CLick.Giftloader Re-appearing and possible rootkit infection.

super.duper · Apr 23, 2011

Hi,

I have been reading other forums and it seems this has been reading around alot.
Well basically i have a click.Giftload that re-appears every time it is "removed."

The windows OS is legitimate nothing is torrent-ed:angel:.
hears is my DDS.txt

Thank you very much for your help it is greatly appreciated.:thanks:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 10:29:36.47 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.513 [GMT -7:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\User\My Documents\Downloads\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
mStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\search toolbar\tbhelper.dll
mWinlogon: Userinit=userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {9030d464-4c02-4abf-8ecc-5164760863c6} - Windows Live ID Sign-in Helper
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - JQSIEStartDetectorImpl Class
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files\search toolbar\tbcore3.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [EPSON WorkForce 500 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieqa.exe /fu "c:\windows\temp\E_S308.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uExplorerRun: [Policies] c:\windows\install\javaupdate.exe
mExplorerRun: [Policies] c:\windows\install\javaupdate.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: &Search - ?s=100000341&p=GRxdm136YYUS&si=&a=4dVGR09GIOBoyvmLASuKpA&n=2010040317
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256651880125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
mASetup: {08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} - c:\windows\install\javaupdate.exe
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ljvrwzqo.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\microsoft.net\framework\v4.0.20506\wpf\NPWPF.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v4.0.20506\wpf\DotNetAssistantExtension
FF - Ext: Java Quick Starter:

- c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-27 54752]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-10-27 135168]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-1 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110423.002\naveng.sys [2011-4-23 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110423.002\navex15.sys [2011-4-23 1393144]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-10-26 6016]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\microsoft.net\framework\v4.0.20506\mscorsvw.exe [2009-5-6 104272]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
.
=============== Created Last 30 ================
.
2011-04-22 16:07:24 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Trusteer
2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-22 04:00:17 -------- d-----w- c:\docume~1\user\applic~1\Trusteer
2011-04-22 04:00:11 -------- d-----w- c:\program files\Trusteer
2011-04-22 03:58:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2011-04-21 23:25:23 53248 ----a-w- c:\windows\system32\6to4v32.dll
2011-04-21 23:25:19 34816 ----a-w- c:\windows\system32\itlnfw32.dll
2011-04-21 23:25:19 215552 ----a-w- c:\windows\system32\itlpfw32.dll
2011-04-20 04:37:34 -------- d-----w- c:\docume~1\user\locals~1\applic~1\{14A884BB-57A8-45D0-A887-9F388313E24B}
2011-04-08 17:17:38 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_7Y250P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6654F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a66b7d0]; MOV EAX, [0x8a66b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A691AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000069[0x8A68EF18]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A68D940]
\Driver\atapi[0x8A697B78] -> IRP_MJ_CREATE -> 0x8A6654F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A66533B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:34:01.59 ===============

Sorry, for the post , i was not able to edit the above.
I did some research and some of my other registry keys are altered, the same keys in the same way as the "TR/Alureon.DX.236"
the following is my S&D report. I removed some of it because this will only allow me to post 64000 characters.
--- Search result list ---
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-05-12 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-03-29 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-04-19 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti (*)
2010-12-28 Includes\Trojans.sbi (*)
2011-04-20 Includes\TrojansC-02.sbi (*)
2011-04-18 Includes\TrojansC-03.sbi (*)
2011-04-18 Includes\TrojansC-04.sbi (*)
2011-04-11 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

This is not a complete list i tried to fit what i could.

ken545 · Apr 25, 2011

:snwelcome:

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Your infected with a nasty Rootkit , I am going to ask you to run TDSSKiller but the variant you have may prevent it from running and if thats the case we will use another method to remove it

Please download TDSSKiller.zip

Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
Copy and paste the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)

super.duper · Apr 26, 2011

great your online. and May i Thank you once again for your help. You where right The TDSSkiller did not work.

