
Click.GiftLoad re-appearing and possible rootkit infection.



super.duper
2011-04-23, 20:43
Hi,

I have been reading other forums and it seems this has been going around a lot.
Well, basically I have a Click.GiftLoad that re-appears every time it is "removed."

The Windows OS is legitimate; nothing is torrented.
Here is my DDS.txt:

Thank you very much for your help; it is greatly appreciated.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 10:29:36.47 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.513 [GMT -7:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\User\My Documents\Downloads\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
mStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\search toolbar\tbhelper.dll
mWinlogon: Userinit=userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {9030d464-4c02-4abf-8ecc-5164760863c6} - Windows Live ID Sign-in Helper
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - JQSIEStartDetectorImpl Class
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\search toolbar\tbcore3.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [EPSON WorkForce 500 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieqa.exe /fu "c:\windows\temp\E_S308.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uExplorerRun: [Policies] c:\windows\install\javaupdate.exe
mExplorerRun: [Policies] c:\windows\install\javaupdate.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: &Search - ?s=100000341&p=GRxdm136YYUS&si=&a=4dVGR09GIOBoyvmLASuKpA&n=2010040317
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256651880125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
mASetup: {08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} - c:\windows\install\javaupdate.exe
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ljvrwzqo.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\microsoft.net\framework\v4.0.20506\wpf\NPWPF.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v4.0.20506\wpf\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-27 54752]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-10-27 135168]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-1 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110423.002\naveng.sys [2011-4-23 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110423.002\navex15.sys [2011-4-23 1393144]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-10-26 6016]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\microsoft.net\framework\v4.0.20506\mscorsvw.exe [2009-5-6 104272]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
.
=============== Created Last 30 ================
.
2011-04-22 16:07:24 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Trusteer
2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-22 04:00:17 -------- d-----w- c:\docume~1\user\applic~1\Trusteer
2011-04-22 04:00:11 -------- d-----w- c:\program files\Trusteer
2011-04-22 03:58:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2011-04-21 23:25:23 53248 ----a-w- c:\windows\system32\6to4v32.dll
2011-04-21 23:25:19 34816 ----a-w- c:\windows\system32\itlnfw32.dll
2011-04-21 23:25:19 215552 ----a-w- c:\windows\system32\itlpfw32.dll
2011-04-20 04:37:34 -------- d-----w- c:\docume~1\user\locals~1\applic~1\{14A884BB-57A8-45D0-A887-9F388313E24B}
2011-04-08 17:17:38 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_7Y250P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6654F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a66b7d0]; MOV EAX, [0x8a66b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A691AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000069[0x8A68EF18]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A68D940]
\Driver\atapi[0x8A697B78] -> IRP_MJ_CREATE -> 0x8A6654F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A66533B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:34:01.59 ===============

Sorry for the post; I was not able to edit the above.
I did some research and some of my other registry keys are altered, the same keys in the same way as the "TR/Alureon.DX.236".
The following is my S&D report. I removed some of it because this will only allow me to post 64000 characters.
--- Search result list ---
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-05-12 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-03-29 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-04-19 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti (*)
2010-12-28 Includes\Trojans.sbi (*)
2011-04-20 Includes\TrojansC-02.sbi (*)
2011-04-18 Includes\TrojansC-03.sbi (*)
2011-04-18 Includes\TrojansC-04.sbi (*)
2011-04-11 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

This is not a complete list; I tried to fit what I could.
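As an added, defender-side example (not part of this thread, and not code from DDS, GMER or Spybot), the script below runs a few triage checks over lines copied from the DDS log above: a CLSID that is not hexadecimal (the mASetup entry), one binary registered in several autostart locations, Policies\Explorer\Run entries, an orphaned toolbar registration, a hosts-file redirect of a security site to loopback, and the GMER disk-stack and hook findings. The indicator names and severities are this example's own choices, not anything the tools report.

```python
"""Triage checks over DDS "Pseudo HJT" and GMER rootkit-detector lines.

Added example for this thread; it is not code from DDS, GMER or Spybot, and the
indicator names and severities below are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the DDS log posted above (the last four
# come from its ROOTKIT section, which embeds GMER's detector output).
SAMPLE_LOG = r"""
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\search toolbar\tbhelper.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uExplorerRun: [Policies] c:\windows\install\javaupdate.exe
mExplorerRun: [Policies] c:\windows\install\javaupdate.exe
mASetup: {08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} - c:\windows\install\javaupdate.exe
Hosts: 127.0.0.1 www.spywareinfo.com
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6654F0]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A66533B
Warning: possible TDL3 rootkit infection !
"""

# Anything that looks like a CLSID, and the strict form a real one must have
# (8-4-4-4-12 hexadecimal digits). Forged entries often get the alphabet wrong.
GUID_TOKEN = re.compile(r"\{[0-9A-Za-z-]+\}")
STRICT_GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# A Windows path ending in an executable image; spaces are allowed.
EXE_PATH = re.compile(r'[a-zA-Z]:\\[^"\[\]]+?\.(?:exe|dll|sys|com)\b', re.IGNORECASE)
# DDS line prefixes that describe autostart registrations.
AUTOSTART_KEYS = {"uRun", "mRun", "dRun", "uExplorerRun", "mExplorerRun",
                  "mASetup", "StartupFolder"}

Finding = Tuple[str, str, str]  # (severity, indicator, evidence)


def triage(text: str) -> List[Finding]:
    """Return one finding per suspicious observation in a DDS/GMER log."""
    findings: List[Finding] = []
    autostart_targets: Dict[str, List[str]] = {}
    in_hooks = False
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        key, _, rest = line.partition(":")
        # 1. Every CLSID on the line must be purely hexadecimal.
        for token in GUID_TOKEN.findall(line):
            if not STRICT_GUID.match(token):
                findings.append(("high", "non-hex CLSID " + token, line))
        # 2. Autostart entries: remember which locations point at which file.
        if key in AUTOSTART_KEYS:
            match = EXE_PATH.search(rest)
            if match:
                autostart_targets.setdefault(match.group(0).lower(), []).append(key)
            if "ExplorerRun" in key:  # Policies\Explorer\Run is rarely used legitimately
                findings.append(("medium", "autostart via Policies\\Explorer\\Run", line))
        # 3. Registrations whose file is gone (leftover toolbar/BHO entries).
        if rest.strip().endswith("- No File"):
            findings.append(("low", "registration with missing file", line))
        # 4. DDS lists only non-default hosts entries; loopback redirects of
        #    security sites are a classic way to block help and updates.
        if key == "Hosts":
            parts = rest.split()
            if len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1") \
                    and not parts[1].startswith("localhost"):
                findings.append(("high", f"hosts file redirects {parts[1]} to loopback", line))
        # 5. GMER: an unnamed module in the disk I/O path, hooked driver
        #    entry points, and the detector's own warning line.
        if ">>UNKNOWN" in line:
            findings.append(("high", "unknown module in disk I/O stack", line))
        if line.startswith("detected hooks"):
            in_hooks = True
            continue
        if in_hooks:
            if "->" in line:
                findings.append(("high", "kernel hook: " + line.split("->")[0].strip(), line))
            else:
                in_hooks = False  # first line without an arrow ends the hook list
        if line.lower().startswith("warning:"):
            findings.append(("high", "scanner warning", line))
    # 6. One binary registered in several autostart locations is redundant
    #    persistence, which legitimate software almost never needs.
    for target, keys in autostart_targets.items():
        if len(keys) >= 2:
            findings.append(("high", f"{target} registered in {len(keys)} autostart "
                                     f"locations: {', '.join(keys)}", target))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' for a clean log."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f[0] for f in findings), key=order.__getitem__, default="none")


if __name__ == "__main__":
    for sev, what, evidence in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {what}\n         {evidence}")
```

Against the sample the script reports nine findings; the three-location registration of the same javaupdate.exe and the non-hexadecimal CLSID are visible in the log without any scanner signature, which is the point of reading these reports by hand.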

ken545
2011-04-26, 01:42


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


You're infected with a nasty rootkit. I am going to ask you to run TDSSKiller, but the variant you have may prevent it from running, and if that's the case we will use another method to remove it.


Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if malicious objects are found, ensure Cure is selected.
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

super.duper
2011-04-26, 02:46
Great, you're online. And may I thank you once again for your help. You were right; the TDSSKiller did not work.

Also, after I attempted it I restarted my computer and got this Spybot S&D message:


Process ID 208
Scchost.exe

C:\\Windows\system32\win32.Shark.bw


This has a very severe threat level, if I am correct.
This backdoor is related to the other problem?

Thanks. I will disconnect my internet and leave it only connected when I check this forum.

ken545
2011-04-26, 03:36
What's going on is your Master Boot Record is infected. I need you to run Combofix. When Combofix runs it will check to see if you have a Recovery Console and, if not, it will prompt you to install one; do so, because we are going to need to fix your MBR through the Recovery Console.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

super.duper
2011-04-26, 03:59
I will do it now. I'll be back when it is done. In the case that this does not work, what would be next? I just hope it doesn't come to that.

super.duper
2011-04-26, 04:03
Before it is actually saved it has to be renamed "Combo-Fix", correct? Do I need to add an extension such as "exe"?

super.duper
2011-04-26, 05:05
ComboFix 11-04-25.02 - User 04/25/2011 18:33:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1304 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\p18_812875.dll
c:\documents and settings\All Users\Application Data\Toolbar4
c:\documents and settings\User\Application Data\logs.dat
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}\install.rdf
c:\documents and settings\User\WINDOWS
c:\program files\Search Toolbar
c:\program files\Search Toolbar\basis.xml
c:\program files\Search Toolbar\bg.bmp
c:\program files\Search Toolbar\bing_logo.png
c:\program files\Search Toolbar\celebrity.png
c:\program files\Search Toolbar\drop_images.png
c:\program files\Search Toolbar\drop_maps.png
c:\program files\Search Toolbar\drop_news.png
c:\program files\Search Toolbar\drop_videos.png
c:\program files\Search Toolbar\drop_web.png
c:\program files\Search Toolbar\facebook.png
c:\program files\Search Toolbar\favicon.png
c:\program files\Search Toolbar\games.png
c:\program files\Search Toolbar\hotmail.png
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\images.png
c:\program files\Search Toolbar\include.xml
c:\program files\Search Toolbar\info.txt
c:\program files\Search Toolbar\lifestyle.png
c:\program files\Search Toolbar\maps.png
c:\program files\Search Toolbar\messenger.png
c:\program files\Search Toolbar\msn.png
c:\program files\Search Toolbar\news.png
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\tbcore3.dll
c:\program files\Search Toolbar\tbhelper.dll
c:\program files\Search Toolbar\twitter.png
c:\program files\Search Toolbar\uninstall.exe
c:\program files\Search Toolbar\update.exe
c:\program files\Search Toolbar\version.txt
c:\program files\Search Toolbar\video.png
c:\program files\Search Toolbar\videos.png
c:\program files\Search Toolbar\weather.png
c:\program files\Search Toolbar\web.png
c:\windows\Install
c:\windows\system32\certstore.dat
c:\windows\system32\itlnfw32.dll
c:\windows\wuasirvy.dll
.
Infected copy of c:\windows\system32\clipsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\clipsrv.exe
.
Infected copy of c:\windows\system32\alg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\alg.exe
.
Infected copy of c:\windows\system32\cisvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cisvc.exe
.
Infected copy of c:\windows\system32\dllhost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dllhost.exe
.
Infected copy of c:\windows\system32\dmadmin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dmadmin.exe
.
Infected copy of c:\windows\system32\imapi.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imapi.exe
.
Infected copy of c:\windows\system32\locator.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\locator.exe
.
Infected copy of c:\windows\system32\mnmsrvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mnmsrvc.exe
.
Infected copy of c:\windows\system32\msdtc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msdtc.exe
.
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msiexec.exe
.
Infected copy of c:\windows\system32\netdde.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netdde.exe
.
Infected copy of c:\windows\system32\rsvp.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rsvp.exe
.
Infected copy of c:\windows\system32\scardsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\scardsvr.exe
.
Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sessmgr.exe
.
Infected copy of c:\windows\system32\smlogsvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\smlogsvc.exe
.
Infected copy of c:\windows\system32\tlntsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\tlntsvr.exe
.
Infected copy of c:\windows\system32\ups.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ups.exe
.
Infected copy of c:\windows\system32\vssvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\vssvc.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-26 01:52 . 2011-04-26 01:52 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-04-26 01:52 . 2011-04-26 01:52 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-04-26 01:52 . 2011-04-26 01:52 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-04-26 01:52 . 2011-04-26 01:52 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-04-26 01:52 . 2011-04-26 01:52 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-04-26 01:52 . 2011-04-26 01:52 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-04-26 01:52 . 2011-04-26 01:52 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-04-26 01:52 . 2011-04-26 01:52 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-04-26 01:52 . 2011-04-26 01:52 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-04-26 01:52 . 2011-04-26 01:52 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-04-26 01:52 . 2011-04-26 01:52 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-04-26 01:52 . 2011-04-26 01:52 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-04-26 01:51 . 2011-04-26 01:51 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-04-26 01:51 . 2011-04-26 01:51 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-04-26 01:51 . 2011-04-26 01:51 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-04-26 01:51 . 2011-04-26 01:51 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-04-26 01:51 . 2011-04-26 01:51 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-04-23 22:01 . 2011-04-23 22:01 -------- d-----w- c:\program files\Safer Networking
2011-04-23 17:23 . 2011-04-23 17:23 -------- d-----w- c:\program files\ERUNT
2011-04-23 00:39 . 2011-04-23 00:39 -------- d-----w- c:\documents and settings\Administrator.INTEL\Application Data\Trusteer
2011-04-22 16:07 . 2011-04-22 16:07 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Trusteer
2011-04-22 15:58 . 2011-04-22 15:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-22 05:30 . 2011-04-22 05:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2011-04-22 05:29 . 2011-04-22 05:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-22 04:00 . 2011-04-22 04:00 -------- d-----w- c:\documents and settings\User\Application Data\Trusteer
2011-04-22 04:00 . 2011-04-22 04:00 -------- d-----w- c:\program files\Trusteer
2011-04-22 03:58 . 2011-04-22 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2011-04-22 03:42 . 2011-04-22 03:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-04-20 15:52 . 2011-04-22 03:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-19 20:35 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-04-16 03:50 . 2011-04-16 03:50 -------- d-----w- c:\documents and settings\User\Application Data\EPSON
2011-04-08 17:17 . 2011-04-08 17:17 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 01:53 . 2004-08-04 07:56 400384 ----a-w- c:\windows\system32\vssvc.exe
2011-04-26 01:53 . 2004-08-04 07:56 129024 ----a-w- c:\windows\system32\ups.exe
2011-04-26 01:53 . 2004-08-04 07:56 183808 ----a-w- c:\windows\system32\tlntsvr.exe
2011-04-26 01:53 . 2004-08-04 07:56 200192 ----a-w- c:\windows\system32\smlogsvc.exe
2011-04-26 01:53 . 2004-08-04 07:56 206336 ----a-w- c:\windows\system32\scardsvr.exe
2011-04-26 01:53 . 2004-08-04 07:56 185856 ----a-w- c:\windows\system32\locator.exe
2011-04-26 01:52 . 2004-08-04 07:56 221696 ----a-w- c:\windows\system32\netdde.exe
2011-04-26 01:52 . 2009-10-27 06:55 116736 ----a-w- c:\windows\system32\msdtc.exe
2011-04-26 01:52 . 2004-08-04 07:56 143872 ----a-w- c:\windows\system32\clipsrv.exe
2011-04-26 01:52 . 2004-08-04 07:56 116224 ----a-w- c:\windows\system32\cisvc.exe
2011-04-26 01:52 . 2004-08-04 07:56 155136 ----a-w- c:\windows\system32\alg.exe
2011-03-07 05:33 . 2009-10-27 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 07:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-03 23:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2004-08-03 22:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-03 23:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-03 23:14 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-10-27 11:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 07:56 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 07:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 07:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 07:56 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 07:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-10-27 06:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-10-27 06:55 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Rapportexe"="c:\program files\Trusteer\Rapport\bin\RapportService.exe" [2011-04-08 1550136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-10-27 25214]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= "qvphook.dll" [2002-04-10 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ijjiOptimizer.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58954:TCP"= 58954:TCP:Pando Media Booster
"58954:UDP"= 58954:UDP:Pando Media Booster
.
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [10/27/2009 1:33 AM 135168]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/1/2011 8:02 PM 102448]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [10/26/2009 12:34 PM 6016]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe [5/6/2009 10:08 AM 104272]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-04-09 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2002-08-30 05:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ljvrwzqo.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
AddRemove-Yahoo! BrowserPlus - c:\documents and settings\User\Local Settings\Application Data\Yahoo!\BrowserPlus\BrowserPlusUninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 18:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_7Y250P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A66633B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3252)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\msiexec.exe
c:\windows\system32\sessmgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\progra~1\NORTON~1\SPEEDD~1\nopdb.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-25 19:00:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-26 02:00
.
Pre-Run: 186,559,680,512 bytes free
Post-Run: 187,589,365,760 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 355F0270281334F237357C2A4E659BE0
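The ComboFix log above packs the findings a responder actually reads first into a few sections: the GMER MBR-detector block (did the user-mode and kernel-mode reads of sector 0 agree, and which driver dispatch routines are hooked), the firewall AuthorizedApplications list, the GloballyOpenPorts list, and the Find3M listing of recently written system files. As an added example that is not part of the original post and not ComboFix's own logic, here is a small Python triage script that pulls those sections out of a log and flags the items worth checking first: any hooked dispatch routine in the disk stack, a disagreement between the two MBR reads, firewall exceptions for binaries under IE's Downloaded Program Files folder or a user profile, open ports, and system32 binaries written within a few days of the scan. The excerpt is constructed from lines of the log above; the severity levels, the `SUSPECT_DIRS` list and the seven-day window are the editor's own assumptions.

```python
"""Triage a ComboFix log: the sections a responder reads first, with flags.

Added example for this thread, not part of ComboFix or of the original post.
The flagging rules are the editor's own heuristics, not ComboFix's logic.
"""
import re
from datetime import datetime, timedelta

FIND3M_RE = re.compile(
    r"^(?P<written>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<created>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
HOOK_RE = re.compile(r"^(?P<driver>\\Driver\\\S+)\s+(?P<routine>\S+)\s+->\s+(?P<addr>0x[0-9A-Fa-f]+)$")
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')
COMPLETION_RE = re.compile(r"^Completion time: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", re.M)

BINARY_EXT = {"exe", "dll", "sys", "cpl", "ocx", "drv", "scr"}
# Firewall exceptions pointing here deserve a look: IE's ActiveX drop folder,
# temp folders and user profiles (assumed list, extend as needed).
SUSPECT_DIRS = ("downloaded program files", "\\temp\\", "documents and settings")


def triage(log_text, recent_days=7):
    """Return (severity, message) pairs in log order."""
    findings = []
    m = COMPLETION_RE.search(log_text)
    scan_time = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None
    section, in_hooks = None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):        # registry key header
            key = line.lower()
            section = ("fw_apps" if "authorizedapplications" in key
                       else "fw_ports" if "globallyopenports" in key else None)
            continue
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            h = HOOK_RE.match(line)
            if h:
                findings.append(("HIGH", "kernel hook: %s %s -> %s"
                                 % (h["driver"], h["routine"], h["addr"])))
                continue
            in_hooks = False                                    # block ends at first non-hook line
        if line.startswith("user") and "kernel MBR" in line:    # GMER's verdict line
            findings.append(("INFO" if line.endswith("OK") else "HIGH", "MBR: " + line))
        if section == "fw_apps":
            fa = FW_APP_RE.match(line)
            if fa:
                path = fa["path"].replace("\\\\", "\\")         # registry export doubles backslashes
                if any(d in path.lower() for d in SUSPECT_DIRS):
                    findings.append(("MEDIUM", "firewall exception for " + path))
        elif section == "fw_ports":
            p = PORT_RE.match(line)
            if p:
                findings.append(("INFO", "port %s/%s open for %s"
                                 % (p["port"], p["proto"], p["name"])))
        f = FIND3M_RE.match(line)
        if f and scan_time:
            # ComboFix prints file times in UTC but the completion time in local
            # time (GMT -7 on this machine), so let the window run either way round.
            written = datetime.strptime(f["written"], "%Y-%m-%d %H:%M")
            path = f["path"].lower()
            if ("\\system32\\" in path and path.rsplit(".", 1)[-1] in BINARY_EXT
                    and abs(scan_time - written) <= timedelta(days=recent_days)):
                findings.append(("MEDIUM", "system binary written %s: %s"
                                 % (f["written"], f["path"])))
    return findings


# Excerpt constructed from lines of the log posted above (a few per section).
SAMPLE_LOG = r"""
2011-04-26 01:53 . 2004-08-04 07:56 400384 ----a-w- c:\windows\system32\vssvc.exe
2011-03-03 13:21 . 2004-08-03 23:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-04-08 17:17 . 2011-04-08 17:17 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ijjiOptimizer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58954:TCP"= 58954:TCP:Pando Media Booster
"58954:UDP"= 58954:UDP:Pando Media Booster
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A66633B
user & kernel MBR OK
.
Completion time: 2011-04-25 19:00:33 - machine was rebooted
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(severity.ljust(6), message)
```

Run it against a saved ComboFix.txt by reading the file into `triage()`; the one line it always promotes to HIGH is a hooked dispatch routine in the disk stack, because whichever family put it there, it is sitting below the file system and the antivirus, and a "MBR OK" verdict says nothing about it.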

super.duper
2011-04-26, 07:36
Anything on what changes to the registry would allow Spybot to make changes?

ken545
2011-04-26, 11:31
You have a lot of nasty things going on on this system, and it's most likely caused by sharing files during the games you're playing.

Let's disable the TeaTimer.


Disable the TeaTimer and leave it disabled; do not turn it back on until we're done, or it will prevent fixes from taking.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left-hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.

Earlier on, ComboFix installed the Recovery Console. We're going to use that now.


Reboot your machine, and when the Boot Menu flashes up, select "Microsoft Windows Recovery Console".
(You need to be very fast with the arrow key, as you only have a couple of seconds before it defaults to the Windows XP boot-up.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RC_BootMenu.gif


When you get to the above screen, take note of the number that references your operating system.

http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_A.png

If it's '1' like the picture above, type 1 and press Enter.
It will then prompt you for the Administrator's password. If there is no password, simply press Enter. Otherwise, type in the password and then press Enter.


http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_Fixmbr.png


Next, type FIXMBR


http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_FixmbrB.png

If it asks if you're sure you want to write a new MBR, answer 'Y'.
Then type EXIT to reboot the machine.
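FIXMBR is a narrower operation than its name suggests: it rewrites the boot-loader code at the start of sector 0 and leaves the 64-byte partition table and the 0x55AA signature in place, which is why it is safe on a disk whose partition table is intact and why it overwrites any third-party boot manager that lives there. It changes nothing stored inside the file system, so re-running the scans afterwards, as the next post asks for, is the right follow-up. The GMER detector's "user & kernel MBR OK" line compares that same sector as read from user mode with what its own driver reads. As an added illustration, not from the original post and not Microsoft's implementation, here is a Python sketch that parses a 512-byte MBR, runs the sanity checks a responder would want before trusting, hashing or rewriting the sector, and performs the same kind of boot-code-only replacement on a constructed sample. The sample loader bytes, the tampered variant, the "known-good" reference hash and the disk signature are all made up for the example.

```python
"""Parse and validate a classic 512-byte MBR, then rewrite only its boot code.

Added example for this thread: not Microsoft's FIXMBR and not from the original
post. The sample sector, its boot code and the 'known-good' reference are made up.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
CODE_LEN = 440            # bytes 0..439: loader code, the part a FIXMBR-style repair replaces
DISK_SIG_OFF = 440        # bytes 440..445: NT disk signature + 2 reserved bytes, kept as-is
TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries, kept as-is
SIGNATURE = b"\x55\xAA"   # bytes 510..511


@dataclass
class Partition:
    status: int      # 0x80 = bootable, 0x00 = inactive, anything else is malformed
    type_id: int     # 0x07 = NTFS, 0x00 = empty slot
    lba_start: int
    sectors: int

    @property
    def bootable(self):
        return self.status == 0x80


def parse_partitions(mbr):
    """Decode the four partition-table entries (empty slots have type 0)."""
    parts = []
    for i in range(4):
        status, _chs_first, ptype, _chs_last, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, TABLE_OFF + 16 * i)
        parts.append(Partition(status, ptype, lba, count))
    return parts


def validate(mbr):
    """Sanity checks to run before trusting, hashing or rewriting a sector."""
    if len(mbr) != SECTOR:
        return ["sector is %d bytes, expected %d" % (len(mbr), SECTOR)]
    problems = []
    if mbr[510:512] != SIGNATURE:
        problems.append("missing 0x55AA signature")
    parts = parse_partitions(mbr)
    active = sum(p.bootable for p in parts)
    if active != 1:
        problems.append("expected exactly one active partition, found %d" % active)
    for i, p in enumerate(parts):
        if p.status not in (0x00, 0x80):
            problems.append("entry %d has invalid status byte 0x%02x" % (i, p.status))
        if p.type_id and p.lba_start == 0:
            problems.append("entry %d (type 0x%02x) starts at LBA 0" % (i, p.type_id))
    return problems


def boot_code_matches(mbr, reference_sha256):
    """Compare only the loader-code region against a hash of a known-good loader."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest() == reference_sha256


def rewrite_boot_code(mbr, clean_code):
    """What a FIXMBR-style repair does: replace bytes 0..439 and keep everything after."""
    if len(clean_code) > CODE_LEN:
        raise ValueError("boot code longer than %d bytes" % CODE_LEN)
    return clean_code.ljust(CODE_LEN, b"\x00") + mbr[CODE_LEN:]


# --- constructed sample disk (not the Maxtor drive from the log) ---------------
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16   # made-up loader stub
CLEAN_CODE_SHA256 = hashlib.sha256(CLEAN_CODE.ljust(CODE_LEN, b"\x00")).hexdigest()
TAMPERED_CODE = b"\xEB\x05" + b"\xCC" * 40                         # made-up: not the clean stub
DISK_SIG = b"\x12\x34\x56\x78\x00\x00"                              # made-up NT disk signature


def build_sample_mbr(boot_code):
    """One bootable NTFS partition at LBA 63, the usual single-partition XP layout."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 488392002)
    return boot_code.ljust(CODE_LEN, b"\x00") + DISK_SIG + entry + b"\x00" * 48 + SIGNATURE


if __name__ == "__main__":
    infected = build_sample_mbr(TAMPERED_CODE)
    print("structure problems:", validate(infected) or "none")
    print("boot code matches reference:", boot_code_matches(infected, CLEAN_CODE_SHA256))
    repaired = rewrite_boot_code(infected, CLEAN_CODE)
    print("after rewrite:", boot_code_matches(repaired, CLEAN_CODE_SHA256))
    print("partition table unchanged:", parse_partitions(repaired) == parse_partitions(infected))
```

On a real machine the sector would be the first 512 bytes of \\.\PhysicalDrive0, read with administrator rights, and the reference hash would come from a loader you trust, such as the same Windows version on a known-clean disk. The point the sample makes is that a structurally valid MBR (no problems reported) can still carry the wrong loader code, which is exactly the case a hash comparison catches and a partition-table check does not.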

super.duper
2011-04-27, 02:22
Done. :rockon:

ken545
2011-04-27, 03:06
:bigthumb: Nice job. These rootkits sometimes bring friends along with them; let's check.

First, run DDS and post a new log, and let's make sure it's gone.

Then run these in order:

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot-up.
Please note: if you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.

super.duper
2011-04-27, 03:23
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 17:17:05.29 on Tue 04/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1247 [GMT -7:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User\My Documents\Downloads\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page =
mStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
mWinlogon: Userinit=userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {9030d464-4c02-4abf-8ecc-5164760863c6} - Windows Live ID Sign-in Helper
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256651880125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ljvrwzqo.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\microsoft.net\framework\v4.0.20506\wpf\NPWPF.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v4.0.20506\wpf\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-27 54752]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-10-27 135168]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-1 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110425.002\naveng.sys [2011-4-25 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110425.002\navex15.sys [2011-4-25 1393144]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-10-26 6016]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\microsoft.net\framework\v4.0.20506\mscorsvw.exe [2009-5-6 104272]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
.
=============== Created Last 30 ================
.
2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.vir
2011-04-26 01:31:30 -------- d-sha-r- C:\cmdcons
2011-04-26 01:26:00 98816 ----a-w- c:\windows\sed.exe
2011-04-26 01:26:00 89088 ----a-w- c:\windows\MBR.exe
2011-04-26 01:26:00 256512 ----a-w- c:\windows\PEV.exe
2011-04-26 01:26:00 161792 ----a-w- c:\windows\SWREG.exe
2011-04-23 22:01:11 -------- d-----w- c:\program files\Safer Networking
2011-04-22 16:07:24 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Trusteer
2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-22 04:00:17 -------- d-----w- c:\docume~1\user\applic~1\Trusteer
2011-04-22 04:00:11 -------- d-----w- c:\program files\Trusteer
2011-04-22 03:58:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2011-04-08 17:17:38 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2011-04-27 00:17:28 143360 ----a-w- c:\windows\system32\mnmsrvc.vir
2011-04-27 00:17:21 261120 ----a-w- c:\windows\system32\imapi.exe
2011-04-26 23:59:56 146432 ----a-w- c:\windows\system32\rcimlby.exe
2011-04-26 23:59:31 457728 ----a-w- c:\windows\system32\tourstart.exe
2011-04-26 23:59:27 253952 ----a-w- c:\windows\system32\mobsync.exe
2011-04-26 23:59:22 179712 ----a-w- c:\windows\system32\notepad.exe
2011-04-26 23:59:03 499712 ----a-w- c:\windows\system32\cmd.exe
2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.exe
2011-04-26 04:41:26 326144 ----a-w- c:\windows\system32\osk.exe
2011-04-26 04:41:20 164352 ----a-w- c:\windows\system32\narrator.exe
2011-04-26 04:41:13 183296 ----a-w- c:\windows\system32\magnify.exe
2011-04-26 01:53:44 400384 ----a-w- c:\windows\system32\vssvc.exe
2011-04-26 01:53:34 129024 ----a-w- c:\windows\system32\ups.exe
2011-04-26 01:53:25 183808 ----a-w- c:\windows\system32\tlntsvr.exe
2011-04-26 01:53:16 200192 ----a-w- c:\windows\system32\smlogsvc.exe
2011-04-26 01:53:03 206336 ----a-w- c:\windows\system32\scardsvr.exe
2011-04-26 01:53:02 185856 ----a-w- c:\windows\system32\locator.exe
2011-04-26 01:52:57 221696 ----a-w- c:\windows\system32\netdde.exe
2011-04-26 01:52:48 116736 ----a-w- c:\windows\system32\msdtc.exe
2011-04-26 01:52:22 143872 ----a-w- c:\windows\system32\clipsrv.exe
2011-04-26 01:52:14 116224 ----a-w- c:\windows\system32\cisvc.exe
2011-04-26 01:52:03 155136 ----a-w- c:\windows\system32\alg.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 17:18:25.18 ===============


PS. When making pesto, adding peas may add body and give it a slightly sweeter flavor. If you buy pre-made pesto, such as Kirkland's for example, adding peas is an excellent idea. :D: :rockon:

super.duper
2011-04-27, 03:29
I have these 2 files on my local disk that I believe may be associated with the problem; they're each roughly 2 million to 3 million KB.

super.duper
2011-04-27, 05:25
I have these 2 files on my local disk that I believe may be associated with the problem; they're each roughly 2 million to 3 million KB.

hiberfil.sys
and

pagefile.sys. I will not touch them, but do you suggest using File Assassin, which comes with Malwarebytes? I DID previously try using the file shredder in Spybot, because at that moment I felt 100% sure they were bad, since I had never seen them before. I'll wait for your advice.

Here is my Malwarebytes report. I did a full scan; I do hope that is OK with you.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6451

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/26/2011 7:00:36 PM
mbam-log-2011-04-26 (19-00-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 248252
Time elapsed: 58 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
c:\WINDOWS\system32\notepad.exe (Trojan.FakeMS) -> 1936 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\notepad.exe (Trojan.FakeMS) -> Delete on reboot.
c:\program files\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\WINDOWS\aputumuf.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\calc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\utilman.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\utilman.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.



I cleaned the risks and they were deleted.

This is a quick scan I ran after I re-booted the system to fix some problems.
:thanks:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6451

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/26/2011 7:20:59 PM
mbam-log-2011-04-26 (19-20-59).txt

Scan type: Quick scan
Objects scanned: 180837
Time elapsed: 8 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
:thanks::rockon:

super.duper
2011-04-27, 05:37
Just in case you're interested.

My Symantec picks up this on the auto-protect.
Suspicious.MH690

Location is Microsoft Outlook.

I am going to run a full scan using this antivirus; however, I won't take any action on the files.

:banana::wav::wav::thanks: Sorry, the emotes are tempting. :red:

ken545
2011-04-27, 11:35
Those files you mentioned are legit Windows files, so leave them be.

You may have an email in Outlook with a bad link or attachment; you may want to open all those folders and delete what you don't need.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and the scan runs faster.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the "ESET Online Scanner" button.
For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
Click on "ESET Smart Installer" to download the ESET Smart Installer. Save it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.

Check "YES, I accept the Terms of Use".
Click the "Start" button.
Accept any security warnings from your browser.
Check "Scan archives".
Make sure that the option "Remove found threats" is Unchecked.
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push "List of found threats".
Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the "Back" button.
Push "Finish".
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
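
The DDS listing posted earlier in the thread (the "Created Last 30" and "Find3M" sections above) is what a helper reads to spot system binaries rewritten after the install date, and the .vir copies left beside them. The Python below is an added example, not code from this thread or from DDS, Malwarebytes or ESET: it parses lines in that listing format and flags two things, system32 executables modified within a week of the log date, and .vir copies whose size and timestamp match the live file, as utilman.exe and utilman.vir do above. Assumptions, labelled in the code as well: the log date is taken as 2011-04-27 (the FINISH line carries only a time), a <stem>.vir in system32 is the renamed copy of <stem>.exe, and the sample input is a handful of lines copied from the listing above.

```python
import re
from datetime import datetime, timedelta

# One DDS listing line: "<date> <time> <size-or-dashes> <attrs> <path>".
# The path may contain spaces, so it is matched lazily up to end of line.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S+)\s+(.+?)\s*$"
)

# Sample input: entries copied from the Find3M / Created Last 30 sections
# of the DDS log in this thread (constructed subset, not the full log).
SAMPLE_LISTING = r"""
2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.vir
2011-04-23 22:01:11 -------- d-----w- c:\program files\Safer Networking
2011-04-27 00:17:28 143360 ----a-w- c:\windows\system32\mnmsrvc.vir
2011-04-26 23:59:22 179712 ----a-w- c:\windows\system32\notepad.exe
2011-04-26 23:59:03 499712 ----a-w- c:\windows\system32\cmd.exe
2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.exe
2011-04-26 04:41:26 326144 ----a-w- c:\windows\system32\osk.exe
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
"""

# Assumption: the log was finished on 2011-04-27 (the FINISH line in the
# thread carries only a time; the latest Find3M entry is from that date).
LOG_TIME = datetime(2011, 4, 27, 17, 18, 25)

BINARY_EXTS = ("exe", "dll", "sys")


def parse_listing(text):
    """Parse DDS listing lines into dicts; directory entries get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, blank lines, "." separators
        stamp, size, attrs, path = m.groups()
        name = path.rsplit("\\", 1)[-1].lower()
        entries.append({
            "mtime": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "size": int(size) if size.isdigit() else None,
            "attrs": attrs,
            "path": path.lower(),
            "name": name,
            "ext": name.rsplit(".", 1)[-1] if "." in name else "",
            "is_dir": attrs.startswith("d"),
        })
    return entries


def recent_system_binaries(entries, log_time=LOG_TIME, days=7,
                           prefix="c:\\windows\\system32\\"):
    """Names of executables under system32 modified within `days` of log_time.

    Caveat: Windows Update also rewrites system32 binaries (win32k.sys and
    wininet.dll in the sample carry ordinary patch dates), so a hit here is a
    lead to check against a known-good hash and the KB release dates, not a verdict.
    """
    cutoff = log_time - timedelta(days=days)
    return sorted(
        e["name"] for e in entries
        if not e["is_dir"]
        and e["path"].startswith(prefix)
        and e["ext"] in BINARY_EXTS
        and cutoff <= e["mtime"] <= log_time
    )


def pair_vir_copies(entries):
    """Match each <stem>.vir copy to the live <stem>.exe in the same directory.

    Assumption: a .vir file is the renamed original left behind by a removal
    tool, and its live counterpart has the .exe extension. When the live file
    has the same size and mtime as its .vir copy, the "clean" binary deserves
    a hash comparison against a known-good copy rather than trust.
    """
    by_path = {e["path"]: e for e in entries if not e["is_dir"]}
    pairs = []
    for e in entries:
        if e["ext"] != "vir":
            continue
        live_path = e["path"][: -len("vir")] + "exe"
        live = by_path.get(live_path)
        pairs.append({
            "vir": e["path"],
            "live": live["path"] if live else None,
            "same_size": bool(live) and live["size"] == e["size"],
            "same_mtime": bool(live) and live["mtime"] == e["mtime"],
        })
    return pairs


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print("recently modified system32 binaries:", recent_system_binaries(found))
    for pair in pair_vir_copies(found):
        print(pair)
```

Treat the output as leads, not verdicts: the check pairs a .vir copy with its live file and flags recent modification, but only a hash comparison against a known-good binary (or a full rescan, as the helper asks for) says whether the live file is clean.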

super.duper
2011-04-27, 20:19
C:\111\D865PERL\LAN_allOS_11.2_PV_TL3_132319_FULL\APPS\ASF\Win32\AGENT\Setup.exe a variant of Win32/Expiro.T virus
C:\111\D865PERL\LAN_allOS_11.2_PV_TL3_132319_FULL\APPS\iSCSI\Win32\iSCSIApp.exe a variant of Win32/Expiro.T virus
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE a variant of Win32/Expiro.T virus
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE a variant of Win32/Expiro.T virus
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch3.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ljvrwzqo.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js JS/Redirector.NBI trojan
C:\Documents and Settings\User\Desktop\iFunBox.exe a variant of Win32/Expiro.T virus
C:\Documents and Settings\User\Desktop\iFunBox.vir a variant of Win32/Expiro.T virus
C:\Documents and Settings\User\Local Settings\Tempwinconfig.vbs VBS/TrojanDownloader.Agent.NDV trojan
C:\Documents and Settings\User\temp\TeamViewer\Version5\install.exe a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\Sprint.exe a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\TrigrammsInstaller.exe a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\Scan\ScanMan6.exe a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\Scan\Twain\TWUNK_32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\Support\Ainfo.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\plug_ins\PaperCapture\Server\Roman\capserve.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\Acrobat Elements.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\AEEnable.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\DLSLdr.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\install.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\RemADI.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\RemDev.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\Remove.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\SMAgentI.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\SMAgentX.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\SMax4Wiz.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\PrintCreations.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\PrintCreationsCF.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\PrintCreationsDL.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\PrintCreationsUP.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\Help\htmindex.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CAL\CALMAIN.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CAL\CALWLESS.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncher.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncherDVC6.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraWindowCompDVC6.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CamSetDlg.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\DirectTransfer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\MyCameraDVC6.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\CameraLauncher.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\MyCamera\MyCamera.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\MyCameraDC\MyCameraDC.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\RCTask.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPBatch.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPEditor.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPLensViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPPrinter.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPRenamer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPStamp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPTrimmer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPWorker.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\PhotoStitch\360View.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\PhotoStitch\stitch.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\PhotoStitch\STLauncher.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\PhotoStitch\STViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX\Program\dbconverter.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX\Program\ZbScreenSaver.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX\Program\ZoomBrowser.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX MCU\MCU.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher_UL.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\copier.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\patchsdk.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\zipper.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\patchjre.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\zipper.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\DJSActiv.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LOGBOOK.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LOGGER.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\sevinst.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\SYMUNDO.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LiveReg\IraLrShl.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LiveReg\VcCleanUp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe a variant of Win32/Expiro.T virus
C:\Program Files\epson\escndv\escndv.exe a variant of Win32/Expiro.T virus
C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\Setup.exe a variant of Win32/Expiro.T virus
C:\Program Files\InstallShield Installation Information\{901DC58A-5C1B-4315-BA40-5AD3D3A463B9}\setup.exe a variant of Win32/Expiro.T virus
C:\Program Files\InstallShield Installation Information\{DBFE5FBD-A7D9-4F74-88A1-2B042722F2DB}\Setup.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel\PerformanceIndex\PerfIndex.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel\StressTest\StressTest.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel\StressTest\UninstallWrap.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\AEEnable.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\RemADI.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SMAXWDM\W2K_XP\install.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SMAXWDM\W2K_XP\Remove.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Comn\Wizards\SMax4Wiz.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgent.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgentI.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgentX.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMax4.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_PNP\Sys\SMax4PNP.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Synth\DLSLdr.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Synth\Sys\RemDev.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\Sys\CleanUp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\Sys\DSndUp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\ExtExport.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\iedw.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\appletviewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\apt.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\extcheck.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\HtmlConverter.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\idlj.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jar.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jarsigner.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\java-rmi.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\java.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javac.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javadoc.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javah.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javap.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javaw.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javaws.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jconsole.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jdb.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jhat.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jinfo.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jmap.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jps.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jrunscript.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jstack.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jstat.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jstatd.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\keytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\kinit.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\klist.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\ktab.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\native2ascii.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\orbd.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\pack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\packager.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\policytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\rmic.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\rmid.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\schemagen.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\serialver.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\servertool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\tnameserv.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\unpack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\wsgen.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\wsimport.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\xjc.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\java-rmi.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\java.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\javacpl.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\javaw.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\javaws.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\jusched.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\keytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\kinit.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\klist.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\ktab.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\orbd.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\pack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\policytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\rmid.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\servertool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\tnameserv.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\unpack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\java-rmi.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\java.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\javacpl.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\javaw.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\javaws.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\jusched.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\keytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\kinit.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\klist.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\ktab.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\orbd.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\pack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\policytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\rmid.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\servertool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\tnameserv.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\unpack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Messenger\msmsgs.exe a variant of Win32/Expiro.T virus
C:\Program Files\Microsoft Office\OFFICE11\1033\SCHDPL32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Movie Maker\moviemk.exe a variant of Win32/Expiro.T virus
C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe a variant of Win32/Expiro.T virus
C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe a variant of Win32/Expiro.T virus
C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe a variant of Win32/Expiro.T virus
C:\Program Files\MSN Gaming Zone\Windows\zClientm.exe a variant of Win32/Expiro.T virus
C:\Program Files\NetMeeting\conf.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\CKA.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\NSWCfg.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\OBC.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\BACKLOG.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\NORTON.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\REGWDOC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\SI32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\SIREGIST.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\UE32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\WDSCAN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\WINDOC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\WIPINFNT.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\NOPDBInit.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\SDNTC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\sdntdolu.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\sdntrun.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\SIREGIST.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\SIREGSRV.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Web Cleanup\WCQuick.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Web Cleanup\WCViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Df2.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Df2med.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Nlreg.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Pack.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Revupdat.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Update.exe a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\inst32.exe a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\FILEMGR.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPASC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPCMP.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPCOM.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPCPD.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPCPY.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPDEL.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPENC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPEXP.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPFMT.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPLBL.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPLNK.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPMKD.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPMOV.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPNTC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPPRT.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPREN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPRUN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPSYN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPUDO.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPUUE.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\msimn.exe a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\oemig50.exe a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\setup50.exe a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\wabmig.exe a variant of Win32/Expiro.T virus
C:\Program Files\Quick View Plus\Program\qvp32.exe a variant of Win32/Expiro.T virus
C:\Program Files\Quick View Plus\Program\qvpcomp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Quick View Plus\Support\Quikview.exe a variant of Win32/Expiro.T virus
C:\Program Files\QuickTime\PictureViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\QuickTime\QTTask.exe a variant of Win32/Expiro.T virus
C:\Program Files\QuickTime\QTSystem\QuickTimeUpdateHelper.exe a variant of Win32/Expiro.T virus
C:\Program Files\Safer Networking\FileAlyzer 2\FileAlyzer2.exe a variant of Win32/Expiro.T virus
C:\Program Files\Spybot - Search & Destroy\SDFiles.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Connect 2\wmccds.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Connect 2\WMCCFG.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\dlimport.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\migrate.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\setup_wm.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmdbexport.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmlaunch.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmpenc.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmplayer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmpnetwk.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmpnscfg.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmpshare.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmsetsdk.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows NT\dialer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows NT\hypertrm.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows NT\Accessories\wordpad.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows NT\Pinball\pinball.exe a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\alg.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\cisvc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\clipsrv.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllhost.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\dmadmin.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\imapi.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlnfw32.dll.vir a variant of Win32/Koblu.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\locator.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\mnmsrvc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\msdtc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\msiexec.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\netdde.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\rsvp.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\scardsvr.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\sessmgr.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\smlogsvc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\tlntsvr.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\ups.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\vssvc.exe.vir a variant of Win32/Expiro.T virus
C:\WINDOWS\IsUninst.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\uninsqvp.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\winhlp32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\$hf_mig$\KB2183461-IE8\SP3QFE\ie4uinit.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\$hf_mig$\KB2229593\SP3QFE\helpsvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.vir a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\accwiz.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\alg.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\charmap.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\cisvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\cleanmgr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\clipsrv.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\cmd.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\dllhost.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\dmadmin.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\freecell.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\imapi.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\locator.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\magnify.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mnmsrvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mobsync.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\msdtc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mshearts.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\msiexec.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mspaint.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mstsc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\narrator.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\netdde.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\ntbackup.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\odbcad32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\osk.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\rcimlby.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\rsvp.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\rundll32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\scardsvr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\sessmgr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\smlogsvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\sndrec32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\sndvol32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\sol.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\spider.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\tlntsvr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\tourstart.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\ups.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\vssvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\wiaacmgr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\winmine.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\wupdmgr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\Restore\rstrui.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FARNEQA.EXE a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\usmt\migwiz.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\wbem\wmiapsrv.vir a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\twain_32\escndv\escndv.exe a variant of Win32/Expiro.T virus
Operating memory a variant of Win32/Expiro.T virus



=========
Ok, here it is. I did not fix any. I just followed the directions. After turning TeaTimer back on, it kept asking me about registry changes under the category "Firewall Authorized Applications". I have neither accepted nor denied the changes.

ken545
2011-04-27, 21:07
Well :sad: This is where we're at, read this please
http://www.f-secure.com/v-descs/virus_w32_expiro_a.shtml

What that means is the virus will just keep on infecting .exe files; when you remove what it infected, it will just reinfect them again. This virus also may have stolen credit card and banking information. I would urge you to use a known clean computer and change all your passwords for sites you use for shopping and banking; also keep an eye on your statements for any unauthorized charges.

This computer has been compromised; that means it can never be trusted. I feel at this point that the only thing to do is to format and reinstall Windows to guarantee a nice, clean and safe computer.

If you need help with this, let me know and I can link you to a Windows forum that can help you.

super.duper
2011-04-27, 21:17
:thud::sad:
So what ways can I purge this computer?
I heard something about a boot CD? Will that work?
While my OS is legitimate, I obtained it with the OS pre-installed.

Would directly updating Windows XP to Windows 7 clean it?

Does this worm actually obtain information that's stored in the system from previous credit card purchases, etc.? Does it pretty much have everything?

What would you recommend on cleaning it?

Thank you very much for your help. :rockon:

super.duper
2011-04-27, 21:23
And if you could please link me to the forum on doing this reformatting/re-installing.

ken545
2011-04-27, 22:27
Well, to see what this virus does, look through the ComboFix report and look at all the legit Windows files that were infected and replaced. Looking at the ESET log, there are many more files infected, including entire programs.

Exactly what this virus stole, if anything, is hard to say, but change all your passwords.

This is a file infector virus; it will infect files as quickly as we clean them, and I am sure there are hundreds more that are infected that we can't see.

Upgrading to Win 7 would be a good option, but I am not sure if your computer is a candidate. It would have to be a complete format and reinstall; an upgrade would not work, or you would just be installing the new operating system right on top of the infected one.

You may want to contact Dell for Recovery Disks to restore your computer to factory defaults.

Post here and let them know where you're at and see what they suggest. All of us forums work together, so you can link them to this thread so they can see what we have done.
http://forums.whatthetech.com/index.php?showforum=119
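
The re-infection pattern described above (ComboFix quarantines a copy under C:\Qoobox\Quarantine, then ESET flags the same file again at its original path, as alg.exe, cisvc.exe and msiexec.exe show in the log) can be checked mechanically. The following is an added example, not code from ESET, ComboFix or anyone in this thread: it parses a handful of lines excerpted from the ESET log above, tallies detections by family and top-level directory, and lists the files that came back after quarantine.

```python
"""Tally an ESET scan log from a file-infector cleanup and spot files that
ComboFix quarantined yet ESET flagged again at their original location.

Added example for this thread; not part of ESET, ComboFix or the original post.
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "path family kind")

# Constructed sample: a few lines excerpted from the ESET log posted earlier
# in this thread. The last line is ESET's in-memory detection, not a file.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\alg.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\cisvc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlnfw32.dll.vir a variant of Win32/Koblu.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\msiexec.exe.vir a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\alg.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\cisvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\cmd.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\msiexec.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmplayer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\msimn.exe a variant of Win32/Expiro.T virus
Operating memory a variant of Win32/Expiro.T virus
"""

# ComboFix keeps what it removes as C:\Qoobox\Quarantine\C\<original path>.vir
# (the layout visible in the log above); compared case-insensitively.
QUARANTINE_PREFIX = r"c:\qoobox\quarantine\c" + "\\"
# "<path> a variant of <family> <kind>", the line shape used in the log above
LINE_RE = re.compile(r"^(?P<path>.+?) a variant of (?P<family>\S+) (?P<kind>\S+)$")


def parse_eset_log(text):
    """Return one Detection per parseable log line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["family"], m["kind"]))
    return out


def original_path(path):
    """Map a ComboFix quarantine copy back to the path it was taken from
    (lower-cased), or return None when the path is not a quarantine entry."""
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIX) and low.endswith(".vir"):
        return "c:\\" + low[len(QUARANTINE_PREFIX):-len(".vir")]
    return None


def find_reinfected(detections):
    """Paths that ComboFix quarantined and ESET still flags at the original
    location: the file infector has rewritten the replacement copy."""
    live = {d.path.lower() for d in detections if original_path(d.path) is None}
    hits = set()
    for d in detections:
        orig = original_path(d.path)
        if orig is not None and orig in live:
            hits.add(orig)
    return sorted(hits)


def count_by_family(detections):
    """How many detections each malware family accounts for."""
    return Counter(d.family for d in detections)


def count_by_top_dir(detections):
    """On-disk, non-quarantine detections grouped by top-level directory,
    which shows how far beyond system32 the infector has spread."""
    c = Counter()
    for d in detections:
        if original_path(d.path) is not None or ":\\" not in d.path:
            continue  # skip quarantine copies and the 'Operating memory' line
        parts = d.path.split("\\")
        c["\\".join(parts[:2]).lower()] += 1
    return c


if __name__ == "__main__":
    dets = parse_eset_log(SAMPLE_LOG)
    print("detections:", len(dets))
    print("by family:", dict(count_by_family(dets)))
    print("by top-level dir:", dict(count_by_top_dir(dets)))
    for p in find_reinfected(dets):
        print("re-infected after quarantine:", p)
```

Run against the full log posted above, the same three functions give the per-directory spread ken545 points to and every quarantine/live pair, which is the evidence that cleaning file by file cannot keep up with the infector.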

super.duper
2011-04-27, 22:55
Alright, thanks.
I posted the topic there: http://forums.whatthetech.com/index.php?showtopic=118321


Is that okay?

Would any Windows XP recovery disk work? I think one of my friends has one; would I be able to use theirs?

ken545
2011-04-28, 00:58
I don't believe so, because it needs to bring your computer back to factory defaults, and someone else's would be for a different system.

I posted at WTT in your thread.

super.duper
2011-04-28, 02:24
Saw your post. So all I will really need to back up are the Microsoft programs and Symantec. I will read the guide on re-formatting/re-installing and get more info on the discs. Sites saying they offer the recovery disks are malicious, correct?
:cowboy:

ken545
2011-04-28, 02:25
Some are legit, some are not; it's a crapshoot, so stay away from them.

Another place to post is at the Dell Forums. Ask if you can download the recovery disk to set your computer back to factory. When you got your Dell, I believe it had an option to do that???

http://en.community.dell.com/support-forums/default.aspx

super.duper
2011-04-28, 02:32
It was used; I actually didn't pay anything for the system. Will this affect my ability to procure the required items?

ken545
2011-04-28, 02:55
Not sure, that's between you and Dell.

Another option would be to get a Win XP disk on eBay; they're selling for around $25 or so. Then you can go to the Dell site and download the drivers you need for the video, sound and LAN.

The WTT forum can help you with the format and reinstall and getting the correct drivers.

super.duper
2011-04-28, 03:16
That sounds reasonable, I'll look into that.
Won't that go against the whole using-someone-else's-XP-recovery-disk thing?


You told me NO Windows update to 7. While reading through the reformatting etc., I also took a peek at the Windows 7 way.

Would doing a custom install, not update, be worth a try? Then from the "old windows folder" move the program files to a flash drive, or perhaps the new Windows, if it's possible. Then after the first install, re-install Windows 7 to re-format it using the Windows 7 disk?

I'm not trying to be difficult, I just have these crazy ideas; I just thought I'd pitch it out there.

:thanks:

ken545
2011-04-28, 03:57
What I am trying to say is that I could be wrong, but it sounds like your system may not be a candidate for Win7; it may not have the requirements.

You can try this tool
http://windows.microsoft.com/upgradeadvisor

On eBay, you can buy the actual Windows XP CD legally. With the newer operating systems out now, Vista and Win7, the XP CDs are going for a song. This is not the recovery disk I am talking about; it's the full Windows CD that is brand new, still in the box.

Remember, most of your programs are infected; not a good idea to back them up and reinstall them.

super.duper
2011-04-28, 03:59
Just read your WTT post. DO NOT back up programs. :bigthumb:

That means I don't really have anything I need to back up. I'll try to order the disc from an uncompromised computer. Thanks again :thanks:

super.duper
2011-04-28, 04:02
What I am trying to say is that I could be wrong, but it sounds like your system may not be a candidate for Win7; it may not have the requirements.

You can try this tool
http://windows.microsoft.com/upgradeadvisor

On eBay, you can buy the actual Windows XP CD legally. With the newer operating systems out now, Vista and Win7, the XP CDs are going for a song. This is not the recovery disk I am talking about; it's the full Windows CD that is brand new, still in the box.

Remember, most of your programs are infected; not a good idea to back them up and reinstall them.

Yeah, the disk came with that compatibility feature. I ran it; everything seemed okay. I was just mentioning it. I will go search for the new Windows XP package then; hopefully I can find myself a good deal.

super.duper
2011-04-28, 05:22
I just wanna make sure I have your blessings before I do anything :angel:

ken545
2011-04-28, 11:38
Look for OEM for XP; it will still be shrink-wrapped.

super.duper
2011-04-29, 03:13
So problem solved? Get the disk, pop it in, reformat, and voilà!?
Thread closed?
Thanks once again for all your help, truly appreciated, and I realize, as I hope everyone else does too, that you guys use your own time to do this and do it out of the kindness of your hearts. Thanks.
:thanks:

Just outta curiosity, let's say I were to upgrade to Windows 7, and download Spybot, Malwarebytes and the complimentary Microsoft Security Essentials, then run a scan on files from "old windows", and if some appeared to be "clean" while some show up as infected, could the "un-infected" programs be brought up, and have the rest of the "old windows" files deleted? The new Windows 7 OS being clean in itself, finding threats only in the old.windows file. :D:

Just hypothetically speaking, I don't wanna take up any more of your time :thanks::rockon:


XP disk, install from disk, reformat partitions and drive C.
Or use the Dell re-boot disk option. I'll talk to them and see what they say; the guys at WTT wanted some info on that, so I will post it there when I get it.

ken545
2011-04-29, 13:15
I don't know if I am understanding what you're trying to do with old windows. Outside of your data like Word documents and pictures, I would just bite the bullet on the rest and do clean downloads and installs of the programs that you want to install.

Have you tried the Win 7 upgrade advisor to see if your system will accept Win7?

If you get the recovery disks from Dell, that will bring your computer back to factory defaults and you should be OK. Then again, a format and reinstall is a good option also; you can do either or.

Whichever path you take, when you're up and running you need to re-evaluate your surfing habits; look at all the trouble you're having from letting your guard down like you have. Stay away from any illegal software, stay away from any file sharing like the torrents or sites like Limewire, and if you get an email from someone you don't know, don't even open it, send it right to the trash.

Good luck with your new endeavor.

Ken :)

super.duper
2011-04-30, 07:18
It was "Leap Year", the movie :oops:
1st and last time?
Decent movie.
I'm against torrenting and P2P and anything not legal. :bigthumb:

If you're curious, ...read the following :D:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Computer at 20:42:36.35 on Fri 04/29/2011
Internet Explorer: 9.0.8112.16421
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1263 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SoftwareDistribution\Download\Install\dotNetFx40_Client_x86.exe
C:\Users\Computer\Desktop\dds.com
C:\Windows\system32\conhost.exe
C:\7b08b4b8f5958fb7ad47bd9d\Setup.exe
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\computer\appdata\roaming\mozilla\firefox\profiles\rpd3zuol.default\
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKslbee3a9ea;MpKslbee3a9ea;c:\programdata\microsoft\microsoft antimalware\definition updates\{486670b3-9f08-4774-b4fa-9d274c9444ef}\MpKslbee3a9ea.sys [2011-4-29 28752]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-7-13 8192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-29 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-29 52224]
.
=============== Created Last 30 ================
.
2011-04-30 03:42:24 -------- d-----w- C:\7b08b4b8f5958fb7ad47bd9d
2011-04-30 03:26:52 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{486670b3-9f08-4774-b4fa-9d274c9444ef}\MpKslbee3a9ea.sys
2011-04-30 02:43:33 -------- d-----w- c:\windows\system32\SPReview
2011-04-30 02:43:05 -------- d-----w- c:\windows\system32\EventProviders
2011-04-30 02:42:26 -------- d-----w- c:\users\computer\appdata\roaming\Malwarebytes
2011-04-30 02:42:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-30 02:42:19 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-30 02:42:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-30 02:42:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-30 02:12:21 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-04-30 02:12:21 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-04-30 02:12:21 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-04-30 02:12:14 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2011-04-30 01:40:14 469256 ----a-w- c:\program files\common files\windows live\.cache\8b83b94e1cc06d743\InstallManager_WLE_WLE.exe
2011-04-30 01:35:25 15712 ----a-w- c:\program files\common files\windows live\.cache\e0de49a01cc06d637\MeshBetaRemover.exe
2011-04-30 01:28:45 525656 ----a-w- c:\program files\common files\windows live\.cache\f1bb40431cc06d529\DXSETUP.exe
2011-04-30 01:28:45 1691480 ----a-w- c:\program files\common files\windows live\.cache\f1bb40431cc06d529\dsetup32.dll
2011-04-30 01:28:44 94040 ----a-w- c:\program files\common files\windows live\.cache\f1bb40431cc06d529\DSETUP.dll
2011-04-30 01:28:33 94040 ----a-w- c:\program files\common files\windows live\.cache\ea0250601cc06d528\DSETUP.dll
2011-04-30 01:28:33 525656 ----a-w- c:\program files\common files\windows live\.cache\ea0250601cc06d528\DXSETUP.exe
2011-04-30 01:28:33 1691480 ----a-w- c:\program files\common files\windows live\.cache\ea0250601cc06d528\dsetup32.dll
2011-04-30 01:14:37 6260088 ----a-w- c:\program files\common files\windows live\.cache\f7b427bb1cc06d315\Silverlight.4.0.exe
2011-04-30 01:03:32 -------- d-----w- c:\users\computer\appdata\local\Windows Live
2011-04-30 01:03:29 -------- d-----w- c:\program files\common files\Windows Live
2011-04-30 01:02:05 -------- d-----w- c:\windows\system32\Wat
2011-04-30 00:54:59 584192 ----a-w- c:\windows\system32\gpprefcl.dll
2011-04-30 00:53:59 828928 ----a-w- c:\windows\system32\fontext.dll
2011-04-30 00:52:59 82944 ----a-w- c:\windows\system32\iccvid.dll
2011-04-30 00:51:45 697344 ----a-w- c:\windows\system32\SmiEngine.dll
2011-04-30 00:51:35 209920 ----a-w- c:\windows\system32\PkgMgr.exe
2011-04-30 00:51:35 189952 ----a-w- c:\windows\system32\wdscore.dll
2011-04-30 00:50:43 323072 ----a-w- c:\windows\system32\drvstore.dll
2011-04-30 00:50:43 257024 ----a-w- c:\windows\system32\dpx.dll
2011-04-30 00:01:05 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-04-30 00:01:05 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-30 00:01:02 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-04-30 00:01:01 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-04-30 00:01:00 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-04-29 23:31:50 -------- d-----w- c:\users\computer\appdata\local\Mozilla
2011-04-29 23:31:08 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{a93ae193-f615-4b67-abaa-ccc98faaaacd}\gapaengine.dll
2011-04-29 23:29:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-29 23:29:34 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-04-29 23:29:33 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{486670b3-9f08-4774-b4fa-9d274c9444ef}\mpengine.dll
2011-04-29 09:07:15 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-04-29 09:07:11 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{dee5f568-3c2e-45e4-8293-f0010a9ee07c}\mpengine.dll
2011-04-29 05:02:29 -------- d-sh--w- c:\windows\Installer
2011-04-29 05:02:29 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-29 04:52:53 -------- d-----w- c:\windows\Panther
2011-04-29 04:46:13 -------- d-----w- C:\Windows.old
2011-04-29 04:37:06 1699328 ----a-w- c:\windows\system32\esent.dll
2011-04-29 04:37:06 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-04-29 04:37:06 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-04-29 04:37:05 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-04-29 04:37:05 148864 ----a-w- c:\windows\system32\drivers\storport.sys
2011-04-29 04:37:05 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-04-29 04:37:04 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-04-29 04:37:04 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-04-29 04:37:04 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-04-29 04:36:51 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-29 04:36:48 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-04-29 04:36:09 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-29 04:34:56 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-29 04:34:56 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-29 04:34:11 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 04:31:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-29 04:27:42 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-04-29 04:27:42 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-04-29 04:27:42 107520 ----a-w- c:\windows\system32\cdd.dll
2011-04-29 04:27:41 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-29 04:27:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-29 04:25:23 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-29 04:25:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-29 04:25:23 223232 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 04:25:23 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 04:06:28 -------- d-----w- c:\windows\system32\wbem\Performance
2011-04-29 02:59:28 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
2011-04-30 03:15:43 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-03-03 03:42:34 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-25 05:30:54 2616320 ----a-w- c:\windows\explorer.exe
2011-02-19 06:30:46 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 04:34:54 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-12 05:35:31 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
.
============= FINISH: 20:45:25.13 ===============


Would it be safe to access my bank account? It provides a free 1 yr subscription to McAfee and Rapport. Do you have an opinion on McAfee? Thanks

ken545
2011-04-30, 09:29
Until you're totally clean after the reinstall of Windows, I would do banking from another clean computer.

super.duper
2011-04-30, 19:41
So I'm not clean? I did a clean install. I booted from the CD/DVD and deleted the partitions. The current "old.windows" you see is due to accidentally installing Windows 7 twice, after the clean install. :snorkle:

ken545
2011-04-30, 20:33
I linked you to the Windows forum for help in reinstalling Windows; at this point I have no idea what you're doing on your own. After you format your drive and do a clean install of Windows, post back and we can go from there.

super.duper
2011-04-30, 21:00
Well, basically what I did was delete all the old partitions on the HDD, then just installed Windows 7. I deleted the partitions from the old Windows XP, along with all the other partitions, before I installed this one, so I thought deleting the partitions would be equal to re-formatting. Basically my system is Windows 7 now; it doesn't have any programs from my old OS. If I need to reformat then I'll do it.

ken545
2011-04-30, 21:04
You need to iron this out with the Windows people.

super.duper
2011-04-30, 21:11
Alright, I'ma hit WTT.
Thanks.


I'm just unclear on whether deleting partitions is similar to re-formatting;
I'll ask in WTT.

super.duper
2011-05-01, 04:46
Alright, I believe I got the answer: once I deleted the partitions before installing Windows, when Windows created a new partition to install 7 it automatically re-formatted it. :bigthumb:

ken545
2011-05-01, 20:37
super.duper is being helped at WTT to format and reinstall Windows; with all the nasty infections found, along with a file infector, we decided this was the best option.

This thread will be closed. After the reinstall, if you feel you still have issues, then please start a new topic.


How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken