked, SetFocus, SetDlgItemTextW, DispatchMessageW, TranslateMessage, PeekMessageW, EndDialog, DeleteMenu, ShowCursor, SetCursor, LoadCursorW, CheckDlgButton, SendDlgItemMessageW, GetDlgItemTextW, SetForegroundWindow, DestroyIcon, GetWindowRect, DefWindowProcW, RegisterClassW, DestroyWindow, TrackPopupMenu, GetForegroundWindow, RemoveMenu, CharToOemBuffA, PeekMessageA, DispatchMessageA, CharLowerA, CharUpperA, CharNextA, CharPrevA, CharUpperBuffA, GetDesktopWindow, DialogBoxParamW, LoadMenuW, GetSubMenu
> ADVAPI32.dll: EventEnabled, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, EventUnregister, EventRegister, EventWrite
> SHELL32.dll: SHBrowseForFolderW, -, -, -, ShellExecuteExW, SHBindToParent, -, -, ExtractIconExW, SHGetStockIconInfo, SHGetFolderPathEx, SHGetSpecialFolderPathW, -, SHCreateItemFromIDList, -, AssocCreateForClasses, -, SHCreateDataObject, SHBindToFolderIDListParent, SHAddToRecentDocs, SHParseDisplayName, SHFileOperationA, -, SHBindToObject, ShellExecuteW, -, SHChangeNotifySuspendResume, -, -, -, -, -, -, -, SHFileOperationW, SHCreateItemFromParsingName, -, -, DragQueryFileW, SHGetPathFromIDListW, SHChangeNotify, -, SHGetFileInfoW, SHBindToFolderIDListParentEx, -
> PROPSYS.dll: VariantToBuffer, VariantCompare, VariantToPropVariant, PSFormatForDisplay, InitVariantFromFileTime, InitVariantFromBuffer
> ole32.dll: PropVariantClear, CoInitializeEx, CoUninitialize, CreateBindCtx, OleGetClipboard, CoAllowSetForegroundWindow, CoCreateInstance, CoTaskMemFree, CoGetInterfaceAndReleaseStream, CoMarshalInterThreadInterfaceInStream, ReleaseStgMedium, CoTaskMemAlloc, OleSetClipboard
> OLEAUT32.dll: -, -, -
> SHLWAPI.dll: -, StrCmpIW, StrCmpNIW, PathRemoveBlanksW, PathRemoveBackslashW, PathIsDirectoryW, PathFileExistsW, PathIsRelativeW, PathAddBackslashW, StrTrimW, SHCreateStreamOnFileEx, -, -, PathRemoveExtensionW, PathCompactPathW, StrChrW, StrCmpW, SHStrDupW, PathIsPrefixW, StrDupW, PathGetDriveNumberW, PathCanonicalizeW, PathMatchSpecExA, -, -, -, -, -, -, -, -, -, StrRetToBufW, -, -, PathStripToRootW, PathRemoveFileSpecW, PathSkipRootW, PathCombineW, PathFindExtensionW, -, PathIsUNCW, PathFindFileNameW, -, -, -, PathAppendW, StrFormatKBSizeW, -, -, -

( 3 exports )
DllCanUnloadNow, DllGetClassObject, RouteTheCall
PDFiD.: -
RDS...: NSRL Reference Data Set
-



I tried to update Adobe Reader but the following message appeared:

“Windows Installer

The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.”

There wasn’t any way I could figure out how to upgrade, so I installed Adobe Reader 9.1.


I uninstalled Adobe Flash Player and installed version 10.0.32.18.

I uninstalled Java and installed the version you told me to install.

Here is the DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Richard at 14:05:04.72 on Thu 08/20/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.958 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\BigFix\bigfix.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
c:\Users\Richard\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [BigFix] c:\program files\bigfix\bigfix.exe /atstartup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Skytel] Skytel.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\richard\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\erunt\AUTOBACK.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\richard\appdata\roaming\mozilla\firefox\profiles\rxxfi0r7.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-27 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-12 210216]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-6 810320]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-31 29744]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-08-20 13:59 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-11 22:51 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 22:51 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-08-11 22:51 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 22:51 213,504 a------- c:\windows\system32\msv1_0.dll
2009-08-11 22:51 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 22:51 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 22:51 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 22:51 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 13:57 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 13:57 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 13:56 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 13:56 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 13:56 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 13:56 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 13:56 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 13:56 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 13:56 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-11 13:56 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 13:56 160,256 a------- c:\windows\system32\wkssvc.dll
2009-07-29 16:32 <DIR> -cd----- c:\program files\Trend Micro
2009-07-29 16:22 <DIR> -cd----- C:\ERUNT
2009-07-29 14:09 318,976 a------- c:\windows\system32\CF14342.exe
2009-07-29 13:30 318,976 a------- c:\windows\system32\CF6609.exe
2009-07-27 18:22 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-27 18:22 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-27 18:21 <DIR> -cd----- c:\program files\SUPERAntiSpyware
2009-07-27 18:21 <DIR> --d----- c:\users\richard\appdata\roaming\SUPERAntiSpyware.com
2009-07-26 02:48 1,096 a------- c:\windows\wininit.ini

==================== Find3M ====================

2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 11:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 11:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 11:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-05-30 16:34 15,688 a------- c:\windows\system32\lsdelete.exe
2008-06-12 13:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-12 13:09 51,200 a------- c:\windows\inf\infpub.dat
2008-06-12 13:09 86,016 a------- c:\windows\inf\infstrng.dat
2008-06-12 13:09 86,016 a------- c:\windows\inf\infstor.dat
2008-03-30 01:27 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-07-28 18:51 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-07-28 18:51 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-07-28 18:51 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-01-24 17:49 8 ---shr-- c:\windows\system32\08436304EA.sys
2009-04-23 03:05 4,598 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-10-14 16:31 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-10-14 16:31 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-10-14 16:31 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:07:59.17 ===============

Thanks for your help.

Blade81
2009-08-20, 21:58
Yep. Looks like a false positive. Please update Spybot definitions and see if that file is still detected. If yes, then post here (http://forums.spybot.info/forumdisplay.php?f=16), please.

Wednesday
2009-08-22, 20:52
Thanks for all your help. I posted the Spybot report that showed Virtumonde in the false positive section. Do I get replies in that section that tell me how to fix the false positive problem?

Blade81
2009-08-22, 23:16
Yes, you'll be assisted there (I see Matt already posted some instructions for you) :)

Wednesday
2009-08-23, 17:06
Thanks again

Blade81
2009-08-23, 17:19
You're welcome :) I'll archive this topic now.