Also after i attemptted it i restarted my computer and got this Spy bot SD mesage:

Process ID 208
Scchost.exe

C:\\Windows\system32\win32.Shark.bw

This has a very severe threat level if i am correct.
his backdoor is related to the other problem?

thanks. I will disconnect my internt and leav it only connected when i check this forum.

ken545 · Apr 26, 2011

Whats going on is your Master Boot Record is infected, I need you to run Combofix, when Combofix runs it will check to see if you have a Recovery Console and if not it will prompt you to install one, do so because we are going to need to fix your MBR through the Recovery Console

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

super.duper · Apr 26, 2011

i will do it now. Ill be back when it is done, in the case that this does not work? what would be next? I just hope it doesn't come to that.

:rockon::thanks:

super.duper · Apr 26, 2011

before it is actually saved it has to be renamed "Combo-Fix" correct? do i need to add an extension such as "exe" ?

super.duper · Apr 26, 2011

ComboFix 11-04-25.02 - User 04/25/2011 18:33:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1304 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\p18_812875.dll
c:\documents and settings\All Users\Application Data\Toolbar4
c:\documents and settings\User\Application Data\logs.dat
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{14A884BB-57A8-45D0-A887-9F388313E24B}\install.rdf
c:\documents and settings\User\WINDOWS
c:\program files\Search Toolbar
c:\program files\Search Toolbar\basis.xml
c:\program files\Search Toolbar\bg.bmp
c:\program files\Search Toolbar\bing_logo.png
c:\program files\Search Toolbar\celebrity.png
c:\program files\Search Toolbar\drop_images.png
c:\program files\Search Toolbar\drop_maps.png
c:\program files\Search Toolbar\drop_news.png
c:\program files\Search Toolbar\drop_videos.png
c:\program files\Search Toolbar\drop_web.png
c:\program files\Search Toolbar\facebook.png
c:\program files\Search Toolbar\favicon.png
c:\program files\Search Toolbar\games.png
c:\program files\Search Toolbar\hotmail.png
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\images.png
c:\program files\Search Toolbar\include.xml
c:\program files\Search Toolbar\info.txt
c:\program files\Search Toolbar\lifestyle.png
c:\program files\Search Toolbar\maps.png
c:\program files\Search Toolbar\messenger.png
c:\program files\Search Toolbar\msn.png
c:\program files\Search Toolbar\news.png
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\tbcore3.dll
c:\program files\Search Toolbar\tbhelper.dll
c:\program files\Search Toolbar\twitter.png
c:\program files\Search Toolbar\uninstall.exe
c:\program files\Search Toolbar\update.exe
c:\program files\Search Toolbar\version.txt
c:\program files\Search Toolbar\video.png
c:\program files\Search Toolbar\videos.png
c:\program files\Search Toolbar\weather.png
c:\program files\Search Toolbar\web.png
c:\windows\Install
c:\windows\system32\certstore.dat
c:\windows\system32\itlnfw32.dll
c:\windows\wuasirvy.dll
.
Infected copy of c:\windows\system32\clipsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\clipsrv.exe
.
Infected copy of c:\windows\system32\alg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\alg.exe
.
Infected copy of c:\windows\system32\cisvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cisvc.exe
.
Infected copy of c:\windows\system32\dllhost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dllhost.exe
.
Infected copy of c:\windows\system32\dmadmin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dmadmin.exe
.
Infected copy of c:\windows\system32\imapi.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imapi.exe
.
Infected copy of c:\windows\system32\locator.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\locator.exe
.
Infected copy of c:\windows\system32\mnmsrvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mnmsrvc.exe
.
Infected copy of c:\windows\system32\msdtc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msdtc.exe
.
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msiexec.exe
.
Infected copy of c:\windows\system32\netdde.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netdde.exe
.
Infected copy of c:\windows\system32\rsvp.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rsvp.exe
.
Infected copy of c:\windows\system32\scardsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\scardsvr.exe
.
Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sessmgr.exe
.
Infected copy of c:\windows\system32\smlogsvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\smlogsvc.exe
.
Infected copy of c:\windows\system32\tlntsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\tlntsvr.exe
.
Infected copy of c:\windows\system32\ups.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ups.exe
.
