Alureon.CT

Old 06-22-2010, 06:01 PM   #1
Registered Member
 
Join Date: Jun 2010
Posts: 11
OS: Windows 7



Hello, guys. I'm having a bit of trouble with my computer. A week or so ago, I foolishly opened a link on Twitter that wound up giving me a virus. I'm generally good at spotting trouble like that, but in this moment I had a lapse of judgement that I'm really regretting.

Windows Defender keeps telling me that I have a trojan called alureon.ct. It says that it is removing, but it constantly regenerates. I think it's trying to hijack my browser (I use Chrome) but it generally just fails to load a site. I also came home from work today to find two Internet Explorer windows open with a smiley advertisement and something for a flash-based game.

Anyway, here is my DDS file. I appreciate any and all help! And for the record, I'm running Windows 7 Home Premium 64 Bit.



DDS (Ver_10-03-17.01) - NTFSX64
Run by Justin at 18:09:41.43 on Tue 06/22/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4094.2405 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Lala.com\Lala Music Mover\LalaMover.exe
F:\Gaming\Steam.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\AirVideoServer\AirVideoServer.exe
C:\Users\Justin\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files (x86)\Air Mouse\Air Mouse\Air Mouse.exe
C:\Program Files\Logitech\SetPoint II\SetPointII.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~2\Raptr\raptr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
C:\Program Files (x86)\Last.fm\LastFM.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Local\Temp\setupv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\AppData\Roaming\drv73825.exe
C:\WINDOWS\SysWOW64\explorer.exe
C:\Users\Justin\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://bing.zugo.com/?cfg=2-79-0-1qj21
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files (x86)\search toolbar\tbhelper.dll
mWinlogon: Userinit=userinit.exe
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files (x86)\search toolbar\tbcore3.dll
TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files (x86)\search toolbar\tbcore3.dll
uRun: [Google Update] "c:\users\justin\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files (x86)\utorrent\uTorrent.exe"
uRun: [Lala Music Mover] "c:\program files (x86)\lala.com\lala music mover\LalaMover.exe" /minimized
uRun: [Steam] "f:\gaming\steam.exe" -silent
uRun: [Raptr] c:\progra~2\raptr\raptrstub.exe --startup
uRun: [Skype] "c:\program files (x86)\skype\phone\Skype.exe" /nosplash /minimized
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [AirVideoServer] c:\program files (x86)\airvideoserver\AirVideoServer.exe
uRun: [{12416-2365-1385-346865}] c:\users\justin\appdata\roaming\drv73825.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [TrueImageMonitor.exe] c:\program files (x86)\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files (x86)\acronis\trueimagehome\TimounterMonitor.exe
mRun: [VirtualCloneDrive] "c:\program files (x86)\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [Wradax] rundll32.exe "c:\users\justin\appdata\local\eqahukoziyequki.dll",Startup
dRun: [Raptr] c:\progra~2\raptr\RaptrStub.exe --startup
StartupFolder: c:\users\justin\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files (x86)\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\airmou~1.lnk - c:\program files (x86)\air mouse\air mouse\Air Mouse.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetPointII.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
LSA: Authentication Packages = msv1_0 relog_ap
TB-X64: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun-x64: [Acronis Scheduler2 Service] "c:\program files (x86)\common files\acronis\schedule2\schedhlp.exe"

============= SERVICES / DRIVERS ===============

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-2-21 240232]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-3-2 187392]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-10-16 50176]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-1 1255736]

=============== Created Last 30 ================

2010-06-22 21:15:47 0 d-----w- c:\program files (x86)\Search Toolbar
2010-06-19 16:57:41 96784 ----a-w- c:\windows\syswow64\WPRO_40_1340woem.tmp
2010-06-19 16:53:08 233472 --sh--r- c:\users\justin\appdata\roaming\drv73825.exe
2010-06-19 16:53:03 171008 ----a-w- c:\users\justin\appdata\roaming\tempimage.exe
2010-06-19 04:33:44 0 d-----w- c:\program files\iTunes
2010-06-19 04:33:44 0 d-----w- c:\program files\iPod
2010-06-19 04:32:10 0 d-----w- c:\program files\Bonjour
2010-06-13 02:11:47 0 d-----w- c:\program files\WBFS
2010-05-26 01:01:51 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-26 01:01:51 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-05-27 07:24:13 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-05-27 06:34:09 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 04:11:32 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2010-05-21 18:14:28 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:52:30 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-05-21 05:18:06 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-05-21 05:14:50 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-05-18 20:55:18 95520 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:55:18 119584 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-18 20:35:16 91424 ----a-w- c:\windows\syswow64\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\syswow64\dns-sd.exe
2010-05-06 12:42:05 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
2010-05-06 12:41:55 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-05-06 12:41:53 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-05-06 12:41:53 5970944 ----a-w- c:\windows\syswow64\mshtml.dll
2010-05-06 12:41:49 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-05-06 12:41:49 10984448 ----a-w- c:\windows\syswow64\ieframe.dll
2010-05-01 15:07:05 3122176 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:45:56 72856 ----a-w- c:\windows\syswow64\xliveinstallhost.exe
2010-04-27 18:45:56 187544 ----a-w- c:\windows\syswow64\xliveinstall.dll
2010-04-02 21:17:52 15426200 ----a-w- c:\windows\syswow64\xlive.dll
2010-04-02 21:17:52 13642904 ----a-w- c:\windows\syswow64\xlivefnt.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-27 08:18:54 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-27 08:20:34 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-14 04:55:03 32768 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:09:58.02 ===============
Attached file: Attach.zip (3.3 KB)
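An added triage helper (example code written for this page, not part of DDS, MBAM, OTL or the thread) that parses the Pseudo HJT Report section of a DDS log like the one above and flags the entries a helper looks at first: autostart binaries under AppData or Temp, rundll32 entries loading a DLL from such a location, Run-key names that imitate a GUID, a start page that uses a search-engine brand as a subdomain of an unrelated domain, and the mPolicies-system values that switch off UAC prompting. The sample report is constructed from entries in the log above; the USER_WRITABLE markers, BRANDS table and WEAK_UAC messages are the example's own heuristics, not DDS output.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the format of the DDS "Pseudo HJT Report" section,
# with entries copied from the log posted above (DDS defangs URLs as hxxp).
SAMPLE_HJT = r"""
uStart Page = hxxp://bing.zugo.com/?cfg=2-79-0-1qj21
uRun: [Google Update] "c:\users\justin\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files (x86)\skype\phone\Skype.exe" /nosplash /minimized
uRun: [{12416-2365-1385-346865}] c:\users\justin\appdata\roaming\drv73825.exe
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [Wradax] rundll32.exe "c:\users\justin\appdata\local\eqahukoziyequki.dll",Startup
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

RUN_RE = re.compile(r"^[umd]Run(?:Once)?(?:-x64)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^mPolicies-(?P<area>\w+):\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
START_RE = re.compile(r"^[umd]Start Page\s*=\s*(?P<url>\S+)")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# Directories an unprivileged user (and anything that user runs) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# UAC policy values under mPolicies-system that weaken elevation when set to 0.
WEAK_UAC = {
    "EnableLUA": "UAC is disabled entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently with no consent prompt",
    "PromptOnSecureDesktop": "elevation prompts are not isolated on the secure desktop",
}

# Search brands that start-page hijackers reuse as a subdomain of an unrelated domain.
BRANDS = {"bing": "bing.com", "google": "google.com", "yahoo": "yahoo.com"}


@dataclass
class Finding:
    line: str
    reasons: list


def split_command(cmd):
    """Split a Run-key command line into (program, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def launched_binary(cmd):
    """Return (path, via_rundll32): the file actually loaded at logon. For a
    rundll32.exe entry that is the DLL argument, not rundll32.exe itself."""
    prog, args = split_command(cmd)
    if prog.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and args:
        dll = split_command(args)[0].split(",")[0]  # drop the ",EntryPoint" suffix
        return dll, True
    return prog, False


def run_entry_reasons(name, cmd):
    reasons = []
    target, via_rundll32 = launched_binary(cmd)
    if any(marker in target.lower() for marker in USER_WRITABLE):
        what = "rundll32 loads a DLL" if via_rundll32 else "autostart binary lives"
        reasons.append(what + " in a user-writable directory")
    if name.startswith("{") and not GUID_RE.match(name):
        reasons.append("entry name imitates a GUID but is not a valid one")
    return reasons


def start_page_reasons(url):
    host = (urlsplit(url.replace("hxxp", "http", 1)).hostname or "").lower()
    labels = host.split(".")
    registered = ".".join(labels[-2:])
    return [f"start page brands itself as {label} but is hosted under {registered}"
            for label in labels[:-2] if label in BRANDS and BRANDS[label] != registered]


def triage(report):
    """Return a Finding for every report line that deserves an analyst's attention."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        reasons = []
        if (m := RUN_RE.match(line)):
            reasons = run_entry_reasons(m["name"], m["cmd"])
        elif (m := POLICY_RE.match(line)):
            if m["area"] == "system" and m["key"] in WEAK_UAC and int(m["val"]) == 0:
                reasons = [WEAK_UAC[m["key"]]]
        elif (m := START_RE.match(line)):
            reasons = start_page_reasons(m["url"])
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The Google Update entry is flagged as well, because Google installs its updater per user under AppData, so the output is a review list for a human, not a verdict.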
Old 06-28-2010, 01:58 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Do you still need help?
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 06-28-2010, 02:48 PM   #3
Registered Member
 
Join Date: Jun 2010
Posts: 11
OS: Windows 7



Yes. I haven't been around to check this lately. We had a death in the family and I had been home. I'd appreciate any assistance at all. Thanks a lot!
Old 06-28-2010, 03:17 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Sorry about your loss, my condolences.

------------------------------------------------------

Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Please keep this computer offline except when downloading tools and posting in the forum until we get one installed.

------------------------------------------------------

Your Windows 7 User Account Control (UAC) has been disabled. Sometimes malware disables it, sometimes the end user does.

Please read this

Before you go any further, protect this system and re-enable that feature. Click Start > Control Panel > User Accounts and Family Safety > User Accounts > Change User Account settings and set it back to Default.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Windows 7, all tools should be started by right-click > Run as Administrator.

------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Right-click mbam-setup.exe and choose 'Run as administrator' to install it.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Download OTL.exe to your desktop.

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of OTL.
Get help here

Close any open browsers.

Right-click OTL.exe and choose 'Run as Administrator' to start the tool.
  • Click Run Scan and let the program run uninterrupted.
  • When the scan is complete, two text files will be created on the Desktop: OTL.Txt (this one will be opened in Notepad) and Extras.Txt.
Please copy/paste the contents of OTL.Txt in your next reply and attach the Extras.Txt to your next reply.

------------------------------------------------------
Old 06-28-2010, 05:13 PM   #5
Registered Member
 
Join Date: Jun 2010
Posts: 11
OS: Windows 7



Why no antivirus? Laziness, stubbornness, and I guess I just thought I wouldn't fall into something like this. I also felt like I would have had a layer of protection from Windows Defender, but I see that's not the case. I've learned my lesson now, though. Anything you would recommend?

Anyway, on to the logs.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4251

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/28/2010 7:50:09 PM
mbam-log-2010-06-28 (19-50-09).txt

Scan type: Quick scan
Objects scanned: 140060
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wradax (Trojan.Agent.U) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wradax (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{12416-2365-1385-346865} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (https://bing.zugo.com/?cfg=2-79-0-1qj21) Good: (https://www.google.com) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Justin\AppData\Local\Temp\1067.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\30C9.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\31E1.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\3DB4.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\3F2A.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\4764.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\4977.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\500B.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\51D0.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\5A77.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\5B9F.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\5BA9.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\62C1.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\64F2.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\6B29.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\6D1D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\7631.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\792D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\82FD.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\8DB7.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\AFD7.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\B312.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\BE48.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\BFDE.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\C86.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\CA49.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\CBC0.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\D689.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\D7D0.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\E1C.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\E806.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\Temp\E807.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\Justin\AppData\Local\eqahukoziyequki.dll (Trojan.Agent.U) -> Delete on reboot.
C:\Users\Justin\AppData\Roaming\drv73825.exe (Trojan.Agent) -> Quarantined and deleted successfully.

==========================================================


OTL logfile created on: 6/28/2010 7:58:37 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Justin\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 64.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 221.75 Gb Total Space | 70.96 Gb Free Space | 32.00% Space Free | Partition Type: NTFS
Drive D: | 11.14 Gb Total Space | 1.53 Gb Free Space | 13.77% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 931.50 Gb Total Space | 586.17 Gb Free Space | 62.93% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 149.01 Gb Total Space | 73.07 Gb Free Space | 49.04% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: JUSTIN-PC
Current User Name: Justin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/28 19:57:35 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Justin\Desktop\OTL.exe
PRC - [2010/06/19 12:56:42 | 000,395,048 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2010/06/18 17:30:48 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Users\Justin\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
PRC - [2010/06/11 02:33:32 | 000,057,296 | ---- | M] () -- C:\Program Files (x86)\Raptr\Raptr.exe
PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/05/21 20:50:34 | 001,036,464 | ---- | M] () -- C:\Program Files (x86)\Air Mouse\Air Mouse\Air Mouse.exe
PRC - [2010/05/20 13:02:28 | 004,818,760 | ---- | M] () -- C:\Program Files (x86)\AirVideoServer\AirVideoServer.exe
PRC - [2010/05/07 10:01:33 | 001,238,352 | ---- | M] (Valve Corporation) -- F:\Gaming\Steam.exe
PRC - [2010/03/07 15:08:56 | 000,215,128 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrB.exe
PRC - [2010/03/03 13:04:13 | 000,075,064 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2010/02/21 23:15:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/12/04 00:07:39 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
PRC - [2009/07/13 21:14:47 | 000,254,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
PRC - [2009/06/17 07:44:11 | 000,085,160 | ---- | M] (Elaborate Bytes AG) -- C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
PRC - [2009/06/10 05:02:50 | 000,904,840 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2009/06/10 04:57:40 | 000,136,472 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2009/06/10 04:55:30 | 001,326,080 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2009/03/05 14:49:50 | 002,155,824 | ---- | M] (Lala Media) -- C:\Program Files (x86)\Lala.com\Lala Music Mover\LalaMover.exe
PRC - [2009/02/23 20:43:12 | 000,576,000 | ---- | M] (MagicISO, Inc.) -- C:\Program Files (x86)\MagicDisc\MagicDisc.exe


========== Modules (SafeList) ==========

MOD - [2010/06/28 19:57:35 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Justin\Desktop\OTL.exe
MOD - [2009/07/13 21:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 21:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010/06/19 12:56:42 | 000,395,048 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/07 15:08:56 | 000,215,128 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrB.exe -- (PnkBstrB)
SRV - [2010/03/03 13:04:13 | 000,075,064 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/02/21 23:15:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/12/15 16:07:16 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/07/13 23:20:14 | 000,000,000 | ---D | M] [On_Demand | Stopped] -- C:\Windows\Vss -- (VSS)
SRV - [2009/07/13 23:20:14 | 000,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2009/07/13 16:30:11 | 000,061,056 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2009/06/10 04:57:56 | 000,605,976 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/04/19 20:47:42 | 000,050,688 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/12/27 22:35:14 | 000,711,712 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2009/12/27 22:35:14 | 000,081,952 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\tifsfilt.sys -- (tifsfilter)
DRV:64bit: - [2009/12/27 22:35:07 | 000,235,552 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2009/12/27 22:35:00 | 000,593,952 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tdrpman.sys -- (tdrpman)
DRV:64bit: - [2009/12/17 18:25:17 | 000,034,472 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009/08/13 23:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/08/09 17:25:45 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2009/07/31 01:12:56 | 000,339,744 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvmf6264.sys -- (NVNET)
DRV:64bit: - [2009/07/13 21:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 21:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/17 12:53:34 | 000,030,736 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV:64bit: - [2009/06/17 10:54:30 | 000,057,872 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - [2009/06/17 10:54:22 | 000,055,312 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2009/06/10 16:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 15:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/03/02 00:05:32 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/02/24 19:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009/09/28 14:20:43 | 000,089,256 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysWOW64\ElbyCDIO.dll -- (ElbyCDIO)
DRV - [2009/06/10 17:28:14 | 000,001,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\wbem\mpsdrv.mof -- (mpsdrv)
DRV - [2009/06/10 17:15:18 | 000,003,066 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysWOW64\wbem\tcpip.mof -- (Tcpip)
DRV - [2009/02/24 19:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\mcdbus.sys -- (mcdbus)
DRV - [2007/02/07 14:27:46 | 000,014,104 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | Boot | Running] -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = https://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C9 67 98 CD 50 07 CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files (x86)\Search Toolbar\tbhelper.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071303000006


FF - HKLM\software\mozilla\Firefox\Extensions\\{5623A2D2-EEA3-45F6-BFC9-A66833CB1527}: C:\Users\Justin\AppData\Local\{5623A2D2-EEA3-45F6-BFC9-A66833CB1527} [2010/06/22 17:16:31 | 000,000,000 | ---D | M]

[2009/09/15 15:19:06 | 000,000,000 | ---D | M] -- C:\Users\Justin\AppData\Roaming\Mozilla\Extensions
[2010/04/13 22:15:24 | 000,000,000 | ---D | M] -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\extensions
[2010/01/27 00:30:19 | 000,000,000 | ---D | M] (FoxyTunes) -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2010/01/27 00:30:19 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/09/15 15:19:08 | 000,000,000 | ---D | M] -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\extensions\[email protected]
[2010/04/13 22:15:24 | 000,001,606 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\amazondotcom.xml
[2009/01/29 14:11:14 | 000,001,595 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\ebay.xml
[2009/02/26 16:03:53 | 000,002,042 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\facebook.xml
[2010/04/13 22:15:24 | 000,001,221 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\filetubecom.xml
[2009/01/22 13:56:38 | 000,001,504 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\imdb.xml
[2009/05/13 13:15:03 | 000,001,098 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\project-playlist-music-search.xml
[2009/02/04 00:57:12 | 000,001,801 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\rapidsearch.xml
[2009/01/22 13:33:00 | 000,005,361 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\torrentsto.xml
[2009/03/19 08:33:52 | 000,001,632 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\weathercom.xml
[2009/01/22 1600 | 000,002,109 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\Mozilla\Firefox\Profiles\4dcaxghj.default\searchplugins\youtube-video-search.xml
[2010/04/13 22:15:24 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/01/22 16:03:28 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2009/03/05 14:50:38 | 000,390,472 | ---- | M] (Lala Media) -- C:\Program Files (x86)\Mozilla Firefox\plugins\nplalaDl.dll

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (TBSB05974 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll ()
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKCU..\Run: [AirVideoServer] C:\Program Files (x86)\AirVideoServer\AirVideoServer.exe ()
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe (IGN Entertainment)
O4 - HKCU..\Run: [Lala Music Mover] C:\Program Files (x86)\Lala.com\Lala Music Mover\LalaMover.exe (Lala Media)
O4 - HKCU..\Run: [Raptr] C:\Program Files (x86)\Raptr\RaptrStub.exe ()
O4 - HKCU..\Run: [Steam] f:\gaming\steam.exe (Valve Corporation)
O4 - HKCU..\Run: [uTorrent] C:\Program Files (x86)\uTorrent\uTorrent.exe File not found
O4 - Startup: C:\Users\Justin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} https://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} https://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} https://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} https://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.76.227.40 208.180.42.68
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30:64bit: - LSA: Authentication Packages - (relog_ap) - C:\Windows\SysNative\relog_ap.dll (Acronis)
O30 - LSA: Authentication Packages - (relog_ap) - C:\Windows\SysWow64\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2007/12/09 01:44:22 | 000,000,000 | ---D | M] - H:\autorun -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/28 19:57:33 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\Justin\Desktop\OTL.exe
[2010/06/28 19:42:11 | 000,000,000 | ---D | C] -- C:\Users\Justin\AppData\Roaming\Malwarebytes
[2010/06/28 19:42:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/06/28 19:42:05 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/06/28 19:42:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/06/28 19:42:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/06/28 19:40:54 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Justin\Desktop\mbam-setup.exe
[2010/06/22 22:19:58 | 032,472,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MRT.exe
[2010/06/22 17:42:57 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/06/22 17:27:51 | 000,961,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\CPFilters.dll
[2010/06/22 17:27:51 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\CPFilters.dll
[2010/06/22 17:27:50 | 000,552,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msdri.dll
[2010/06/22 17:27:50 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MSNP.ax
[2010/06/22 17:27:50 | 000,258,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mpg2splt.ax
[2010/06/22 17:27:50 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSNP.ax
[2010/06/22 17:27:50 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mpg2splt.ax
[2010/06/22 17:27:49 | 001,736,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll
[2010/06/22 17:16:30 | 000,000,000 | ---D | C] -- C:\Users\Justin\AppData\Local\{5623A2D2-EEA3-45F6-BFC9-A66833CB1527}
[2010/06/22 17:15:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Search Toolbar
[2010/06/19 00:33:44 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/06/19 00:33:44 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/06/19 00:32:10 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/06/12 22:11:48 | 000,000,000 | ---D | C] -- C:\Users\Justin\Documents\WBFS Manager Covers
[2010/06/12 22:11:47 | 000,000,000 | ---D | C] -- C:\Program Files\WBFS
[2010/06/12 22:10:23 | 000,000,000 | ---D | C] -- C:\Users\Justin\AppData\Local\WBFSManager
[2010/06/12 1927 | 000,000,000 | ---D | C] -- C:\Users\Justin\Documents\Kodak Folder
[2010/06/10 06:44:56 | 000,366,080 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2010/06/10 06:44:56 | 000,293,888 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2010/06/10 06:44:56 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2010/06/10 06:44:56 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/28 19:59:17 | 000,014,672 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/28 19:59:17 | 000,014,672 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/28 19:57:35 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Justin\Desktop\OTL.exe
[2010/06/28 19:53:02 | 002,097,152 | -HS- | M] () -- C:\Users\Justin\NTUSER.DAT
[2010/06/28 19:52:07 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/06/28 19:52:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/28 19:51:58 | 3219,890,176 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/28 19:50:50 | 001,760,134 | -H-- | M] () -- C:\Users\Justin\AppData\Local\IconCache.db
[2010/06/28 19:40:59 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Justin\Desktop\mbam-setup.exe
[2010/06/28 19:36:01 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1078076855-648365237-3193196271-1001UA.job
[2010/06/28 19:29:30 | 000,000,000 | ---- | M] () -- C:\Users\Justin\AppData\Local\Mcekiq.bin
[2010/06/28 19:29:29 | 000,000,120 | ---- | M] () -- C:\Users\Justin\AppData\Local\Wluqirifadufod.dat
[2010/06/28 17:44:36 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1078076855-648365237-3193196271-1001Core.job
[2010/06/26 08:49:44 | 000,727,362 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/06/26 08:49:44 | 000,623,890 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/06/26 08:49:44 | 000,107,522 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/06/24 21:33:56 | 002,535,072 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\97979797979797979797.exe
[2010/06/22 22:29:12 | 000,001,079 | ---- | M] () -- C:\Users\Public\Desktop\Air Video Server.lnk
[2010/06/22 20:58:32 | 000,003,374 | ---- | M] () -- C:\Users\Justin\Desktop\Attach.zip
[2010/06/21 19:59:02 | 000,000,434 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\twittertmpwin.jpx
[2010/06/21 19:52:29 | 000,008,001 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\myspacetmpwin.jpx
[2010/06/19 12:53:08 | 000,171,008 | ---- | M] () -- C:\Users\Justin\AppData\Roaming\tempimage.exe
[2010/06/19 00:33:59 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/06/12 22:11:49 | 000,002,593 | ---- | M] () -- C:\Users\Public\Desktop\WBFS Manager 2.5.lnk
[2010/06/11 03:21:20 | 000,274,320 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/06/03 16:24:57 | 000,001,133 | ---- | M] () -- C:\Users\Justin\Application Data\Microsoft\Internet Explorer\Quick Launch\GOM Player.lnk
[2010/06/03 16:24:57 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\GOM Player.lnk
[2010/06/01 20:14:04 | 000,002,025 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Air Mouse.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/24 21:33:54 | 002,535,072 | ---- | C] () -- C:\Users\Justin\AppData\Roaming\97979797979797979797.exe
[2010/06/22 20:58:32 | 000,003,374 | ---- | C] () -- C:\Users\Justin\Desktop\Attach.zip
[2010/06/22 18:11:32 | 000,293,376 | ---- | C] () -- C:\Users\Justin\Desktop\gmer.exe
[2010/06/22 17:16:31 | 000,000,120 | ---- | C] () -- C:\Users\Justin\AppData\Local\Wluqirifadufod.dat
[2010/06/22 17:16:31 | 000,000,000 | ---- | C] () -- C:\Users\Justin\AppData\Local\Mcekiq.bin
[2010/06/19 13:14:03 | 000,000,434 | ---- | C] () -- C:\Users\Justin\AppData\Roaming\twittertmpwin.jpx
[2010/06/19 12:54:04 | 000,008,001 | ---- | C] () -- C:\Users\Justin\AppData\Roaming\myspacetmpwin.jpx
[2010/06/19 12:53:03 | 000,171,008 | ---- | C] () -- C:\Users\Justin\AppData\Roaming\tempimage.exe
[2010/06/19 00:33:59 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/06/12 22:11:49 | 000,002,593 | ---- | C] () -- C:\Users\Public\Desktop\WBFS Manager 2.5.lnk
[2010/06/03 16:24:57 | 000,001,133 | ---- | C] () -- C:\Users\Justin\Application Data\Microsoft\Internet Explorer\Quick Launch\GOM Player.lnk
[2010/06/03 16:24:57 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\GOM Player.lnk
[2010/05/03 12:28:15 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2009/12/01 23:25:23 | 000,743,126 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
< End of report >
Attached file: Extras.Txt (38.8 KB)
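As an added example (not part of this thread and not OTL's own code), the Python below parses OTL entries like the ones in the log above and applies three checks an analyst does by eye: a binary whose company string is an empty "()" sitting in a user-writable path (AppData, ProgramData, Temp), a burst of file creations within a couple of minutes of each other, and O4 Run values whose target OTL marked "File not found". The sample lines are copied verbatim from the log; the heuristics, the 120-second window and all function names are this example's, not OTL's. Run on the sample it groups the Search Toolbar folder, the GUID-named folder and the two random-named AppData\Local files into one 44-second burst on 2010/06/22, and the two Roaming files from 2010/06/19 into another. That is a prompt to look closer, not proof of malice: Raptr.exe has no company string either and is not flagged, only because of where it lives.

```python
"""Triage helpers for OTL (OldTimer Tools) log lines.

Added example, not part of the forum post and not OTL's own code. The sample
lines are copied from the log above; the heuristics (no publisher string on a
binary in a user-writable path, a burst of file creations, Run values whose
target is gone) are this example's, not OTL's.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# "[date time | size | attrs | C/M] (Company) [state] -- path -- (Name)"; company,
# state and name are optional, and an empty "()" means OTL found no company string.
ENTRY_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"\s*(?:\((?P<company>[^)]*)\))?"      # "(Company)" or "()"
    r"(?:\s*\[[^\]]*\])?"                  # "[Auto | Running]" on SRV/DRV lines
    r"\s*--\s*(?P<path>.*?)(?:\s*--\s*\((?P<name>[^)]*)\))?\s*$"
)
# "O4 - HKCU..\Run: [Name] path File not found": an autorun whose target is gone.
DANGLING_RUN_RE = re.compile(r"^O4(?::64bit:)? - HK\w+\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) File not found$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

@dataclass
class Entry:
    ts: datetime
    size: int
    attrs: str               # "----" file, "---D" directory, "-HS-" hidden+system
    created: bool            # True in the "[... | C]" (created) sections, False for M
    company: Optional[str]   # None: no company field printed; "": "()", no publisher
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.search(line)
    if not m:
        return None
    return Entry(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                 int(m["size"].replace(",", "")), m["attrs"], m["kind"] == "C",
                 m["company"], m["path"].strip())

def dangling_run_values(lines: List[str]) -> List[str]:
    """Names of Run values OTL marked "File not found" (a leftover, or a removed dropper)."""
    return [m["name"] for m in map(DANGLING_RUN_RE.match, (l.strip() for l in lines)) if m]

def unsigned_user_binaries(entries: List[Entry]) -> List[Entry]:
    """Binaries with no publisher string under a path a limited user can write to.
    The missing string alone is weak (Raptr.exe above has none); the location makes the hit."""
    return [e for e in entries if not e.is_dir and e.company == ""
            and e.name.lower().endswith(EXEC_EXT)
            and any(m in e.path.lower() for m in USER_WRITABLE)]

def creation_clusters(entries: List[Entry], window: timedelta = timedelta(seconds=120),
                      min_size: int = 2) -> List[List[Entry]]:
    """Chain created entries whose timestamps fall within `window` of the previous one.
    A drive-by drops its files in a burst, so one known-bad time pulls in its siblings."""
    clusters: List[List[Entry]] = []
    current: List[Entry] = []
    for e in sorted((e for e in entries if e.created), key=lambda e: e.ts):
        if current and e.ts - current[-1].ts > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters

# Lines copied verbatim from the OTL log in this thread.
SAMPLE_LOG = [
    r"PRC - [2010/06/11 02:33:32 | 000,057,296 | ---- | M] () -- C:\Program Files (x86)\Raptr\Raptr.exe",
    r"SRV - [2010/03/07 15:08:56 | 000,215,128 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrB.exe -- (PnkBstrB)",
    r"O4 - HKCU..\Run: [uTorrent] C:\Program Files (x86)\uTorrent\uTorrent.exe File not found",
    r"[2010/06/22 17:16:31 | 000,000,120 | ---- | C] () -- C:\Users\Justin\AppData\Local\Wluqirifadufod.dat",
    r"[2010/06/22 17:16:31 | 000,000,000 | ---- | C] () -- C:\Users\Justin\AppData\Local\Mcekiq.bin",
    r"[2010/06/22 17:16:30 | 000,000,000 | ---D | C] -- C:\Users\Justin\AppData\Local\{5623A2D2-EEA3-45F6-BFC9-A66833CB1527}",
    r"[2010/06/22 17:15:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Search Toolbar",
    r"[2010/06/24 21:33:54 | 002,535,072 | ---- | C] () -- C:\Users\Justin\AppData\Roaming\97979797979797979797.exe",
    r"[2010/06/19 12:54:04 | 000,008,001 | ---- | C] () -- C:\Users\Justin\AppData\Roaming\myspacetmpwin.jpx",
    r"[2010/06/19 12:53:03 | 000,171,008 | ---- | C] () -- C:\Users\Justin\AppData\Roaming\tempimage.exe",
    r"[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]",
]

if __name__ == "__main__":
    entries = [e for e in map(parse_entry, SAMPLE_LOG) if e]
    print("unsigned binaries in user paths:", [e.name for e in unsigned_user_binaries(entries)])
    print("creation bursts:", [[e.name for e in c] for c in creation_clusters(entries)])
    print("dangling Run values:", dangling_run_values(SAMPLE_LOG))
```

To use it on a real log, feed the whole OTL.txt through `parse_entry` and `dangling_run_values` line by line; the "Files/Folders - Created Within 30 Days" and "Files Created - No Company Name" sections are where the creation-burst check earns its keep, and widening the window beyond a couple of minutes quickly starts merging ordinary software installs.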
Old 06-28-2010, 06:15 PM   #6
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello iamtheb. Does Windows Defender still detect Alureon? Describe any remaining problems.

------------------------------------------------------

As far as a purchased AV goes, you can't go wrong with ESET's NOD32 or Smart Security, and you can try it free for 30 days:

https://www.eset.com/download/free-trial

I use it, and love it. You will be surprised how fast and silently it runs.

------------------------------------------------------

As far as a free AV goes, I recommend Avira's AntiVir, a good AV that is light on system resources:

https://www.free-av.com/en/pages/20/I...20AntiVir.html

------------------------------------------------------

Please go to: VirusTotal
  • Click the Browse button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    C:\Users\Justin\AppData\Roaming\97979797979797979797.exe

  • Click Open then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 06-28-2010, 06:49 PM   #7
iamtheb
Registered Member

Here's the VirusTotal Link.

So far, I'm not getting any notices from Windows Defender. I also just ran a scan with Defender and it picked nothing up. Everything else seems to be normal.

Also, I'll give Avira a go around and see how it works out. Once again, I want to thank you for your help here. It's really been a lifesaver.
Old 06-28-2010, 07:44 PM   #8
chemist
Security Team

Hello again, iamtheb. You're welcome. Please tell me how your machine continues to behave.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /a/f/q "C:\Users\Justin\AppData\Local\Wluqirifadufod.dat"

A DOS window will open and close again, this is normal.

Repeat for the following:

cmd /c del /a/f/q "C:\Users\Justin\AppData\Local\Mcekiq.bin"

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
ren "C:\Users\Justin\AppData\Roaming\97979797979797979797.exe" "97979797979797979797.exe.old"
cls
Save this Notepad file as rename.bat, choose Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on rename.bat and allow it to run. Please delete the file afterwards.

------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 17 can be updated from the Java Control Panel. Go Start > Control Panel > Programs > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.

------------------------------------------------------

Please run this online scan to help look for remnants.

Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows 7, you must open the Web browser via a right-click using the Run as Administrator command.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
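The steps above neutralise three files by hand: two deleted with `del /a/f/q`, one renamed to .old, and the renamed one then submitted to VirusTotal. As an added example (not from chemist's instructions and not part of OTL, ComboFix or Malwarebytes), the Python routine below does the same for a list of paths while keeping the two things an analyst wants preserved: a SHA-256 of each file taken before it is touched, so VirusTotal can be searched by hash without uploading anything, and the sample itself, renamed with the post's .old suffix rather than deleted. It treats a locked file as a finding rather than an error, because on Windows a rename that fails with a permission error means the process holding the file is still alive, and it offers a re-check for the regeneration Windows Defender was reporting. The `demo()` paths and contents are constructed in a scratch directory; the real targets are the AppData paths named in the post.

```python
"""Quarantine suspect files the way the post does by hand, but keep the evidence.

Added example; not from the forum post and not part of OTL, ComboFix or any tool
named in the thread. The post deletes two files with `del /a/f/q` and renames the
.exe to .old. This does the same neutralisation for a list of paths while hashing
each file first (so VirusTotal can be searched by SHA-256 without uploading),
renaming rather than deleting (so a sample survives for analysis) and writing a
JSON manifest. The demo's file names mirror the post; their contents are made up.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Union

QUARANTINE_SUFFIX = ".old"   # same convention as rename.bat in the post


def sha256_of(path: Union[str, Path]) -> str:
    """Stream the file so the size of the dropper does not matter."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(paths: List[str], manifest: Optional[Union[str, Path]] = None,
               dry_run: bool = False) -> List[Dict]:
    """Hash, then rename each path to <name>.old. Never follows symlinks, never
    overwrites an existing .old, and records (instead of raising) a locked file,
    which on Windows means the process holding it is still running."""
    records: List[Dict] = []
    for raw in paths:
        p = Path(raw)
        rec: Dict = {"path": str(p)}
        if p.is_symlink():
            rec["status"] = "skipped_symlink"
        elif not p.is_file():
            rec["status"] = "missing"
        else:
            st = p.stat()
            rec.update(size=st.st_size, mtime=int(st.st_mtime), sha256=sha256_of(p))
            target = p.with_name(p.name + QUARANTINE_SUFFIX)
            rec["renamed_to"] = str(target)
            if target.exists():
                rec["status"] = "target_exists"
            elif dry_run:
                rec["status"] = "would_rename"
            else:
                try:
                    p.rename(target)
                    rec["status"] = "renamed"
                except PermissionError:
                    rec["status"] = "in_use"   # stop the owner first, or rename at boot
        records.append(rec)
    if manifest is not None:
        Path(manifest).write_text(json.dumps(records, indent=2))
    return records


def originals_present(records: List[Dict]) -> List[str]:
    """Re-run after a reboot: a quarantined path that exists again means something
    is recreating it, which is what Defender was reporting."""
    return [r["path"] for r in records if Path(r["path"]).exists()]


def demo(root: Optional[str] = None, dry_run: bool = False) -> List[Dict]:
    """Create constructed stand-ins for the files named in the post in a scratch
    directory, quarantine them plus one path that does not exist, return the records."""
    base = Path(root or tempfile.mkdtemp(prefix="otl-quarantine-"))
    samples = {                               # constructed contents, not real samples
        "Wluqirifadufod.dat": b"\x00" * 120,  # 120 bytes, as in the log
        "Mcekiq.bin": b"",                    # 0 bytes, as in the log
        "97979797979797979797.exe": b"MZ" + b"\x90" * 64,
    }
    for name, data in samples.items():
        (base / name).write_bytes(data)
    targets = [str(base / n) for n in samples] + [str(base / "not-there.exe")]
    return quarantine(targets, manifest=base / "quarantine.json", dry_run=dry_run)


if __name__ == "__main__":
    for rec in demo():
        print(rec["status"], rec["path"], rec.get("sha256", ""))
```

Run it as the user who owns the profile (or elevated) with `dry_run=True` first to see what would move, then for real; the `sha256` values in the manifest are what you paste into VirusTotal's search box, and an `in_use` status is the cue to find and stop the owning process before retrying.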
Old 06-29-2010, 12:22 PM   #9
iamtheb
Registered Member

I updated Java and I also downloaded Avira. This morning before I headed to work, I found that Avira had detected something. I made sure to remove it, but the name is escaping me right now. I'll make sure to post it later this evening.

Also, Kaspersky says that I don't have the proper requirements to run it. Do you think that has to do with the use of Google Chrome? Thanks again.
Old 06-29-2010, 02:15 PM   #10
chemist
Security Team

Try using IE for the scan.
Old 06-30-2010, 02:54 PM   #11
iamtheb
Registered Member

Here is the scan!
Attached file: Kaspersky Report.txt (12.3 KB)
Old 06-30-2010, 04:16 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, iamtheb. When was ComboFix run on this machine?
chemist is offline  
Old 06-30-2010, 04:31 PM   #13
Registered Member
 
Join Date: Jun 2010
Posts: 11
OS: Windows 7



It's been a while, I believe. I know it was well before I came on here for advice.
iamtheb is offline  
Old 06-30-2010, 05:16 PM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Who instructed you to run ComboFix?

Please attach this file to your next reply:

C:\ComboFix.txt
chemist is offline  
Old 06-30-2010, 05:21 PM   #15
Registered Member
 
Join Date: Jun 2010
Posts: 11
OS: Windows 7



A friend of mine made mention that I should try it.
Attached Files
File Type: txt ComboFix.txt (35.0 KB, 43 views)
iamtheb is offline  
Old 06-30-2010, 05:55 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, iamtheb. As stated in the disclaimer you had to pass when running ComboFix, it is not intended for unsupervised use.

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

------------------------------------------------------

You also didn't properly uninstall ComboFix or OTListIt before you upgraded to Win7 64-bit.

Do a search for the following and delete any files/folders:

combofix
qoobox
_OTListIt

------------------------------------------------------

System Volume Information is where Windows keeps old system restore points. Those will get deleted when we are done.

------------------------------------------------------

Ensure your H: drive is inserted/connected.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Start with a fresh log of anything that could not be deleted
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\$WINDOWS.~Q\DATA\Users\Justin\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report2e97bd9c\Report.cab"
"C:\$WINDOWS.~Q\DATA\Users\Justin\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report369b947a\Report.cab"
"C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25LS62JK\tbprofit[1].exe"
"C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4SRX2WPS\net[1].exe"
"C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BTZO6RCK\installsconverter[1].exe"
"C:\Users\Justin\AppData\Local\Temp\416B.tmp"
"C:\Users\Justin\AppData\Local\Temp\6F2F.tmp"
"C:\Users\Justin\AppData\Local\Temp\DC62.tmp"
"C:\Users\Justin\AppData\Local\Temp\setupv.exe"
"C:\Users\Justin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\301cb0e5-1de4fa99"
"C:\Users\Justin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\301cb0e5-69b971c7"
"C:\Users\Justin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\54714329-11e360c5"
"C:\Users\Justin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3efada6c-394c5ee4"
"C:\Users\Justin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\299b3ab2-1b5d0587"
"C:\Users\Justin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\7b79707a-2339e49f"
"C:\Users\Justin\AppData\Roaming\97979797979797979797.exe.old"
"C:\Users\Justin\AppData\Roaming\tempimage.exe"
"H:\Start.exe"

) do (
rem Force-delete each listed file regardless of attributes, silently
del /a/f/q %%g >nul 2>&1
rem Anything still present afterwards is recorded for review
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


rem Show the leftover list in Notepad, or confirm a clean run
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself when finished
del %0

Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------

You never told me what Avira found. How is the machine behaving?

------------------------------------------------------
chemist is offline  
Old 06-30-2010, 06:03 PM   #17
Registered Member
 
Join Date: Jun 2010
Posts: 11
OS: Windows 7



It just told me that it was deleted successfully. The machine seems to be behaving fine as well.
Here's what I had from Avira.

From 06/29/10:
The file 'C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NEEBXHZL\loudmo[1].exe'
contained a virus or unwanted program 'DR/VB.ahcz.2' [dropper]
Action(s) taken:
The file was moved to the quarantine directory under the name '481f6f1f.qua'.

And 06/28/10:
Virus or unwanted program 'DR/VB.ahcz.2 [dropper]'
detected in file 'C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NEEBXHZL\loudmo[1].exe.
Action performed: Deny access
iamtheb is offline  
Old 06-30-2010, 06:57 PM   #18
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, iamtheb. Sounds like Avira is doing its job. You'll get those, depending on what site you are visiting.

------------------------------------------------------

Please update Avira. Next, reboot into Safe Mode and do a full system scan.
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode and press 'Enter'.
  • Login on your usual account.
------------------------------------------------------

At the end of the scan, click 'Repair All', then 'Report' and post the log in your next reply.

------------------------------------------------------
chemist is offline  
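A full Avira AntiVir report of the kind requested here is easier to triage with a small parser. The following is an added example (not Avira's, ComboFix's or the forum's code) that groups [DETECTION] entries by where the file sits, since hits inside C:\Qoobox\Quarantine, _OTListIt\MovedFiles and System Volume Information are files an earlier tool already neutralized rather than a live infection, and records which ones the disinfection pass quarantined; the sample report is constructed in the report's layout with shortened paths, a placeholder restore-point GUID and made-up .qua names.

```python
"""Triage an Avira AntiVir scan report: group [DETECTION] hits by location
and match them against the 'Beginning disinfection:' section.
Added example; the report excerpt below is constructed, not a real scan."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_REPORT = """\
Starting the file scan:

Begin scan in 'C:\\'
C:\\Program Files (x86)\\Phantasy Star Online Blue Burst\\SHPsoBB_multi.exe
[DETECTION] Is the TR/Renaz.1917912 Trojan
C:\\Qoobox\\Quarantine\\C\\Users\\Justin\\lsass.exe.vir
[DETECTION] Contains a recognition pattern of the (harmful) BDS/VB.ehs back-door program
C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\ak1.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\drivers\\_ovfsthxvvwfeotn_.sys.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Rootkit.Gen Trojan
--> ovfsthxvvwfeotn.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP12\\A0012359.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\\Users\\Justin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\4SRX2WPS\\Gamebound[1].exe
[0] Archive type: NSIS
[DETECTION] Is the TR/Agent.161280 Trojan
--> [PluginsDir]/nswebgui.dll
[DETECTION] Is the TR/Agent.161280 Trojan
C:\\Users\\Public\\Downloads\\MLB2K10.Data.001
[WARNING] The file could not be read!
Begin scan in 'D:\\' <FACTORY_IMAGE>

Beginning disinfection:
C:\\Users\\Justin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\4SRX2WPS\\Gamebound[1].exe
[DETECTION] Is the TR/Agent.161280 Trojan
[NOTE] The file was moved to the quarantine directory under the name 'aaaa0001.qua'.
C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP12\\A0012359.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name 'aaaa0002.qua'.
"""

# Both phrasings Avira uses for a hit; group 1 is the signature name.
DETECTION_RE = re.compile(
    r"^\[DETECTION\] (?:Is the|Contains (?:a )?recognition pattern of the"
    r"(?: \(harmful\))?) (\S+)")
QUARANTINE_RE = re.compile(
    r"^\[NOTE\] The file was moved to the quarantine directory under the name '([^']+)'")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a top-level object path line


@dataclass
class Detection:
    path: str
    signature: str
    location: str
    quarantined_as: Optional[str] = None


def classify(path: str) -> str:
    """Where the file lives decides how much a hit matters."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or "\\_otlistit\\movedfiles\\" in p:
        return "earlier_tool_quarantine"   # leftovers from ComboFix / OTListIt
    if "\\system volume information\\_restore" in p:
        return "restore_point"             # inert until a restore is performed
    if "\\temporary internet files\\" in p or "\\java\\deployment\\cache\\" in p:
        return "cache"                     # downloaded, not necessarily executed
    return "live"


def parse_report(text: str) -> Tuple[List[Detection], List[str]]:
    detections: Dict[str, Detection] = {}
    unreadable: List[str] = []
    current: Optional[str] = None
    disinfecting = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Beginning disinfection:":
            disinfecting, current = True, None
            continue
        if PATH_RE.match(line):
            current = line
            continue
        if current is None:
            continue
        if line.startswith("[WARNING]"):
            unreadable.append(current)
            continue
        m = DETECTION_RE.match(line)
        # Archive members ('-->' lines) repeat the hit; count the container once.
        if m and not disinfecting and current not in detections:
            detections[current] = Detection(current, m.group(1), classify(current))
            continue
        m = QUARANTINE_RE.match(line)
        if m and disinfecting and current in detections:
            detections[current].quarantined_as = m.group(1)
    return list(detections.values()), unreadable


def summarize(detections: List[Detection], unreadable: List[str]) -> dict:
    return {
        "by_location": dict(Counter(d.location for d in detections)),
        "by_signature": dict(Counter(d.signature for d in detections)),
        "quarantined": sum(1 for d in detections if d.quarantined_as),
        # The only entries that still need a human decision:
        "live_unresolved": [d.path for d in detections
                            if d.location == "live" and not d.quarantined_as],
        "unreadable": list(unreadable),
    }


if __name__ == "__main__":
    dets, unread = parse_report(SAMPLE_REPORT)
    for key, value in summarize(dets, unread).items():
        print(f"{key}: {value}")
```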
Old 07-01-2010, 01:02 AM   #19
Registered Member
 
Join Date: Jun 2010
Posts: 11
OS: Windows 7



Here's the Avira Log.




Avira AntiVir Personal
Report file date: Wednesday, June 30, 2010 22:03

Scanning for 2280411 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 x64
Windows version : (plain) [6.1.7600]
Boot mode : Safe mode
Username : Justin
Computer name : JUSTIN-PC

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 01:35:26
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 01:35:33
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 01:35:33
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 01:35:33
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 01:35:33
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 01:35:33
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 01:35:33
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 01:35:34
VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 01:35:35
VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 01:35:37
VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 01:35:38
VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 01:35:39
VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 01:35:41
VBASE018.VDF : 7.10.8.194 133632 Bytes 6/27/2010 01:35:43
VBASE019.VDF : 7.10.8.195 2048 Bytes 6/27/2010 01:35:43
VBASE020.VDF : 7.10.8.196 2048 Bytes 6/27/2010 01:35:43
VBASE021.VDF : 7.10.8.197 2048 Bytes 6/27/2010 01:35:43
VBASE022.VDF : 7.10.8.198 2048 Bytes 6/27/2010 01:35:43
VBASE023.VDF : 7.10.8.199 2048 Bytes 6/27/2010 01:35:44
VBASE024.VDF : 7.10.8.200 2048 Bytes 6/27/2010 01:35:44
VBASE025.VDF : 7.10.8.201 2048 Bytes 6/27/2010 01:35:44
VBASE026.VDF : 7.10.8.202 2048 Bytes 6/27/2010 01:35:44
VBASE027.VDF : 7.10.8.203 2048 Bytes 6/27/2010 01:35:44
VBASE028.VDF : 7.10.8.204 2048 Bytes 6/27/2010 01:35:44
VBASE029.VDF : 7.10.8.205 2048 Bytes 6/27/2010 01:35:45
VBASE030.VDF : 7.10.8.206 2048 Bytes 6/27/2010 01:35:45
VBASE031.VDF : 7.10.8.218 134144 Bytes 6/29/2010 02:29:09
Engineversion : 8.2.4.2
AEVDF.DLL : 8.1.2.0 106868 Bytes 6/29/2010 01:36:03
AESCRIPT.DLL : 8.1.3.33 1356155 Bytes 6/29/2010 01:36:03
AESCN.DLL : 8.1.6.1 127347 Bytes 6/29/2010 01:36:01
AESBX.DLL : 8.1.3.1 254324 Bytes 6/29/2010 01:36:05
AERDL.DLL : 8.1.4.6 541043 Bytes 6/29/2010 01:36:01
AEPACK.DLL : 8.2.2.5 430453 Bytes 6/29/2010 01:36:00
AEOFFICE.DLL : 8.1.1.0 201081 Bytes 6/29/2010 01:35:58
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 6/29/2010 01:35:58
AEHELP.DLL : 8.1.11.6 242038 Bytes 6/29/2010 01:35:53
AEGEN.DLL : 8.1.3.12 377204 Bytes 6/29/2010 01:35:52
AEEMU.DLL : 8.1.2.0 393588 Bytes 6/29/2010 01:35:51
AECORE.DLL : 8.1.15.3 192886 Bytes 6/29/2010 01:35:49
AEBB.DLL : 8.1.1.0 53618 Bytes 6/29/2010 01:35:48
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, F:, H:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Wednesday, June 30, 2010 22:03

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '65' Module(s) have been scanned
Scan process 'avcenter.exe' - '76' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '126' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Program Files (x86)\Phantasy Star Online Blue Burst\SHPsoBB_multi.exe
[DETECTION] Is the TR/Renaz.1917912 Trojan
C:\Qoobox\Quarantine\C\Users\Justin\lsass.exe.vir
[DETECTION] Contains a recognition pattern of the (harmful) BDS/VB.ehs back-door program
C:\Qoobox\Quarantine\C\Users\Justin\AppData\Local\Temp\mousehook.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Users\Justin\AppData\Local\Temp\ntdll64.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\ld08.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
--> Object
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\pp06.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
--> Object
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\afnoinkdsfe.dll.vir
[DETECTION] Is the TR/Dldr.Agent.bvpx Trojan
C:\Qoobox\Quarantine\C\Windows\System32\ak1.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\detebosi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\frmwrk32.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\kijosagi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\laruyupi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\lmn_setup.exe.vir
[DETECTION] Contains recognition pattern of the DR/Small.cgi dropper
C:\Qoobox\Quarantine\C\Windows\System32\loader49.exe.vir
[DETECTION] Is the TR/Dldr.Agent.vxo Trojan
C:\Qoobox\Quarantine\C\Windows\System32\ntdll64.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxcbvnujdh.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxmbdbmkpd.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxpqfbivny.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxpubraceu.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxsineegfn.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxxjlqexbp.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\SYS32DLL.exe.vir
[DETECTION] Is the TR/BHO.Gen Trojan
--> Object
[DETECTION] Is the TR/BHO.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\tefadige.exe.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\tevofagi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\vevuhura.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\wanajiva.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\winglsetup.exe.vir
[DETECTION] Is the TR/Drop.Agent.39936 Trojan
C:\Qoobox\Quarantine\C\Windows\System32\yhs783ijfo3fe.dll.vir
[DETECTION] Is the TR/Dldr.Ertfor.B Trojan
C:\Qoobox\Quarantine\C\Windows\System32\796525\796525.dll.vir
[DETECTION] Is the TR/BHO.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\drivers\ovfsthxvvwfeotn.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_ovfsthxvvwfeotn_.sys.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Rootkit.Gen Trojan
--> ovfsthxvvwfeotn.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
--> ovfsthxvvwfeotn.sys.1
[DETECTION] Is the TR/Rootkit.Gen Trojan
--> ovfsthxvvwfeotn.sys.2
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\120817708.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1224881167.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1225921167.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1337870636.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1403340972.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1467873692.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1476288368.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1533394028.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1587680752.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1663377084.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1717663808.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1785228140.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\185330428.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\1930833871.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\194103358.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\2508174431.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\250850764.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\2620393900.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\2685894236.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\2750406956.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\2815917292.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\2870214016.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\2937974820.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\3000197072.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\305117488.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\3067761404.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\3213367135.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\3784887980.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\380833820.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\3837254444.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\3838994444.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\3902957164.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\3968427500.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\4028397151.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\4098460556.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\4152717280.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\4220271612.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\435110544.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\502684876.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\55337372.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\65902960.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\temp\ntdll64.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0012359.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0012383.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0012408.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0013395.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0017399.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0022398.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4SRX2WPS\Gamebound[1].exe
[0] Archive type: NSIS
[DETECTION] Is the TR/Agent.161280 Trojan
--> [PluginsDir]/nswebgui.dll
[DETECTION] Is the TR/Agent.161280 Trojan
C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BTZO6RCK\SearchToolbar[1].exe
[DETECTION] Is the TR/Drop.Agen.989336 Trojan
C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NEEBXHZL\Gamebound[1].exe
[0] Archive type: NSIS
[DETECTION] Is the TR/Agent.161280 Trojan
--> [PluginsDir]/nswebgui.dll
[DETECTION] Is the TR/Agent.161280 Trojan
C:\Users\Public\Downloads\MLB2K10.Data.001
[WARNING] The file could not be read!
C:\_OTListIt\MovedFiles\02262009_141355\Windows\system32\jehavifu.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\_OTListIt\MovedFiles\02262009_141355\Windows\system32\kunubasi.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\_OTListIt\MovedFiles\02262009_141355\Windows\system32\liwuholo.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\_OTListIt\MovedFiles\02262009_141355\Windows\system32\nopasisi.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\_OTListIt\MovedFiles\03022009_123020\Windows\System\xccef090131.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\' <FACTORY_IMAGE>
Begin scan in 'F:\' <Local Disk 2>
Begin scan in 'H:\' <My Book>

Beginning disinfection:
C:\_OTListIt\MovedFiles\03022009_123020\Windows\System\xccef090131.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4821eeba.qua'.
C:\_OTListIt\MovedFiles\02262009_141355\Windows\system32\nopasisi.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '50a5c111.qua'.
C:\_OTListIt\MovedFiles\02262009_141355\Windows\system32\liwuholo.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '02c59bf3.qua'.
C:\_OTListIt\MovedFiles\02262009_141355\Windows\system32\kunubasi.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '64cbd405.qua'.
C:\_OTListIt\MovedFiles\02262009_141355\Windows\system32\jehavifu.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '2141f90b.qua'.
C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NEEBXHZL\Gamebound[1].exe
[DETECTION] Is the TR/Agent.161280 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5e57cb76.qua'.
C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BTZO6RCK\SearchToolbar[1].exe
[DETECTION] Is the TR/Drop.Agen.989336 Trojan
[NOTE] The file was moved to the quarantine directory under the name '12fbe720.qua'.
C:\Users\Justin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4SRX2WPS\Gamebound[1].exe
[DETECTION] Is the TR/Agent.161280 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6ef7a76c.qua'.
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0022398.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '43688bf1.qua'.
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0017399.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5a00b06b.qua'.
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0013395.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '365c9c5b.qua'.
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0012408.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '47e5a5ce.qua'.
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0012383.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '49ff9509.qua'.
C:\System Volume Information\_restore{FF15A0B8-23AF-4318-8A30-771F1A43171C}\RP12\A0012359.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0cd6ec4b.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\ntdll64.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0511eb1c.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\65902960.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5da5f1b2.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\55337372.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '716b887e.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\502684876.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '4f94e89f.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\435110544.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '2ca5c3d1.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\4220271612.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0a5283cf.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\4152717280.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '38f9f86b.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\4098460556.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '32b8d32a.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\4028397151.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0dd0b76f.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\3968427500.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '73c0bb7f.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\3902957164.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '2686bfb4.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\3838994444.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '2b13ce93.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\3837254444.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '374eda9a.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\380833820.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '069e9754.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\3784887980.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6af08363.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\3213367135.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '2353a663.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\3067761404.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '78f9ae8c.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\305117488.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '1e48a265.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\3000197072.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '49fbd0cd.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\2937974820.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '6b88878e.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\2870214016.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '03a4fd17.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\2815917292.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '23ecf992.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\2750406956.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '76f4bf27.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\2685894236.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '17d19e9b.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\2620393900.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '7247dc10.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\250850764.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '1792a8b1.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\2508174431.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '04769422.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\194103358.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '16f3e893.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1930833871.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '019c8b21.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\185330428.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5b80b9b0.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1785228140.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '7e88c3ab.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1717663808.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0aeadbd8.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1663377084.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '28d78955.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1587680752.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5d42f14f.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1533394028.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '762ead4f.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1476288368.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1175e5f1.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1467873692.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5a04dce7.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1403340972.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5ac4d6b6.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1337870636.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '106883a1.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1225921167.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '7e40ac68.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\1224881167.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '3360f218.qua'.
C:\Qoobox\Quarantine\C\Windows\temp\120817708.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5b46d523.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_ovfsthxvvwfeotn_.sys.zip
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '2109ec17.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\drivers\ovfsthxvvwfeotn.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '506bb06a.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\796525\796525.dll.vir
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '207c99b7.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\yhs783ijfo3fe.dll.vir
[DETECTION] Is the TR/Dldr.Ertfor.B Trojan
[NOTE] The file was moved to the quarantine directory under the name '5bf1e611.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\winglsetup.exe.vir
[DETECTION] Is the TR/Drop.Agent.39936 Trojan
[NOTE] The file was moved to the quarantine directory under the name '15af9579.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\wanajiva.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6bd4ee57.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\vevuhura.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1f76c620.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\tevofagi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '14429a49.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\tefadige.exe.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '47aa898b.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\SYS32DLL.exe.vir
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '222ea2fd.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxxjlqexbp.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0a38f27d.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxsineegfn.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '7e9babc7.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxpubraceu.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '3196d34e.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxpqfbivny.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0e428ae8.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxmbdbmkpd.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '7474895e.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\ovfsthxcbvnujdh.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '247c8e2e.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\ntdll64.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '72768462.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\loader49.exe.vir
[DETECTION] Is the TR/Dldr.Agent.vxo Trojan
[NOTE] The file was moved to the quarantine directory under the name '35db80b5.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\lmn_setup.exe.vir
[DETECTION] Contains recognition pattern of the DR/Small.cgi dropper
[NOTE] The file was moved to the quarantine directory under the name '1680ee35.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\laruyupi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '510fc7ef.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\kijosagi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '23639473.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\frmwrk32.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0803d75e.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\detebosi.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4ba3d9de.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\ak1.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0190a0e0.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\afnoinkdsfe.dll.vir
[DETECTION] Is the TR/Dldr.Agent.bvpx Trojan
[NOTE] The file was moved to the quarantine directory under the name '0c1fbe45.qua'.
C:\Qoobox\Quarantine\C\Windows\pp06.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '2333f695.qua'.
C:\Qoobox\Quarantine\C\Windows\ld08.exe.vir
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1cf7bfc3.qua'.
C:\Qoobox\Quarantine\C\Users\Justin\AppData\Local\Temp\ntdll64.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '23dca969.qua'.
C:\Qoobox\Quarantine\C\Users\Justin\AppData\Local\Temp\mousehook.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4634f9b5.qua'.
C:\Qoobox\Quarantine\C\Users\Justin\lsass.exe.vir
[DETECTION] Contains a recognition pattern of the (harmful) BDS/VB.ehs back-door program
[NOTE] The file was moved to the quarantine directory under the name '6039dedb.qua'.
C:\Program Files (x86)\Phantasy Star Online Blue Burst\SHPsoBB_multi.exe
[DETECTION] Is the TR/Renaz.1917912 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6c658e78.qua'.


End of the scan: Thursday, July 01, 2010 03:54
Used time: 2:18:42 Hour(s)

The scan has been done completely.

44347 Scanned directories
1308226 Files were scanned
89 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
87 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1308137 Files not concerned
11297 Archives were scanned
1 Warnings
87 Notes
Old 07-01-2010, 05:55 AM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, iamtheb. Did you miss this previous instruction?

Quote:
Do a search for the following and delete any files/folders:

combofix
qoobox
_OTListIt
------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Double-click OTL.exe and click CleanUp

This will uninstall most tools used in this fix.

------------------------------------------------------
  • Go to Computer > System properties > System protection > Configure.
  • Check 'Turn off system protection' > Apply > Yes > OK.
  • Now turn it back on > Configure
  • Check 'Restore system settings and previous versions of files'.
  • Click Apply > OK > OK.
This will flush out older possibly infected System Restore Points and create one fresh, clean System Restore Point.

------------------------------------------------------

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

You can delete those items from Avira's quarantine.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > https://windows.microsoft.com/en-us/w...ce-packs?os=xp

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles. To help protect your computer in the future, I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
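The System Restore flush described in the steps above, written as a PowerShell script so the same cleanup can be done and verified from an elevated prompt. This is an added example, not part of chemist's instructions; it assumes an elevated Windows PowerShell session on Windows 7 or later and uses only built-in cmdlets (the registry value it sets and the restore point description are the only values not taken from the thread).

```powershell
# Added example: scripted equivalent of "Turn off system protection", turn it
# back on, then create one fresh restore point. Run from an elevated Windows
# PowerShell (not PowerShell Core); the *-ComputerRestore cmdlets are Windows-only.

$drive = "$env:SystemDrive\"   # normally C:\

# Disabling System Protection on a drive discards every restore point on it,
# including any that captured the machine while it was still infected.
Disable-ComputerRestore -Drive $drive

# Re-enable protection so a clean restore point can be taken.
Enable-ComputerRestore -Drive $drive

# Caveat: Windows 8 and later skip a new checkpoint if one was created in the
# last 24 hours unless this value is 0. Assumed path/value name; harmless on Win7.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord

# Description text is constructed for this example.
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS

# Verify: after the flush, only the newly created point should remain.
$points = @(Get-ComputerRestorePoint)
if ($points.Count -ne 1) {
    Write-Warning "Expected exactly one restore point, found $($points.Count)"
}
$points | Format-Table SequenceNumber, Description,
    @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize
```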