Infected copy of c:\windows\system32\vssvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\vssvc.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-26 01:52 . 2011-04-26 01:52 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-04-26 01:52 . 2011-04-26 01:52 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-04-26 01:52 . 2011-04-26 01:52 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-04-26 01:52 . 2011-04-26 01:52 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-04-26 01:52 . 2011-04-26 01:52 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-04-26 01:52 . 2011-04-26 01:52 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-04-26 01:52 . 2011-04-26 01:52 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-04-26 01:52 . 2011-04-26 01:52 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-04-26 01:52 . 2011-04-26 01:52 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-04-26 01:52 . 2011-04-26 01:52 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-04-26 01:52 . 2011-04-26 01:52 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-04-26 01:52 . 2011-04-26 01:52 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-04-26 01:51 . 2011-04-26 01:51 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-04-26 01:51 . 2011-04-26 01:51 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-04-26 01:51 . 2011-04-26 01:51 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-04-26 01:51 . 2011-04-26 01:51 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-04-26 01:51 . 2011-04-26 01:51 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-04-23 22:01 . 2011-04-23 22:01 -------- d-----w- c:\program files\Safer Networking
2011-04-23 17:23 . 2011-04-23 17:23 -------- d-----w- c:\program files\ERUNT
2011-04-23 00:39 . 2011-04-23 00:39 -------- d-----w- c:\documents and settings\Administrator.INTEL\Application Data\Trusteer
2011-04-22 16:07 . 2011-04-22 16:07 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Trusteer
2011-04-22 15:58 . 2011-04-22 15:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-22 05:30 . 2011-04-22 05:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2011-04-22 05:29 . 2011-04-22 05:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-22 04:00 . 2011-04-22 04:00 -------- d-----w- c:\documents and settings\User\Application Data\Trusteer
2011-04-22 04:00 . 2011-04-22 04:00 -------- d-----w- c:\program files\Trusteer
2011-04-22 03:58 . 2011-04-22 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2011-04-22 03:42 . 2011-04-22 03:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-04-20 15:52 . 2011-04-22 03:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-19 20:35 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-04-16 03:50 . 2011-04-16 03:50 -------- d-----w- c:\documents and settings\User\Application Data\EPSON
2011-04-08 17:17 . 2011-04-08 17:17 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 01:53 . 2004-08-04 07:56 400384 ----a-w- c:\windows\system32\vssvc.exe
2011-04-26 01:53 . 2004-08-04 07:56 129024 ----a-w- c:\windows\system32\ups.exe
2011-04-26 01:53 . 2004-08-04 07:56 183808 ----a-w- c:\windows\system32\tlntsvr.exe
2011-04-26 01:53 . 2004-08-04 07:56 200192 ----a-w- c:\windows\system32\smlogsvc.exe
2011-04-26 01:53 . 2004-08-04 07:56 206336 ----a-w- c:\windows\system32\scardsvr.exe
2011-04-26 01:53 . 2004-08-04 07:56 185856 ----a-w- c:\windows\system32\locator.exe
2011-04-26 01:52 . 2004-08-04 07:56 221696 ----a-w- c:\windows\system32\netdde.exe
2011-04-26 01:52 . 2009-10-27 06:55 116736 ----a-w- c:\windows\system32\msdtc.exe
2011-04-26 01:52 . 2004-08-04 07:56 143872 ----a-w- c:\windows\system32\clipsrv.exe
2011-04-26 01:52 . 2004-08-04 07:56 116224 ----a-w- c:\windows\system32\cisvc.exe
2011-04-26 01:52 . 2004-08-04 07:56 155136 ----a-w- c:\windows\system32\alg.exe
2011-03-07 05:33 . 2009-10-27 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 07:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-03 23:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2004-08-03 22:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-03 23:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-03 23:14 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-10-27 11:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 07:56 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 07:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 07:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 07:56 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 07:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-10-27 06:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-10-27 06:55 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Rapportexe"="c:\program files\Trusteer\Rapport\bin\RapportService.exe" [2011-04-08 1550136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-10-27 25214]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= "qvphook.dll" [2002-04-10 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ijjiOptimizer.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58954:TCP"= 58954:TCP

ando Media Booster
"58954:UDP"= 58954:UDP

ando Media Booster
.
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [10/27/2009 1:33 AM 135168]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/1/2011 8:02 PM 102448]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [10/26/2009 12:34 PM 6016]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe [5/6/2009 10:08 AM 104272]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-04-09 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2002-08-30 05:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ljvrwzqo.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
AddRemove-Yahoo! BrowserPlus - c:\documents and settings\User\Local Settings\Application Data\Yahoo!\BrowserPlus\BrowserPlusUninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 18:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_7Y250P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A66633B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3252)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\msiexec.exe
c:\windows\system32\sessmgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\progra~1\NORTON~1\SPEEDD~1\nopdb.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-25 19:00:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-26 02:00
.
Pre-Run: 186,559,680,512 bytes free
Post-Run: 187,589,365,760 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 355F0270281334F237357C2A4E659BE0

super.duper · Apr 26, 2011

anything on what changes to registry to allow Spybot to change?

ken545 · Apr 26, 2011

You have a lot of nasty things going on on this system and its most likely caused by sharing files during the games your playing

Lets disable the teatimer

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)
When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter
It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
Next type FIXMBR
If it asks if you're sure you want to write a new MBR, answer 'Y'
Then type EXIT to reboot the machine.

super.duper · Apr 27, 2011

Done. :rockon:

ken545 · Apr 27, 2011

:bigthumb: Nice job. These Rootkits sometimes bring friends along with them, lets check

First run DDS and post a new log and lets make sure its gone

Then run these in order

Please download ATF Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Please download Malwarebytes from Here or Here

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report please

super.duper · Apr 27, 2011

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 17:17:05.29 on Tue 04/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1247 [GMT -7:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User\My Documents\Downloads\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page =
mStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
mWinlogon: Userinit=userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {9030d464-4c02-4abf-8ecc-5164760863c6} - Windows Live ID Sign-in Helper
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256651880125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ljvrwzqo.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\microsoft.net\framework\v4.0.20506\wpf\NPWPF.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v4.0.20506\wpf\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-27 54752]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-10-27 135168]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-1 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110425.002\naveng.sys [2011-4-25 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110425.002\navex15.sys [2011-4-25 1393144]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-10-26 6016]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\microsoft.net\framework\v4.0.20506\mscorsvw.exe [2009-5-6 104272]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
.
=============== Created Last 30 ================
.
2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.vir
2011-04-26 01:31:30 -------- d-sha-r- C:\cmdcons
2011-04-26 01:26:00 98816 ----a-w- c:\windows\sed.exe
2011-04-26 01:26:00 89088 ----a-w- c:\windows\MBR.exe
2011-04-26 01:26:00 256512 ----a-w- c:\windows\PEV.exe
2011-04-26 01:26:00 161792 ----a-w- c:\windows\SWREG.exe
2011-04-23 22:01:11 -------- d-----w- c:\program files\Safer Networking
2011-04-22 16:07:24 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Trusteer
2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-22 15:58:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-22 04:00:17 -------- d-----w- c:\docume~1\user\applic~1\Trusteer
2011-04-22 04:00:11 -------- d-----w- c:\program files\Trusteer
2011-04-22 03:58:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2011-04-08 17:17:38 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2011-04-27 00:17:28 143360 ----a-w- c:\windows\system32\mnmsrvc.vir
2011-04-27 00:17:21 261120 ----a-w- c:\windows\system32\imapi.exe
2011-04-26 23:59:56 146432 ----a-w- c:\windows\system32\rcimlby.exe
2011-04-26 23:59:31 457728 ----a-w- c:\windows\system32\tourstart.exe
2011-04-26 23:59:27 253952 ----a-w- c:\windows\system32\mobsync.exe
2011-04-26 23:59:22 179712 ----a-w- c:\windows\system32\notepad.exe
2011-04-26 23:59:03 499712 ----a-w- c:\windows\system32\cmd.exe
2011-04-26 04:41:31 160768 ----a-w- c:\windows\system32\utilman.exe
2011-04-26 04:41:26 326144 ----a-w- c:\windows\system32\osk.exe
2011-04-26 04:41:20 164352 ----a-w- c:\windows\system32\narrator.exe
2011-04-26 04:41:13 183296 ----a-w- c:\windows\system32\magnify.exe
2011-04-26 01:53:44 400384 ----a-w- c:\windows\system32\vssvc.exe
2011-04-26 01:53:34 129024 ----a-w- c:\windows\system32\ups.exe
2011-04-26 01:53:25 183808 ----a-w- c:\windows\system32\tlntsvr.exe
2011-04-26 01:53:16 200192 ----a-w- c:\windows\system32\smlogsvc.exe
2011-04-26 01:53:03 206336 ----a-w- c:\windows\system32\scardsvr.exe
2011-04-26 01:53:02 185856 ----a-w- c:\windows\system32\locator.exe
2011-04-26 01:52:57 221696 ----a-w- c:\windows\system32\netdde.exe
2011-04-26 01:52:48 116736 ----a-w- c:\windows\system32\msdtc.exe
2011-04-26 01:52:22 143872 ----a-w- c:\windows\system32\clipsrv.exe
2011-04-26 01:52:14 116224 ----a-w- c:\windows\system32\cisvc.exe
2011-04-26 01:52:03 155136 ----a-w- c:\windows\system32\alg.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 17:18:25.18 ===============

PS. When making psto adding peas my add body and give it a slightly sweeter flavor. If you buy pre-made pesto such as kirkland for ex. Adding peas is an excellent idea.

: :rockon:

super.duper · Apr 27, 2011

i have these 2 files in my local disk. that i believe may be associated to the problem their each roughly 2million-3 million kb

super.duper · Apr 27, 2011

super.duper said:
i have these 2 files in my local disk. that i believe may be associated to the problem their each roughly 2million-3 million kb

hiberfil.sys
and

pagefile.sys I will not touch them, but do you suggest using file assassin, that comes with malwareBytes? I DID previously try using file shredder with spybot, because at that moment i felt 100% sure they where bad because I have never seen them before. Ill wait for your advice.

Here is my Malware bytes report, i did a full scan, I do hope that is OK with you.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6451

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/26/2011 7:00:36 PM
mbam-log-2011-04-26 (19-00-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 248252
Time elapsed: 58 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
c:\WINDOWS\system32\notepad.exe (Trojan.FakeMS) -> 1936 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\notepad.exe (Trojan.FakeMS) -> Delete on reboot.
c:\program files\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\WINDOWS\aputumuf.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\calc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\utilman.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\utilman.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.

I cleaned the risks and they where deleted.

This a quickscan i ran after i re-booted the system to fix some problems.
:thanks:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6451

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/26/2011 7:20:59 PM
mbam-log-2011-04-26 (19-20-59).txt

Scan type: Quick scan
Objects scanned: 180837
Time elapsed: 8 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
:thanks::rockon:

super.duper · Apr 27, 2011

just in case your interested.

My Symantec picks up this on the auto-protect.
Suspicious.MH690

Location is Microsoft outlook.

I am going to run a full scan using this anti-virus however i wont take any action on the files.

:banana::wav::wav::thanks: sorry the emotes are tempting.:red:

ken545 · Apr 27, 2011

Those files you mentioned are legit windows files so leave them be

You may have a email in Outlook with a bad link or attachment, you may want to open all those folders and delete what you dont need

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the

button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
1. Click on
  
  to download the ESET Smart Installer. Save it to your desktop.
2. Double click on the
  
  icon on your desktop.
Check
Click the

button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push

, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the

button.
Push

Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

super.duper · Apr 27, 2011

C:\111\D865PERL\LAN_allOS_11.2_PV_TL3_132319_FULL\APPS\ASF\Win32\AGENT\Setup.exe a variant of Win32/Expiro.T virus
C:\111\D865PERL\LAN_allOS_11.2_PV_TL3_132319_FULL\APPS\iSCSI\Win32\iSCSIApp.exe a variant of Win32/Expiro.T virus
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE a variant of Win32/Expiro.T virus
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE a variant of Win32/Expiro.T virus
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch3.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ljvrwzqo.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js JS/Redirector.NBI trojan
C:\Documents and Settings\User\Desktop\iFunBox.exe a variant of Win32/Expiro.T virus
C:\Documents and Settings\User\Desktop\iFunBox.vir a variant of Win32/Expiro.T virus
C:\Documents and Settings\User\Local Settings\Tempwinconfig.vbs VBS/TrojanDownloader.Agent.NDV trojan
C:\Documents and Settings\User\temp\TeamViewer\Version5\install.exe a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\Sprint.exe a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\TrigrammsInstaller.exe a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\Scan\ScanMan6.exe a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\Scan\Twain\TWUNK_32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\ABBYY FineReader 6.0 Sprint\Support\Ainfo.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\plug_ins\PaperCapture\Server\Roman\capserve.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\Acrobat Elements.exe a variant of Win32/Expiro.T virus
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\AEEnable.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\DLSLdr.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\install.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\RemADI.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\RemDev.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\Remove.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\SMAgentI.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\SMAgentX.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe a variant of Win32/Expiro.T virus
C:\Program Files\Analog Devices\SoundMAX\SMax4Wiz.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\PrintCreations.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\PrintCreationsCF.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\PrintCreationsDL.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\PrintCreationsUP.exe a variant of Win32/Expiro.T virus
C:\Program Files\ArcSoft\Print Creations\Help\htmindex.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CAL\CALMAIN.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CAL\CALWLESS.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncher.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncherDVC6.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraWindowCompDVC6.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CamSetDlg.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\DirectTransfer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\MyCameraDVC6.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\CameraLauncher.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\MyCamera\MyCamera.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\MyCameraDC\MyCameraDC.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\RCTask.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPBatch.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPEditor.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPLensViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPPrinter.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPRenamer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPStamp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPTrimmer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\Digital Photo Professional\DPPWorker.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\PhotoStitch\360View.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\PhotoStitch\stitch.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\PhotoStitch\STLauncher.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\PhotoStitch\STViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX\Program\dbconverter.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX\Program\ZbScreenSaver.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX\Program\ZoomBrowser.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX MCU\MCU.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher.exe a variant of Win32/Expiro.T virus
C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher_UL.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\copier.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\patchsdk.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jdk1.6.0.b105\patch-jdk1.6.0.b105\zipper.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\patchjre.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\zipper.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\DJSActiv.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LOGBOOK.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LOGGER.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\sevinst.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\SYMUNDO.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LiveReg\IraLrShl.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LiveReg\VcCleanUp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe a variant of Win32/Expiro.T virus
C:\Program Files\epson\escndv\escndv.exe a variant of Win32/Expiro.T virus
C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\Setup.exe a variant of Win32/Expiro.T virus
C:\Program Files\InstallShield Installation Information\{901DC58A-5C1B-4315-BA40-5AD3D3A463B9}\setup.exe a variant of Win32/Expiro.T virus
C:\Program Files\InstallShield Installation Information\{DBFE5FBD-A7D9-4F74-88A1-2B042722F2DB}\Setup.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel\PerformanceIndex\PerfIndex.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel\StressTest\StressTest.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel\StressTest\UninstallWrap.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\AEEnable.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\RemADI.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SMAXWDM\W2K_XP\install.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SMAXWDM\W2K_XP\Remove.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Comn\Wizards\SMax4Wiz.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgent.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgentI.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMAgentX.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Panel\Sys\SMax4.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_PNP\Sys\SMax4PNP.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Synth\DLSLdr.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\SM_Synth\Sys\RemDev.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\Sys\CleanUp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Intel Desktop Board Audio Driver\Sys\DSndUp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\ExtExport.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\iedw.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe a variant of Win32/Expiro.T virus
C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\appletviewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\apt.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\extcheck.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\HtmlConverter.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\idlj.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jar.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jarsigner.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\java-rmi.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\java.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javac.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javadoc.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javah.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javap.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javaw.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\javaws.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jconsole.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jdb.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jhat.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jinfo.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jmap.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jps.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jrunscript.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jstack.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jstat.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\jstatd.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\keytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\kinit.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\klist.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\ktab.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\native2ascii.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\orbd.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\pack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\packager.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\policytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\rmic.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\rmid.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\schemagen.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\serialver.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\servertool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\tnameserv.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\unpack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\wsgen.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\wsimport.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\bin\xjc.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\java-rmi.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\java.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\javacpl.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\javaw.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\javaws.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\jusched.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\keytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\kinit.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\klist.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\ktab.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\orbd.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\pack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\policytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\rmid.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\servertool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\tnameserv.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jdk1.6.0\jre\bin\unpack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\java-rmi.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\java.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\javacpl.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\javaw.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\javaws.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\jusched.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\keytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\kinit.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\klist.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\ktab.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\orbd.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\pack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\policytool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\rmid.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\servertool.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\tnameserv.exe a variant of Win32/Expiro.T virus
C:\Program Files\Java\jre1.6.0\bin\unpack200.exe a variant of Win32/Expiro.T virus
C:\Program Files\Messenger\msmsgs.exe a variant of Win32/Expiro.T virus
C:\Program Files\Microsoft Office\OFFICE11\1033\SCHDPL32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Movie Maker\moviemk.exe a variant of Win32/Expiro.T virus
C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe a variant of Win32/Expiro.T virus
C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe a variant of Win32/Expiro.T virus
C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe a variant of Win32/Expiro.T virus
C:\Program Files\MSN Gaming Zone\Windows\zClientm.exe a variant of Win32/Expiro.T virus
C:\Program Files\NetMeeting\conf.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\CKA.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\NSWCfg.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\OBC.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\BACKLOG.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\NORTON.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\REGWDOC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\SI32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\SIREGIST.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\UE32.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\WDSCAN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\WINDOC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Norton Utilities\WIPINFNT.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\NOPDBInit.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\SDNTC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\sdntdolu.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\sdntrun.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\SIREGIST.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Speed Disk\SIREGSRV.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Web Cleanup\WCQuick.exe a variant of Win32/Expiro.T virus
C:\Program Files\Norton SystemWorks\Web Cleanup\WCViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Df2.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Df2med.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Nlreg.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Pack.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Revupdat.exe a variant of Win32/Expiro.T virus
C:\Program Files\NovaLogic\Delta Force 2\Update.exe a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\inst32.exe a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\FILEMGR.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPASC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPCMP.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPCOM.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPCPD.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPCPY.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPDEL.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPENC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPEXP.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPFMT.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPLBL.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPLNK.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPMKD.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPMOV.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPNTC.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPPRT.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPREN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPRUN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPSYN.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPUDO.EXE a variant of Win32/Expiro.T virus
C:\Program Files\NTTools\NFileMgr\SYMAPUUE.EXE a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\msimn.exe a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\oemig50.exe a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\setup50.exe a variant of Win32/Expiro.T virus
C:\Program Files\Outlook Express\wabmig.exe a variant of Win32/Expiro.T virus
C:\Program Files\Quick View Plus\Program\qvp32.exe a variant of Win32/Expiro.T virus
C:\Program Files\Quick View Plus\Program\qvpcomp.exe a variant of Win32/Expiro.T virus
C:\Program Files\Quick View Plus\Support\Quikview.exe a variant of Win32/Expiro.T virus
C:\Program Files\QuickTime\PictureViewer.exe a variant of Win32/Expiro.T virus
C:\Program Files\QuickTime\QTTask.exe a variant of Win32/Expiro.T virus
C:\Program Files\QuickTime\QTSystem\QuickTimeUpdateHelper.exe a variant of Win32/Expiro.T virus
C:\Program Files\Safer Networking\FileAlyzer 2\FileAlyzer2.exe a variant of Win32/Expiro.T virus
C:\Program Files\Spybot - Search & Destroy\SDFiles.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Connect 2\wmccds.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Connect 2\WMCCFG.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\dlimport.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\migrate.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\setup_wm.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmdbexport.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmlaunch.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmpenc.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmplayer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmpnetwk.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmpnscfg.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmpshare.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows Media Player\wmsetsdk.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows NT\dialer.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows NT\hypertrm.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows NT\Accessories\wordpad.exe a variant of Win32/Expiro.T virus
C:\Program Files\Windows NT\Pinball\pinball.exe a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\alg.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\cisvc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\clipsrv.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllhost.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\dmadmin.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\imapi.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\itlnfw32.dll.vir a variant of Win32/Koblu.A trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\locator.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\mnmsrvc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\msdtc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\msiexec.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\netdde.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\rsvp.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\scardsvr.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\sessmgr.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\smlogsvc.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\tlntsvr.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\ups.exe.vir a variant of Win32/Expiro.T virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\vssvc.exe.vir a variant of Win32/Expiro.T virus
C:\WINDOWS\IsUninst.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\uninsqvp.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\winhlp32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\$hf_mig$\KB2183461-IE8\SP3QFE\ie4uinit.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\$hf_mig$\KB2229593\SP3QFE\helpsvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.vir a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\accwiz.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\alg.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\charmap.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\cisvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\cleanmgr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\clipsrv.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\cmd.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\dllhost.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\dmadmin.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\freecell.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\imapi.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\locator.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\magnify.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mnmsrvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mobsync.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\msdtc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mshearts.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\msiexec.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mspaint.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\mstsc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\narrator.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\netdde.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\ntbackup.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\odbcad32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\osk.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\rcimlby.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\rsvp.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\rundll32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\scardsvr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\sessmgr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\smlogsvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\sndrec32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\sndvol32.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\sol.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\spider.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\tlntsvr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\tourstart.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\ups.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\vssvc.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\wiaacmgr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\winmine.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\wupdmgr.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\Restore\rstrui.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FARNEQA.EXE a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\usmt\migwiz.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\wbem\wmiapsrv.vir a variant of Win32/Expiro.T virus
C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe a variant of Win32/Expiro.T virus
C:\WINDOWS\twain_32\escndv\escndv.exe a variant of Win32/Expiro.T virus
Operating memory a variant of Win32/Expiro.T virus

=========
Ok, here it is I did not fix any. I just followed the directions. After turning Tea timer back on, it kept asking me about registry changes under the category:" Firewall Authorized Applications" I have neither accepted nor denied the changes.

ken545 · Apr 27, 2011

Well :sad: This where were at, read this please
http://www.f-secure.com/v-descs/virus_w32_expiro_a.shtml

What that means is the virus will just keep on infecting .exe files, when you remove what it infected it will just reinfect them again, this virus also may have stolen credit card and banking information, I would urge you to use a known clean computer and change all your passwords for sites you use for shopping and banking, also keep an eye on your statements for any unauthorized charges.

This computer has been compromised, that means it can never be trusted, I feel at this point that the only thing to do is to format and reinstall windows to guarantee and nice clean and safe computer.

If you need help with this let me know and I can link you to a windows forum that can help you

super.duper · Apr 27, 2011

:thud::sad:
So what ways can i purge this computer?
I heard something about a boot CD? will that work?
While my OS is legitimate, I obtained it with the OS pre-installed.

Would directly updating windows XP to Windows 7? Clean it?

Does this worm actually obtain infestation that's stored in the system from previous credit card purchases etc? Does it pretty much have everything?

What would you recommend on cleaning it?

Thank You Very Much for your help.:rockon:

super.duper · Apr 27, 2011

and if you could please link me the forum on doing this reformatting/re-installing.

CLick.Giftloader Re-appearing and possible rootkit infection.

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member