
Author Topic: once badly infected-not sure what now  (Read 17926 times)


bouncier

    Topic Starter


    Rookie

    once badly infected-not sure what now
    « on: July 29, 2010, 07:59:21 AM »
    Hi, I have Windows XP SP3. I have IE8 and was using MSN to connect to the internet through dial-up. I then changed to Juno.
    I believe this is when I started having problems like
    "This program cannot display the webpage" and,
    when trying to go to msinfo32, I get "not a valid Win32 application."

    First malicious infection approx. 1 year ago, then 2 months,
    then a week ago. I immediately activated the Malicious
    Software Removal Tool from Microsoft and had Microsoft
    Security Essentials in place. I removed 136 infections.
    I have continued removing for the past week until I found you.
    I have several programs blocked through Online Armor; how can
    I know if it is OK to let them back in?

    I read the page "Before removing malware" by evil fantasy,
    and here I am. I don't know if I am still infected, but when
    I try to go to certain sites as stated above, I get the "This
    program cannot display the webpage", and when I try to open
    msinfo32.

    Code:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/28/2010 at 01:14 AM

    Application Version : 4.41.1000

    Core Rules Database Version : 5278
    Trace Rules Database Version: 3090

    Scan type       : Complete Scan
    Total Scan Time : 00:35:14

    Memory items scanned      : 417
    Memory threats detected   : 0
    Registry items scanned    : 5108
    Registry threats detected : 0
    File items scanned        : 60018
    File threats detected     : 3

    Adware.Tracking Cookie
    C:\Documents and Settings\bouncier\Cookies\bouncier@tribalfusion[2].txt
    C:\Documents and Settings\bouncier\Cookies\bouncier@liveperson[1].txt
    C:\Documents and Settings\bouncier\Cookies\bouncier@doubleclick[1].txt

    Code:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4365

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/29/2010 6:12:51 AM
    mbam-log-2010-07-29 (06-12-51).txt

    Scan type: Quick scan
    Objects scanned: 129822
    Time elapsed: 4 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Code:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:03:59 AM, on 7/29/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Emsisoft\Online Armor\oasrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Emsisoft\Online Armor\oaui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Juno\exec.exe
    C:\Program Files\Emsisoft\Online Armor\OAhlp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\SUPERAntiSpyware\4b651a78-21c2-4dec-bf0c-e953de5e0cc5.com
    C:\Program Files\Juno\exec.exe
    C:\Program Files\Juno\qsacc\x1exec.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\sniper.exe\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.juno.com/search?action=minisearch&source=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.juno.com/search?action=minisearch&source=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.juno.com/search?action=minisearch&source=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;cf.netzero.net;qs.netzero.net;*.quicken.com;feed.untd.com;*.pogo.com;<local>
    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O2 - BHO: Juno Toolbar Helper - {FE3098B1-04A3-41fd-8CA9-BEA39CB14C87} - C:\Program Files\Juno\ucreg.dll
    O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] E:\registry\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: *.download.com
    O15 - Trusted Zone: http://www.softpedia.com
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E8831E24-1AC2-4246-A40F-A353DC4B410C}: NameServer = 64.136.52.73 64.136.44.73
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\oasrv.exe

    --
    End of file - 7873 bytes
    These are the infections that remain quarantined and/or disinfected/removed from this last week.

    Code:
    Virus:HTML/Allaple.A
    BrowserModifier:Win32/Zwangi
    Exploit:Java/CVE-2008-5353.GG
    Exploit:Java/CVE-2009-3867.DT
    Exploit:Java/CVE-2009-3867.CJ
    Exploit:Java/CVE-2008-5353.AJ
    Exploit:Java/CVE-2008-5353.BO
    Exploit:Java/CVE-2009-3867.DP
    Exploit:Java/CVE-2009-3867.BX
    Exploit:Java/CVE-2009-3867.DN
    TrojanDownloader:Java/OpenConnection.AK
    Exploit:Win32/Pdfjsc.FU
    Trojan:Win32/Rundis.gen!A
    TrojanDownloader:Win32/Abgade.A
    TrojanDownloader:Win32/Cutwail.BC
    TrojanDownloader:Win32/Cutwail.BA
    Virus:Win32/Virut.BN
    Virus:Win32/Virut.BM
    TrojanClicker:Win32/Refpron.A
    Backdoor:Win32/Refpron.I
    Trojan:Win32/Puzlice.A
    Exploit:HTML/IframeRef.gen
    PWS:Win32/Frethog.MK
    Trojan:Win32/Comame
    TrojanDownloader:Java/OpenConnection.AK
    Worm:Win32/Allaple.A
    TrojanDropper:Win32/small.NM

    « Last Edit: August 03, 2010, 06:12:39 PM by SuperDave »

    SuperDave

    • Malware Removal Specialist
    • Moderator


    Re: once badly infected-not sure what now
    « Reply #1 on: July 29, 2010, 06:43:02 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    ====================================

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;cf.netzero.net;qs.netzero.net;*.quicken.com;feed.untd.com;*.pogo.com;<local>
    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge, as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please place a check mark in front of these two lines.

    O15 - Trusted Zone: *.download.com
    O15 - Trusted Zone: http://www.softpedia.com


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ===================================

    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    Alternate link: Forospyware.com

    Rename ComboFix.exe to commy.exe before you save it to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
    • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.
    « Last Edit: August 03, 2010, 06:18:35 PM by SuperDave »
    Windows 8 and Windows 10 dual boot with two SSD's
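
As an added example (not code from the thread or from HijackThis itself), here is a small Python triage script that applies the rules Dave used above to lines in the HijackThis log format: a ProxyServer value pointing the browser at the loopback address, O15 Trusted Zone entries, and registry entries whose target is "(no file)". The sample lines are constructed in the layout of the posted log, and the names `triage_log`, `triage_line`, `parse_proxy_server` and `Finding` are my own choices.

```python
"""Defender-side triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0.4 log layout, mirroring the kinds of entries
# flagged in the thread (loopback proxy, dangling URLSearchHook, Trusted Zone sites)
# plus two benign entries that must NOT be flagged.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;localhost;*microsoft.com;<local>
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: http://www.softpedia.com
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "R1" or "O15"
    reason: str    # why a reviewer should look at this entry
    line: str      # the original log line


# Every HijackThis entry starts with "<section> - <rest>".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")

# One element of a WinINet ProxyServer value: optional "scheme=" then host:port.
# Several elements may be joined with ";" (e.g. "http=host:80;https=host:443").
HOSTPORT_RE = re.compile(r"(?:(?P<scheme>\w+)=)?(?P<host>[^:;=\s]+):(?P<port>\d+)")

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_proxy_server(value):
    """Split a ProxyServer value into (scheme, host, port) tuples; '*' means all schemes."""
    out = []
    for part in value.split(";"):
        m = HOSTPORT_RE.fullmatch(part.strip())
        if m:
            out.append((m.group("scheme") or "*", m.group("host"), int(m.group("port"))))
    return out


def triage_line(line):
    """Return a Finding for a line that matches one of the triage rules, else None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")

    # Rule 1: the browser is being routed through a proxy on the local machine.
    # Legitimate software rarely does this on a home PC; malware does it to
    # intercept or redirect traffic, and once the listener is gone the browser
    # can no longer reach anything.
    if "ProxyServer = " in rest:
        value = rest.split("ProxyServer = ", 1)[1]
        for scheme, host, port in parse_proxy_server(value):
            if host in LOOPBACK_HOSTS:
                return Finding(sec, f"browser proxied through loopback {host}:{port} ({scheme})", line)

    # Rule 2: anything in the IE Trusted Zone runs with the lowest security settings.
    if sec == "O15" and rest.startswith("Trusted Zone:"):
        return Finding(sec, "site placed in IE Trusted Zone (lowest security)", line)

    # Rule 3: a registry hook whose target file is missing is a leftover worth removing.
    if rest.endswith("(no file)"):
        return Finding(sec, "registry entry points at a file that no longer exists", line)

    return None


def triage_log(text):
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The rules deliberately stay close to what a human helper checks; they are a first pass for review, not a verdict on the machine.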

    bouncier

      Topic Starter


      Rookie

      Re: once badly infected-not sure what now
      « Reply #2 on: July 30, 2010, 11:39:21 PM »
      Dave, I sent a PM to you because I could not see the Reply at the bottom of this post... OK, went to Major Geeks to download the messenger removal. A popup stated that the application configuration was incorrect and that reinstalling the application might solve the problem? I tried 5 or 8 times but to no avail. So I stand as you left me...

      SuperDave

      • Malware Removal Specialist
      • Moderator


      Re: once badly infected-not sure what now
      « Reply #3 on: July 31, 2010, 05:18:53 PM »
      Just skip the Windows Messenger part and continue with the rest, please.
      Windows 8 and Windows 10 dual boot with two SSD's

      bouncier

        Topic Starter


        Rookie

        Re: once badly infected-not sure what now
        « Reply #4 on: August 02, 2010, 12:41:10 PM »
        Ok, I am attempting to send commy log here:

        ComboFix 10-07-30.02 - bouncier 07/31/2010   2:44.1.1 - x86
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1919.1426 [GMT -6:00]
        Running from: c:\documents and settings\bouncier\desktop\commy.exe
        Command switches used :: /stepdel
        AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
        FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\documents and settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
        c:\windows\system32\87ghd.log
        c:\windows\system32\b55v0.log
        c:\windows\system32\dfttuyo.txt
        c:\windows\system32\Install.txt
        D:\install.exe

        .
        (((((((((((((((((((((((((   Files Created from 2010-06-28 to 2010-07-31  )))))))))))))))))))))))))))))))
        .

        2010-07-29 14:38 . 2010-07-29 14:38   --------   d-----w-   c:\program files\Novel Games
        2010-07-29 12:59 . 2010-07-29 12:59   388096   ----a-r-   c:\documents and settings\bouncier\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2010-07-29 12:59 . 2010-07-29 13:02   --------   d-----w-   c:\program files\Trend Micro
        2010-07-29 11:49 . 2010-07-29 11:49   --------   d-----w-   c:\documents and settings\bouncier\Application Data\Malwarebytes
        2010-07-29 11:49 . 2010-04-29 21:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-07-29 11:49 . 2010-07-29 11:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-07-29 11:49 . 2010-04-29 21:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-07-29 11:49 . 2010-07-29 11:49   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-07-28 05:50 . 2010-07-28 06:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
        2010-07-28 05:50 . 2010-07-28 05:50   --------   d-----w-   c:\program files\CCleaner
        2010-07-28 04:48 . 2010-07-29 14:18   --------   d-----w-   c:\documents and settings\bouncier\Application Data\OnlineArmor
        2010-07-28 04:48 . 2010-07-28 05:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
        2010-07-28 04:48 . 2010-07-07 18:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
        2010-07-28 04:48 . 2010-07-07 18:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
        2010-07-28 04:48 . 2010-07-07 18:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
        2010-07-28 04:48 . 2010-07-28 04:48   --------   d-----w-   c:\program files\Emsisoft
        2010-07-28 00:15 . 2010-07-28 00:15   --------   d-----w-   c:\program files\WON
        2010-07-27 14:01 . 2010-07-27 14:01   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
        2010-07-27 07:45 . 2010-07-27 07:45   --------   d-----w-   c:\documents and settings\bouncier\Local Settings\Application Data\Help
        2010-07-27 02:05 . 2010-07-27 02:15   --------   d-----w-   c:\program files\Exterminate It!
        2010-07-26 20:27 . 2010-07-26 20:27   --------   d-----w-   c:\documents and settings\bouncier\Application Data\Uniblue
        2010-07-26 18:42 . 2010-07-26 18:43   --------   dc-h--w-   c:\windows\ie8
        2010-07-26 05:19 . 2010-07-26 05:19   --------   d-----w-   c:\program files\ESET
        2010-07-25 23:34 . 2010-07-25 23:34   --------   d-----w-   c:\program files\ACW
        2010-07-25 21:08 . 2010-06-02 10:55   74072   ----a-w-   c:\windows\system32\XAPOFX1_5.dll
        2010-07-25 21:08 . 2010-06-02 10:55   527192   ----a-w-   c:\windows\system32\XAudio2_7.dll
        2010-07-25 21:08 . 2010-06-02 10:55   239960   ----a-w-   c:\windows\system32\xactengine3_7.dll
        2010-07-25 21:08 . 2010-05-26 17:41   248672   ----a-w-   c:\windows\system32\d3dx11_43.dll
        2010-07-25 21:08 . 2010-05-26 17:41   2106216   ----a-w-   c:\windows\system32\D3DCompiler_43.dll
        2010-07-25 21:08 . 2010-05-26 17:41   1868128   ----a-w-   c:\windows\system32\d3dcsx_43.dll
        2010-07-25 21:08 . 2010-05-26 17:41   470880   ----a-w-   c:\windows\system32\d3dx10_43.dll
        2010-07-25 21:08 . 2010-05-26 17:41   1998168   ----a-w-   c:\windows\system32\D3DX9_43.dll
        2010-07-25 20:20 . 2010-07-25 20:20   --------   d-----w-   c:\documents and settings\bouncier\Local Settings\Application Data\FixItCenter
        2010-07-25 20:02 . 2010-07-25 20:02   --------   d-----w-   c:\windows\MATS
        2010-07-25 20:02 . 2010-07-25 20:02   --------   d-----w-   c:\program files\Microsoft Fix it Center
        2010-07-25 07:32 . 2010-07-25 07:34   --------   d-----w-   c:\windows\system32\NtmsData
        2010-07-25 05:22 . 2010-07-25 14:24   --------   d-----w-   c:\program files\Free Window Registry Repair
        2010-07-25 02:01 . 2010-07-25 19:08   --------   d-----w-   c:\documents and settings\bouncier\Application Data\ElevatedDiagnostics
        2010-07-25 00:48 . 2010-07-25 00:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
        2010-07-24 10:21 . 2010-07-28 06:34   63488   ----a-w-   c:\documents and settings\bouncier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
        2010-07-24 10:21 . 2010-07-24 10:21   52224   ----a-w-   c:\documents and settings\bouncier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-07-24 10:21 . 2010-07-28 06:34   117760   ----a-w-   c:\documents and settings\bouncier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-07-24 10:05 . 2010-07-24 10:05   --------   d-----w-   c:\documents and settings\bouncier\Application Data\SUPERAntiSpyware.com
        2010-07-24 10:05 . 2010-07-24 10:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-07-24 10:05 . 2010-07-31 06:43   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-07-24 05:00 . 2010-07-24 05:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\RegCure
        2010-07-24 05:00 . 2010-07-24 05:01   --------   d-----w-   c:\program files\RegCure
        2010-07-24 04:31 . 2010-07-24 04:31   --------   d-----w-   c:\program files\Common Files\Java
        2010-07-24 03:07 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
        2010-07-24 02:53 . 2010-07-24 02:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\Juno
        2010-07-24 02:34 . 2006-08-11 20:41   225280   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\0000167A6773D0BF\0DE4F643-C398-46ec-9339-2362F2311932\Exec\U3Action.exe
        2010-07-24 02:34 . 2006-05-26 07:53   19456   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\0000167A6773D0BF\0DE4F643-C398-46ec-9339-2362F2311932\Exec\skypeshutdown.exe
        2010-07-24 02:34 . 2006-08-16 22:51   19647528   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\0000167A6773D0BF\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe
        2010-07-24 02:34 . 2005-09-27 20:57   24064   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\0000167A6773D0BF\0DE4F643-C398-46ec-9339-2362F2311932\Exec\hostClnUpNoOp.exe
        2010-07-24 02:32 . 2007-10-23 15:27   110592   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\temp\cleanup.exe
        2010-07-24 02:27 . 2008-05-02 16:41   3493888   ---ha-w-   c:\documents and settings\bouncier\Application Data\U3\temp\Launchpad Removal.exe
        2010-07-24 02:10 . 2010-07-25 04:27   --------   d-----w-   c:\program files\Cleopatras Palace
        2010-07-24 02:09 . 2010-07-24 02:10   --------   d-----w-   c:\program files\Bonjour
        2010-07-24 02:08 . 2010-07-24 02:08   --------   d-----w-   c:\program files\iTunes
        2010-07-24 02:08 . 2010-07-24 02:08   --------   d-----w-   c:\program files\iPod
        2010-07-23 20:14 . 2010-07-24 02:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Juno(2)
        2010-07-23 00:23 . 2010-07-24 02:07   --------   d-----w-   c:\program files\TropicaCasino
        2010-07-22 22:44 . 2010-07-24 02:07   --------   d-----w-   c:\program files\Slots Jungle Casino
        2010-07-20 18:49 . 2010-07-24 02:08   --------   d-----w-   c:\program files\iPod(2)
        2010-07-20 18:49 . 2010-07-24 02:08   --------   d-----w-   c:\program files\iTunes(2)
        2010-07-20 18:47 . 2010-07-24 02:08   --------   d-----w-   c:\program files\Bonjour(2)
        2010-07-20 07:14 . 2010-07-24 02:08   --------   d-----w-   c:\documents and settings\bouncier\Application Data\CasinoStates
        2010-07-20 07:14 . 2010-07-24 02:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\CasinoStates
        2010-07-19 23:38 . 2010-07-24 02:53   --------   d-----w-   c:\program files\Juno
        2010-07-19 23:38 . 2010-07-24 02:53   --------   d-----w-   C:\JunoInstaller
        2010-07-19 19:54 . 2010-07-19 20:11   109976   ----a-w-   c:\windows\hpoins08.dat
        2010-07-19 19:54 . 2006-01-24 07:11   7577   ------w-   c:\windows\hpomdl08.dat
        2010-07-19 11:39 . 2010-07-19 11:39   --------   d-----w-   c:\documents and settings\bouncier2\Local Settings\Application Data\PCHealth
        2010-07-19 10:04 . 2010-07-19 10:04   --------   d-----w-   c:\documents and settings\bouncier2\Local Settings\Application Data\Apple Computer
        2010-07-19 10:04 . 2010-07-19 10:04   20456   ----a-w-   c:\documents and settings\bouncier2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2010-07-19 10:03 . 2010-07-19 10:03   --------   d-----w-   c:\documents and settings\bouncier2\IETldCache
        2010-07-19 10:03 . 2010-07-24 02:09   --------   d-----w-   c:\documents and settings\bouncier2\Local Settings\Application Data\Microsoft
        2010-07-19 10:03 . 2010-07-24 02:09   --------   d-s---w-   c:\documents and settings\bouncier2
        2010-07-18 20:36 . 2010-07-24 02:10   --------   d-----w-   c:\program files\Cleopatras Palace(2)
        2010-07-18 06:11 . 2010-07-24 02:35   --------   d-----w-   c:\program files\NetZeroInstaller
        2010-07-18 06:04 . 2010-07-24 10:59   --------   d-----w-   c:\documents and settings\bouncier\Application Data\U3
        2010-07-17 21:34 . 2010-07-18 06:29   86   ---h--w-   c:\windows\popcreg.dat
        2010-07-17 21:34 . 2010-07-18 06:29   32   ----a-w-   c:\windows\popcinfot.dat
        2010-07-17 20:24 . 2010-07-17 20:24   --------   d-----w-   c:\program files\PopCap Games
        2010-07-13 17:40 . 2010-07-24 02:12   --------   d-----w-   c:\program files\RTF Convertor
        2010-07-13 14:23 . 2010-07-25 13:59   --------   d-----w-   c:\documents and settings\bouncier\Application Data\GlarySoft
        2010-07-13 14:23 . 2010-07-25 13:59   --------   d-----w-   c:\program files\Glary Registry Repair
        2010-07-13 01:25 . 2010-07-24 02:12   --------   d-----w-   c:\program files\AZ RTF to PDF Converter
        2010-07-08 22:53 . 2006-02-28 12:00   1677824   -c--a-w-   c:\windows\system32\dllcache\chsbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   1677824   ----a-w-   c:\windows\system32\chsbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   838144   -c--a-w-   c:\windows\system32\dllcache\chtbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   838144   ----a-w-   c:\windows\system32\chtbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   70656   -c--a-w-   c:\windows\system32\dllcache\korwbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   70656   ----a-w-   c:\windows\system32\korwbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   98304   -c--a-w-   c:\windows\system32\dllcache\msir3jp.dll
        2010-07-08 22:53 . 2006-02-28 12:00   98304   ----a-w-   c:\windows\system32\msir3jp.dll
        2010-07-08 22:51 . 2006-02-28 12:00   57398   -c--a-w-   c:\windows\system32\dllcache\imjpdadm.exe
        2010-07-08 22:51 . 2006-02-28 12:00   45109   -c--a-w-   c:\windows\system32\dllcache\imjpuex.exe
        2010-07-08 22:50 . 2006-02-28 12:00   6656   -c--a-w-   c:\windows\system32\dllcache\c_is2022.dll
        2010-07-08 22:50 . 2006-02-28 12:00   6656   ----a-w-   c:\windows\system32\c_is2022.dll
        2010-07-08 22:49 . 2001-08-18 04:36   8704   -c--a-w-   c:\windows\system32\dllcache\kbdjpn.dll
        2010-07-08 22:49 . 2001-08-18 04:36   8704   ----a-w-   c:\windows\system32\kbdjpn.dll
        2010-07-08 22:49 . 2001-08-18 04:36   8192   -c--a-w-   c:\windows\system32\dllcache\kbdkor.dll
        2010-07-08 22:49 . 2001-08-18 04:36   8192   ----a-w-   c:\windows\system32\kbdkor.dll
        2010-07-08 22:49 . 2001-08-17 20:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101c.dll
        2010-07-08 22:49 . 2001-08-17 20:55   6144   ----a-w-   c:\windows\system32\kbd101c.dll
        2010-07-08 22:49 . 2001-08-17 20:55   5632   -c--a-w-   c:\windows\system32\dllcache\kbd103.dll
        2010-07-08 22:49 . 2001-08-17 20:55   5632   ----a-w-   c:\windows\system32\kbd103.dll
        2010-07-08 22:49 . 2001-08-17 20:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101b.dll
        2010-07-08 22:49 . 2001-08-17 20:55   6144   ----a-w-   c:\windows\system32\kbd101b.dll
        2010-07-08 22:49 . 2008-04-14 00:09   6144   -c--a-w-   c:\windows\system32\dllcache\kbd106.dll
        2010-07-08 22:49 . 2008-04-14 00:09   6144   ----a-w-   c:\windows\system32\kbd106.dll
        2010-07-08 00:08 . 2010-07-25 04:27   --------   d-----w-   c:\program files\VIP Lounge
        2010-07-07 07:28 . 2010-07-27 02:49   --------   d-----w-   c:\documents and settings\bouncier\Application Data\Apple Computer
        2010-07-07 07:28 . 2009-05-18 19:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
        2010-07-07 07:28 . 2008-04-17 18:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
        2010-07-07 07:27 . 2010-07-07 07:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
        2010-07-07 07:26 . 2010-07-18 16:52   --------   d-----w-   c:\program files\QuickTime
        2010-07-07 07:26 . 2010-07-24 02:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
        2010-07-07 07:26 . 2010-07-07 07:26   --------   d-----w-   c:\documents and settings\bouncier\Local Settings\Application Data\Apple
        2010-07-07 07:26 . 2010-07-07 07:26   --------   d-----w-   c:\program files\Apple Software Update
        2010-07-07 07:26 . 2010-07-28 05:24   --------   dc----w-   c:\windows\system32\DRVSTORE
        2010-07-07 07:25 . 2010-07-24 02:08   --------   d-----w-   c:\program files\Common Files\Apple
        2010-07-07 07:25 . 2010-07-07 07:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
        2010-07-07 07:21 . 2010-07-07 07:28   --------   d-----w-   c:\documents and settings\bouncier\Local Settings\Application Data\Apple Computer

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-07-30 13:30 . 2010-07-29 18:48   --------   d-----w-   c:\program files\Common Files\Real
        2010-07-30 13:30 . 2010-07-29 18:48   --------   d-----w-   c:\program files\Real
        2010-07-30 13:30 . 2010-07-30 13:30   --------   d-----w-   c:\documents and settings\bouncier\Application Data\7Spins
        2010-07-30 13:30 . 2010-07-30 13:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\7Spins
        2010-07-30 13:30 . 2010-07-30 13:30   --------   d-----w-   c:\program files\7Spins
        2010-07-30 13:30 . 2010-07-29 21:35   --------   d-----w-   c:\program files\Mozilla Firefox(2)
        2010-07-29 21:36 . 2010-07-29 21:36   0   ----a-w-   c:\windows\nsreg.dat
        2010-07-28 05:50 . 2010-06-22 17:34   --------   d-----w-   c:\program files\Yahoo!
        2010-07-25 22:49 . 2010-03-27 07:00   --------   d--h--w-   c:\program files\InstallShield Installation Information
        2010-07-25 22:34 . 2010-03-27 06:58   --------   d-----w-   c:\program files\Common Files\InstallShield
        2010-07-25 13:34 . 2010-04-04 08:17   --------   d-----w-   c:\program files\Ask.com
        2010-07-25 04:27 . 2010-07-01 05:57   --------   d-----w-   c:\program files\WinPalace
        2010-07-24 04:31 . 2010-04-20 05:49   --------   d-----w-   c:\program files\Java
        2010-07-24 02:17 . 2010-04-04 00:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\SpeedBit
        2010-07-19 12:14 . 2010-03-27 06:20   76487   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
        2010-07-18 23:35 . 2010-04-05 21:19   --------   d-----w-   c:\program files\Eusing Free Registry Cleaner
        2010-07-18 23:06 . 2010-04-29 09:53   --------   d-----w-   c:\program files\Vegascasino21
        2010-07-18 22:53 . 2010-03-27 20:10   --------   d-----w-   c:\program files\Atlantis
        2010-07-18 18:42 . 2010-03-27 07:22   --------   d-----w-   c:\documents and settings\bouncier\Application Data\ATI
        2010-07-18 04:45 . 2010-04-05 16:07   83   ----a-w-   c:\windows\popcinfo.dat
        2010-07-09 20:29 . 2010-03-27 07:23   20456   ----a-w-   c:\documents and settings\bouncier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2010-07-06 00:09 . 2010-06-06 00:02   --------   d-----w-   c:\documents and settings\bouncier\Application Data\HpUpdate
        2010-06-29 02:18 . 2010-03-27 20:21   --------   d-----w-   c:\program files\Microsoft Security Essentials
        2010-06-23 02:31 . 2010-06-22 17:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
        2010-06-22 17:34 . 2010-06-22 17:34   --------   d-----w-   c:\documents and settings\bouncier\Application Data\Yahoo!
        2010-06-22 10:36 . 2010-04-20 05:50   423656   ----a-w-   c:\windows\system32\deployJava1.dll
        2010-06-20 17:58 . 2010-06-19 02:08   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-06-19 02:08 . 2010-06-19 02:08   --------   d-----w-   c:\program files\Microsoft SQL Server
        2010-06-18 23:36 . 2010-06-18 23:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
        2010-06-18 23:36 . 2010-06-18 23:36   193824   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
        2010-06-18 23:35 . 2010-06-18 23:35   416   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
        2010-06-18 23:34 . 2010-06-18 23:32   --------   d-----w-   c:\program files\Microsoft Visual Studio 9.0
        2010-06-18 23:32 . 2010-06-18 23:32   --------   d-----w-   c:\program files\Microsoft.NET
        2010-06-18 23:32 . 2010-06-18 23:32   --------   d-----w-   c:\program files\Microsoft SDKs
        2010-06-16 02:01 . 2010-06-16 02:01   72504   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
        2010-06-14 14:31 . 2010-03-27 06:18   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
        2010-06-09 04:21 . 2010-06-09 04:21   --------   d-----w-   c:\program files\Common Files\Software Update Utility
        2010-06-09 04:16 . 2010-06-09 04:15   --------   d-----w-   c:\documents and settings\bouncier\Application Data\acccore
        2010-06-09 04:14 . 2010-06-09 04:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\AIM
        2010-06-09 04:14 . 2010-06-09 04:14   --------   d-----w-   c:\program files\AIM
        2010-06-09 04:14 . 2010-06-09 04:13   --------   d-----w-   c:\program files\Common Files\AOL
        2010-06-01 17:37 . 2010-03-28 09:00   221568   ------w-   c:\windows\system32\MpSigStub.exe
        2010-05-27 01:52 . 2010-05-27 01:52   503808   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70f5cbff-n\msvcp71.dll
        2010-05-27 01:52 . 2010-05-27 01:52   499712   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70f5cbff-n\jmc.dll
        2010-05-27 01:52 . 2010-05-27 01:52   348160   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70f5cbff-n\msvcr71.dll
        2010-05-27 01:48 . 2010-05-27 01:48   61440   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-66666ea4-n\decora-sse.dll
        2010-05-27 01:48 . 2010-05-27 01:48   12800   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-66666ea4-n\decora-d3d.dll
        2010-05-19 10:26 . 2010-05-19 10:26   32608   ----a-w-   c:\windows\king-uninstall.exe
        2010-05-18 22:35 . 2010-05-18 22:35   91424   ----a-w-   c:\windows\system32\dnssd.dll
        2010-05-18 22:35 . 2010-05-18 22:35   75040   ----a-w-   c:\windows\system32\jdns_sd.dll
        2010-05-18 22:35 . 2010-05-18 22:35   197920   ----a-w-   c:\windows\system32\dnssdX.dll
        2010-05-18 22:35 . 2010-05-18 22:35   107808   ----a-w-   c:\windows\system32\dns-sd.exe
        2010-05-06 10:41 . 2006-02-28 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
        2010-05-06 10:41 . 2006-02-28 12:00   916480   ----a-w-   c:\windows\system32\wininet(2)(2).dll
        2010-05-06 10:41 . 2006-02-28 12:00   1209344   ----a-w-   c:\windows\system32\urlmon(2)(2).dll
        2010-05-06 10:41 . 2009-03-08 10:32   1985536   ----a-w-   c:\windows\system32\iertutil(2)(2).dll
        2010-05-06 10:41 . 2009-03-08 10:39   11076096   ----a-w-   c:\windows\system32\ieframe(2)(2).dll
        2010-05-06 02:02 . 2010-04-29 09:59   77824   ----a-w-   c:\documents and settings\bouncier\Application Data\Vegascasino21\download\update.exe
        2010-05-06 02:02 . 2010-04-29 09:59   77824   ----a-w-   c:\documents and settings\All Users\Application Data\Vegascasino21\download\update.exe
        .

        ------- Sigcheck -------

        [7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
        [7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\ctfmon.exe
        [-] 2008-04-14 . 81A23C9F7FA7D6B9D927ED6E78A57878 . 15872 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
        [7] 2006-02-28 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 0]
        "Juno_uoltray"="c:\program files\Juno\exec.exe" [2009-10-05 1779712]
        "Uniblue RegistryBooster 2"="e:\registry\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 1923352]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16129536]
        "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
        "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 123648]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
        "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        "RunNarrator"="Narrator.exe" [2008-04-14 53760]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "c:\\Program Files\\AIM\\aim.exe"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=
        "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\WINDOWS\\system32\\sessmgr.exe"=
        "c:\\Documents and Settings\\bouncier\\Application Data\\U3\\0000167A6773D0BF\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=

        R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [7/27/2010 10:48 PM 236104]
        R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [7/27/2010 10:48 PM 22600]
        R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [7/27/2010 10:48 PM 28232]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
        R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [7/27/2010 10:48 PM 1283400]
        R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [7/27/2010 10:48 PM 3364680]
        S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
        S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 5:05 PM 266544]
        S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [3/26/2010 5:02 PM 9344]
        S3 SetupNTGLM7X;SetupNTGLM7X;F:\NTGLM7X.SYS [6/23/2006 3:02 AM 28160]
        .
        Contents of the 'Scheduled Tasks' folder

        2010-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

        2010-07-31 c:\windows\Tasks\ConfigExec.job
        - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 23:05]

        2010-07-31 c:\windows\Tasks\DataUpload.job
        - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 23:05]

        2010-07-30 c:\windows\Tasks\RegCure Program Check.job
        - c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

        2010-07-29 c:\windows\Tasks\RegCure.job
        - c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

        2010-07-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
        - c:\program files\Ask.com\UpdateTask.exe [2009-11-19 22:50]
        .
        .
        ------- Supplementary Scan -------
        .
        uInternet Settings,ProxyOverride = searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;cf.netzero.net;qs.netzero.net;*.quicken.com;*.pogo.com;<local>
        uSearchURL,(Default) = hxxp://search.juno.com/search?action=minisearch&source=minisearch
        Trusted Zone: superslots.com
        TCP: {E8831E24-1AC2-4246-A40F-A353DC4B410C} = 64.136.52.73 64.136.44.73
        .
        - - - - ORPHANS REMOVED - - - -

        Toolbar-Locked - (no file)
        WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
        ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-07-31 02:50
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
        @Denied: (A 2) (Everyone)
        @="FlashBroker"
        "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
        "Enabled"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
        @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
        @Denied: (A 2) (Everyone)
        @="IFlashBroker4"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
        @="{00020424-0000-0000-C000-000000000046}"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
        "Version"="1.0"
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(448)
        c:\program files\SUPERAntiSpyware\SASWINLO.DLL
        c:\windows\system32\WININET.dll
        c:\windows\system32\Ati2evxx.dll
        .
        Completion time: 2010-07-31  02:53:52
        ComboFix-quarantined-files.txt  2010-07-31 08:53

        Pre-Run: 189,944,442,880 bytes free
        Post-Run: 190,072,213,504 bytes free

        WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

        - - End Of File - - 29FD7BB82A2F041D1E0C216343CA3B48
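The Sigcheck block in the log above lists four copies of ctfmon.exe, and the copy in system32 is tagged [-] with a different MD5 and a different size from the ServicePackFiles copy of the same version. As an added example that is not part of the original thread, here is a small Python triage script that parses those Sigcheck lines and flags any copy that differs from the same-version ServicePackFiles copy; treating that copy as the trusted baseline is an assumption of the example, not something the log states.

```python
import re
from collections import defaultdict

# Sigcheck lines copied verbatim from the ComboFix log posted in this thread.
SIGCHECK_LOG = r"""
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\ctfmon.exe
[-] 2008-04-14 . 81A23C9F7FA7D6B9D927ED6E78A57878 . 15872 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[7] 2006-02-28 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
"""

# One Sigcheck line has the shape:  [tag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["basename"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def is_reference_copy(entry):
    # Assumption of this example: the ServicePackFiles copy is the trusted baseline.
    return "\\servicepackfiles\\" in entry["path"].lower()


def triage(entries):
    """Flag copies whose MD5 or size differs from the baseline copy of the SAME
    file version (a different version is expected to hash differently), plus any
    entry whose tag is not a digit."""
    findings = []
    groups = defaultdict(list)
    for e in entries:
        groups[(e["basename"], e["version"])].append(e)
    for (name, version), group in groups.items():
        refs = [e for e in group if is_reference_copy(e)]
        ref = refs[0] if refs else None
        for e in group:
            reasons = []
            if not e["tag"].isdigit():
                reasons.append("tag [%s]" % e["tag"])
            if ref is not None and e is not ref:
                if e["md5"] != ref["md5"]:
                    reasons.append("md5 differs from %s" % ref["path"])
                if e["size"] != ref["size"]:
                    reasons.append("size %d vs %d" % (e["size"], ref["size"]))
            if reasons:
                findings.append({"path": e["path"], "version": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_sigcheck(SIGCHECK_LOG)):
        print(f["path"], f["version"], "; ".join(f["reasons"]))
```

Run on the log above it reports only the system32 copy; the $NtServicePackUninstall$ copy is not flagged because it is a different file version.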

        SuperDave

        Re: once badly infected-not sure what now
        « Reply #5 on: August 02, 2010, 01:30:15 PM »
        Registry cleaners (Free Window Registry Repair, RegCure, Eusing Free Registry Cleaner, Uniblue RegistryBooster and Glary Registry Repair) are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.

        There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

        For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

        Further reading: XP Fixes Myth #1: Registry Cleaners
        If you agree, you should uninstall them.

        =============================

        I strongly recommend that you remove Ask from your computer because it:

        • Promotes its toolbars on sites targeted to kids.

        • Promotes its toolbars through ads that appear to be part of other companies' sites.

        • Promotes its toolbars through other companies' spyware.

        • Installs without any disclosure whatsoever and without any consent whatsoever.

        • Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

        • Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

        See Here for more info.

        If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

        AskBarDis or anything related to Ask

        Then please find and delete this folder in bold (if present):
        C:\Program Files\AskBarDis or anything related to Ask.
        =====================================

        Re-running ComboFix to remove infections:

        • Close any open browsers.
        • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
        • Open notepad and copy/paste the text in the quotebox below into it:
          Quote
          KillAll::

          DDS::
          Trusted Zone: superslots.com

        • Save this as CFScript.txt, in the same location as ComboFix.exe



        • Referring to the picture above, drag CFScript into ComboFix.exe
        • When finished, it shall produce a log for you at C:\ComboFix.txt
        • I do not need to see the log from this script.
        =====================================

        * Download the following tool: RootRepeal - Rootkit Detector
        * Direct download link is here: RootRepeal.zip

        * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
        * Click this link to see a list of such programs and how to disable them.

        * Extract the program file to a new folder such as C:\RootRepeal
        * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
        * Select ALL of the checkboxes and then click OK and it will start scanning your system.
        * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
        * When done, click on Save Report
        * Save it to the same location where you ran it from, such as C:\RootRepeal
        * Save it as rootrepeal.txt
        * Then open that log and select all and copy/paste it back on your next reply please.
        * Close RootRepeal.

        Windows 8 and Windows 10 dual boot with two SSD's

        bouncier

          Re: once badly infected-not sure what now
          « Reply #6 on: August 02, 2010, 10:11:12 PM »
          Dave, I ran combofix again as suggested.  It stated that the Recovery system was not installed but ...  I ran this Friday evening and everything was good.  Nonetheless, I went ahead and instructed it to download or update.  I became frozen while internet explorer was trying to install, update or???  I managed to run a new task from the manager and get past that.

          The problem??  I am having the same message appear at the end of download as it did with messenger.  The application configuration is incorrect...???

          bouncier

            Re: once badly infected-not sure what now
            « Reply #7 on: August 03, 2010, 11:14:23 AM »

            Apparently the error mentioned above, with downloading applications, is a VB C++ problem related to mscrvt files.  I have been researching that issue to see if I can resolve it.  Any input you may have would be greatly appreciated.  Anybody.

            SuperDave, I want to thank you again for helping me with these viral issues.  While they are not gone, my system is running much better.  Thank You!

            SuperDave

            Re: once badly infected-not sure what now
            « Reply #8 on: August 03, 2010, 01:17:49 PM »
            Just forget about the ComboFix script. We can fix that later. Please run RootRepeal and post the log.

            bouncier

              Re: once badly infected-not sure what now
              « Reply #9 on: August 03, 2010, 01:20:43 PM »
              I'm sorry, I wasn't clear with that, it is the RootRepeal program that I cannot download.  Combofix is running fine.

              SuperDave

              Re: once badly infected-not sure what now
              « Reply #10 on: August 03, 2010, 05:37:03 PM »
              Ok. Please try this.

              SysProt Antirootkit

              Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

              bouncier

                Re: once badly infected-not sure what now
                « Reply #11 on: August 03, 2010, 09:18:14 PM »
                Dave, sorry but the SysProt will not download either.  I cannot get anything to download.  I will update if this changes.

                bouncier

                  Re: once badly infected-not sure what now
                  « Reply #12 on: August 04, 2010, 12:29:58 PM »
                  I have managed to get a working RootRepeal and will be back with the report as soon as I finish.   ;D

                  bouncier

                    Re: once badly infected-not sure what now
                    « Reply #13 on: August 04, 2010, 12:53:25 PM »
                     ;D
                    ROOTREPEAL (c) AD, 2007-2009
                    ==================================================
                    Scan Start Time:      2010/08/04 12:45
                    Program Version:      Version 1.3.5.0
                    Windows Version:      Windows XP SP3
                    ==================================================

                    Drivers
                    -------------------
                    Name: dump_atapi.sys
                    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                    Address: 0xB0508000   Size: 98304   File Visible: No   Signed: -
                    Status: -

                    Name: dump_WMILIB.SYS
                    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                    Address: 0xBA5D4000   Size: 8192   File Visible: No   Signed: -
                    Status: -

                    Name: PCI_HAL
                    Image Path: \Driver\PCI_HAL
                    Address: 0x00000000   Size: 0   File Visible: No   Signed: -
                    Status: -

                    Name: rootrepeal.sys
                    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                    Address: 0xACBD7000   Size: 49152   File Visible: No   Signed: -
                    Status: -

                    Name: ꎨ詊
                    Image Path: ꎨ詊
                    Address: 0xBA3D0000   Size: 21120   File Visible: No   Signed: -
                    Status: Hidden from the Windows API!

                    Hidden/Locked Files
                    -------------------
                    Path: c:\documents and settings\all users\application data\juno\accelerator\sdi.lg
                    Status: Size mismatch (API: 384706, Raw: 384250)

                    Path: c:\documents and settings\all users\application data\microsoft\microsoft antimalware\support\mpwpptracing.bin
                    Status: Allocation size mismatch (API: 131072, Raw: 65536)

                    SSDT
                    -------------------
                    #: 017   Function Name: NtAllocateVirtualMemory
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069ced0

                    #: 019   Function Name: NtAssignProcessToJobObject
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069d700

                    #: 031   Function Name: NtConnectPort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069ada0

                    #: 037   Function Name: NtCreateFile
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb06aa9c0

                    #: 046   Function Name: NtCreatePort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a8e0

                    #: 047   Function Name: NtCreateProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0697620

                    #: 048   Function Name: NtCreateProcessEx
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0697a30

                    #: 050   Function Name: NtCreateSection
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0696ef0

                    #: 053   Function Name: NtCreateThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0698f20

                    #: 057   Function Name: NtDebugActiveProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699b90

                    #: 068   Function Name: NtDuplicateObject
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a6f0

                    #: 097   Function Name: NtLoadDriver
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069c490

                    #: 116   Function Name: NtOpenFile
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb06ab040

                    #: 122   Function Name: NtOpenProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0698a20

                    #: 125   Function Name: NtOpenSection
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0697310

                    #: 128   Function Name: NtOpenThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699420

                    #: 137   Function Name: NtProtectVirtualMemory
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069d350

                    #: 145   Function Name: NtQueryDirectoryFile
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069ca70

                    #: 180   Function Name: NtQueueApcThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069d8a0

                    #: 199   Function Name: NtRequestPort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069b9a0

                    #: 200   Function Name: NtRequestWaitReplyPort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069bf90

                    #: 204   Function Name: NtRestoreKey
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb06aa550

                    #: 206   Function Name: NtResumeThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a340

                    #: 210   Function Name: NtSecureConnectPort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069b190

                    #: 213   Function Name: NtSetContextThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699970

                    #: 240   Function Name: NtSetSystemInformation
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699d30

                    #: 249   Function Name: NtShutdownSystem
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069c370

                    #: 253   Function Name: NtSuspendProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a520

                    #: 254   Function Name: NtSuspendThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a130

                    #: 255   Function Name: NtSystemDebugControl
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699f40

                    #: 257   Function Name: NtTerminateProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0698c80

                    #: 258   Function Name: NtTerminateThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699760

                    #: 262   Function Name: NtUnloadDriver
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069c780

                    #: 277   Function Name: NtWriteVirtualMemory
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069d520

                    ==EOF==
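Every hook in the listing above is attributed to OADriver.sys, the driver of the Online Armor firewall the original poster said is installed, so the useful check is whether any hook points anywhere else. As an added example (not from the thread or from the tool that produced the listing), this Python parses that "#: nnn Function Name / Status: Hooked by" layout, groups hooks by driver, flags hooks from drivers outside a host-specific allowlist, and reports the address spread of one driver's hooks; the sample log, the allowlist and the example_unknown.sys name are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the SSDT hook listing above:
# two hooks by OADriver.sys and one by a made-up driver name so the
# allowlist check has something to flag. Not a log from the thread.
SAMPLE_SSDT_LOG = r"""
#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb06aa9c0

#: 047   Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0697620

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\example_unknown.sys" at address 0xb0123456
"""

# Drivers whose SSDT hooks are expected on this host, keyed by lowercase file
# name. OADriver.sys (Online Armor) is the only one the thread shows; the
# allowlist itself is an assumption to be maintained per machine.
KNOWN_HOOKING_DRIVERS = {
    "oadriver.sys": "Online Armor",
}

HOOK_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s*\n'
    r'\s*Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)


def parse_hooks(text):
    """Return one dict per hooked SSDT entry: index, function, module path, address."""
    hooks = []
    for m in HOOK_RE.finditer(text):
        hooks.append({
            "index": int(m.group("index")),
            "function": m.group("func"),
            "module": m.group("module"),
            "address": int(m.group("addr"), 16),
        })
    return hooks


def module_name(path):
    """Lowercase file name of a driver path, for allowlist comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hooks_by_module(hooks):
    """Group hooked function names under the driver that installed the hook."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[module_name(h["module"])].append(h["function"])
    return dict(grouped)


def unexpected_hooks(hooks, known=KNOWN_HOOKING_DRIVERS):
    """Hooks installed by any driver not on the allowlist; these need manual review."""
    return [h for h in hooks if module_name(h["module"]) not in known]


def address_span(hooks, module):
    """Lowest and highest hook address for one module. A driver's hook handlers
    live inside its own image, so a spread far larger than a driver image is a
    reason to look at the hooking module more closely."""
    addrs = [h["address"] for h in hooks if module_name(h["module"]) == module]
    return (min(addrs), max(addrs)) if addrs else None


if __name__ == "__main__":
    found = parse_hooks(SAMPLE_SSDT_LOG)
    for mod, funcs in hooks_by_module(found).items():
        print(f"{mod}: {len(funcs)} hook(s): {', '.join(funcs)}")
    for h in unexpected_hooks(found):
        print(f"REVIEW: {h['function']} hooked by {h['module']}")
```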

                    SuperDave

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Thanked: 1020
                    • Experience: Expert
                    • OS: Windows 10
                    Re: once badly infected-not sure what now
                    « Reply #14 on: August 04, 2010, 01:14:49 PM »
                    Quote
                    I cannot get anything to download.
                    What happens when you try to download programs? Do you get any error messages?

                    I'd like to scan your machine with ESET OnlineScan

                    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                    ESET OnlineScan
                    • Click the button.
                    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                      • Click on to download the ESET Smart Installer. Save it to your desktop.
                      • Double click on the icon on your desktop.
                    • Check
                    • Click the button.
                    • Accept any security warnings from your browser.
                    • Check
                    • Push the Start button.
                    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                    • When the scan completes, push
                    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                    • Push the button.
                    • Push
                    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                    Windows 8 and Windows 10 dual boot with two SSD's

                    bouncier

                      Topic Starter


                      Rookie

                      Re: once badly infected-not sure what now
                      « Reply #15 on: August 04, 2010, 04:39:35 PM »
                      Hi, well you asked for it...there were 161 threats on my system.  I have no idea what is on where because the computer was given to me.  (She goes through them like candy- paranoia... but uses web search, etc.)

                      I noticed that some of the threats were quite old, which tells me that the programs we used previously, and the malicious removal tool put out by MS, didn't detect them on all the passes there have been???

                       C:\Program Files\Atlantis\Atlantis.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP138\A0024726.dll   probably a variant of Win32/Adware.Gamevance.AG application   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP173\A0027677.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027687.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027691.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027695.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027700.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027762.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027766.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027775.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027786.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027791.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP174\A0027800.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0027991.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0027999.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028001.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028005.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028006.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028008.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028053.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028058.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028070.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028074.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028121.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028123.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028137.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028138.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028149.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028153.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028159.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028162.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028167.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028175.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175\A0028176.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028238.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028240.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028244.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028245.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028246.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028247.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028249.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028250.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028252.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028253.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028256.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028267.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028271.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028275.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028277.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028286.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028306.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028309.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028405.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028460.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028471.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028482.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028490.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028495.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177\A0028500.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028563.exe   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028584.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028587.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028601.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028635.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028640.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028771.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028779.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028783.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028795.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028811.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028815.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028893.dll   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028894.dll   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028905.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028907.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179\A0028912.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029275.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029283.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029310.scr   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029390.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029414.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029415.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029416.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029430.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029432.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029434.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029436.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029445.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029447.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029463.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029467.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029479.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029482.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029490.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029735.dll   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0029736.dll   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0030295.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0030303.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0031263.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP181\A0031323.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031701.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031702.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031718.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031761.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031775.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031961.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031963.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031964.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031968.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0031986.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0032003.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0032008.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP186\A0032010.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP187\A0032364.rbf   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP187\A0032431.rbf   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP187\A0032495.rbf   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037807.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037816.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037842.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037844.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037848.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037862.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037875.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037879.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037880.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037882.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037891.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037893.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037901.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037910.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037911.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037922.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037924.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037928.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037930.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037933.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037938.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037942.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037946.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037953.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0037960.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0038303.dll   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0038304.dll   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0038538.dll   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193\A0038539.dll   Win32/Agent.RLA trojan   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP197\A0039840.rbf   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP206\A0040963.DLL   a variant of Win32/Toolbar.MyWebSearch application   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP206\A0040964.DLL   Win32/Toolbar.MyWebSearch application   cleaned by deleting - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042036.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042037.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042040.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042041.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042042.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042043.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042044.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042045.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042046.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042049.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP208\A0042050.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP265\A0056638.exe   Win32/Virut.NBP virus   cleaned - quarantined
                      C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP88\A0019362.dll   probably a variant of Win32/Adware.Gamevance.AG application   cleaned by deleting - quarantined

                      SuperDave

                      • Malware Removal Specialist
                      • Moderator


                      • Genius
                      • Thanked: 1020
                      • Certifications: List
                      • Experience: Expert
                      • OS: Windows 10
                      Re: once badly infected-not sure what now
                      « Reply #16 on: August 04, 2010, 05:45:35 PM »
You didn't tell me what messages you receive when you try to download programs. I'm afraid I have some bad news. You have had and probably still have Virut on your computer and all the experts feel that this is incurable, although a lot of products say that they can cure it. See below.

                      Unfortunately the only reliable cure for Virut is a complete reformat and reinstall. See here for more information. Virut and other File infectors - Throwing in the Towel?

                      Many of the major antivirus vendors have Virut removal tools but many times Virut is not repairable. The only reliable way to remove Virut is removing the system files it has infected and in turn crippling the system and calling for a reformat/reinstall anyway. Remember it is always spreading so trying to contain it is impossible. See this article on why it is so destructive. Under the Hood: Virut

                      If you do try to repair this without reformatting then your best chance is using the Avira AntiVir Rescue CD. (free) And/or the Dr Web LiveCD. (also free)

                      Backing up files before formatting

If you back up any files they should be scanned from a clean, properly protected PC before restoring. Also be careful what scanner is used as some are very poor at detecting and even worse at protecting from this infection. In fact due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only back up files you cannot replace like text documents and personal photos.

                      Do not back up to another machine! It will likely become infected by Virut. Burn to DVD/CD, a flash drive or to an external drive which has nothing else on it and which you can format should it become infected from the backups.

                      I suggest running at least 3 of the below scanners on the backup files. Run the first scan then reboot before running the second then reboot after the second before running the third.
                       
                      -) Dr.Web CureIt!
                      -) AVG Win32/Virut Removal Tool
-) Symantec W32.Virut Removal Tool
                      -) McAfee Avert Stinger
                      -) Microsoft Windows Malicious Software Removal Tool

                      If you do not know how to perform a fresh install, use this website -> www.windowsreinstall.com/

                      Very important, do the following immediately or as soon as possible!

                      If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.
                       
                      From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc.

                      DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.
                      ================================
                      Here is a scan that will tell if your computer actually has Virut.

Please go to VirusTotal.com. Browse for this file:

                      c:\windows\system32\user32.DLL

                      Do the same for these two files:

                      C:\windows\system32\userinit.exe
                      C:\windows\explorer.exe


                      Then click submit.

                      If a pop-up appears saying the file has been scanned already, please select the ReScan button.

                      Please post the results (URL) to your next reply.
                      Windows 8 and Windows 10 dual boot with two SSD's
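As an added example (not code from the thread, and not part of VirusTotal or any of the tools named above), here is a short Python script that does offline what the VirusTotal check above is looking for. It parses the PE header of a file and reports the traces a file infector leaves behind (entry point redirected into an appended, writable and executable last section, or pointing outside every section), or a header too damaged to parse, which is the condition behind the "not a valid Win32 application" message. It also prints the SHA-256 so a file can be looked up on VirusTotal by hash instead of being uploaded. The sample images, including the ".xtra" section name, are constructed inside the script; on a real machine you would point it at user32.dll, userinit.exe and explorer.exe. These are heuristics, not a Virut signature: an empty finding list does not replace a scan.

```python
"""Static PE header check for the files SuperDave asks to have submitted.

Added example, not code from the thread. Looks for the marks a file
infector leaves in a PE header and reports a header too damaged to parse
(the state behind Windows' "not a valid Win32 application" error). The
sample images below are constructed in-line; the section name ".xtra" is
an assumption, not a known Virut artefact. Heuristics only, not a signature.
"""
import hashlib
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_point):
    """Construct a minimal PE32 image (sample data, not a real binary).

    sections: list of (name, virtual_address, size, characteristics)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_point)
    opt += b"\0" * (0xE0 - len(opt))                            # rest of optional header
    table, raw = b"", 0x400
    for name, va, size, chars in sections:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, va, size, raw, 0, 0, 0, 0, chars)
        raw += size
    return dos + b"PE\0\0" + coff + opt + table


def parse_headers(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                             # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]         # same offset in both
    sections = []
    for i in range(nsect):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return entry, sections


def header_findings(data):
    """Heuristic findings for one PE image; an empty list means nothing unusual."""
    try:
        entry, sections = parse_headers(data)
    except (ValueError, struct.error) as exc:
        return ["damaged header (%s): Windows would report 'not a valid Win32 application'" % exc]
    findings = []
    for idx, (name, va, vsize, chars) in enumerate(sections):
        if not va <= entry < va + vsize:
            continue
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry point in writable+executable section %s" % name)
        if not chars & IMAGE_SCN_CNT_CODE:
            findings.append("entry point in non-code section %s" % name)
        if len(sections) > 1 and idx == len(sections) - 1:
            findings.append("entry point in last section %s (typical of appended infector code)" % name)
        break
    else:
        findings.append("entry point 0x%x lies outside every section" % entry)
    return findings


def sha256_hex(data):
    """Hash to paste into VirusTotal's search box instead of uploading the file."""
    return hashlib.sha256(data).hexdigest()


TEXT = (b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (b".data", 0x2000, 0x200, 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
APPENDED = (b".xtra", 0x3000, 0x600, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN = build_pe([TEXT, DATA], entry_point=0x1010)               # entry inside .text
INFECTED = build_pe([TEXT, DATA, APPENDED], entry_point=0x3000)  # entry moved to appended section
DAMAGED = CLEAN[:0x40] + b"\0\0\0\0" + CLEAN[0x44:]              # PE signature overwritten

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("CLEAN", CLEAN), ("INFECTED", INFECTED), ("DAMAGED", DAMAGED)]
    for label, blob in targets:
        print("%s  sha256=%s" % (label, sha256_hex(blob)))
        for finding in header_findings(blob) or ["no header anomalies (heuristics only)"]:
            print("    " + finding)
```

Run it with no arguments to see the three constructed samples, or pass file paths. Packed or self-extracting executables can trip the last-section check, so treat a finding as a reason to submit the file, not as proof of infection.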

                      bouncier


                        Re: once badly infected-not sure what now
                        « Reply #17 on: August 04, 2010, 07:30:58 PM »
                        http://www.virustotal.com/analisis/acd0ae7b4d5f871e148276c6cc4ae3a216e33f67fc78d827c16986e1f945438c-1280970992
                        http://www.virustotal.com/analisis/944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f-1280971427

                        Is this what you needed?  It said they previously analyzed the files and/or they gained access 13 and 14 April 2008!!  I'm going to start getting this handled, a clean format.  Yes, I do know how ...

                        Question:  Is there any way that a virus can get onto the installation disc??  It seems that I read somewhere that if All Caps were on it could or something to that effect.

                        I will check back with you before I totally wipe it clean.  Better yet, I will wait for your go ahead after I have taken care of everything else...

In case something happens and I am unable to get back, THANK YOU SOOO MUCH!!  At least now I know...

                        SuperDave

                        Re: once badly infected-not sure what now
                        « Reply #18 on: August 05, 2010, 01:35:09 PM »
                        Did you forget to scan this file? C:\windows\explorer.exe
The other two files came back quite clean so you may not have Virut after all. The decision to reformat is totally up to you. The ESET scan shows that all the instances of Virut were in System Restore so it's possible it may not have gotten into the OS files until someone hit Restore.


                        Quote
                        Is there any way that a virus can get onto the installation disc?? 
                        Not unless it was copied with an infected computer. If it's the original, it's good.
                        Please let me know your future course of action.



                        bouncier


                          Re: once badly infected-not sure what now
                          « Reply #19 on: August 05, 2010, 03:23:19 PM »
                          I searched for exeplore.exe and didn't find it although it seems that in my travels through my directories I had seen a file with that name.  I will look again and scan if I find. 

If it's no Virut, or if not throughout the system, what is the course to take to eradicate it for good??  One of the programs you previously mentioned?  I'll be back. ::)

                            SuperDave

                            Re: once badly infected-not sure what now
                            « Reply #21 on: August 05, 2010, 06:03:47 PM »
                            Are you still having problems with downloads?

                            Download Dr.Web CureIt to the desktop:
                            Dr WebCureIt
                            • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
                            • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
                            • Once the short scan has finished, just let it cure whatever it finds...

                              o Now, go to Settings >> Change Settings
                              o Go to Actions tab >> under Objects section, change the settings to below
                              Infected objects - Cure
                              Incurable objects - Report
                              Suspicious objects - Report
                              o Don't change any other settings
                            • Start the scan again. This time, choose Complete Scan
                            • Click the green arrow button at the right, and the scan will start.
                            • After the scan finished, click Select all
                            • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
                            • When the scan has finished, in the menu, click File and choose Save report list
                            • Save the report to your Desktop. The report will be called DrWeb.csv
                            • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..

                            bouncier


                              Re: once badly infected-not sure what now
                              « Reply #22 on: August 05, 2010, 08:57:08 PM »
Allrighty-I went to download, (Russian??) and tried to download, nothing was happening.  So I did a search and saw Bleeping Computer.  I went to that one because I know they are trusted.  Their download link took me to CNet.  I proceeded to download.  When it finished, it said that the free version was only for home PC's and did I want to go to the purchase page??  I said cancel and it brought up another screen that said _##_ viruses ... , and that the program was rebuilt _##_ per day, etc.  and then it asked me if I wanted to get the current version and I said yes.  I am back to the Russian page.

                              These are not verbatim but close.  I will try it again but thought you might want to know.

                              And my download attempts??  It was:  "not a valid win32 application", or  "the application configuration is incorrect" downloading the application again might fix this problem.  Almost every download has a problem, except if it is a ms windows - I believe.

                              bouncier


                                Re: once badly infected-not sure what now
                                « Reply #23 on: August 06, 2010, 02:37:50 PM »
There were two reports, this one and one that was 65,733 KB.  I assume you want this one?? 

                                Softpedia is the first and only Dr. Web Cure It I found that I could download.  The site that is in Russian kept looping - start page then eula, etc.  I tried as I explained above, through Bleeping Computer, etc.  Just FYI.

                                Oh, the other download problem I have had is the "Gateway Timeout"

                                I think this doesn't look good but will wait for your comment.

                                Dave, even if this doesn't work, I so appreciate your time and personal attention given here.  I may go on to become a malware removal specialist because of you!!



                                A0028017.exe;C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175;Win32.Virut.56;Cured.;
                                A0028157.exe;C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP175;Win32.Virut.56;Cured.;
                                A0028248.exe;C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP177;Win32.Virut.56;Cured.;
                                A0028812.exe;C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179;Win32.Virut.56;Cured.;
                                A0028817.exe;C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP179;Win32.Virut.56;Cured.;
                                A0037945.scr;C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP193;Win32.Virut.56;Cured.;
                                A0040962.DLL;C:\System Volume Information\_restore{E6A610F7-930C-4195-B284-D1E0577DAE99}\RP206;Adware.Funweb.23;Incurable.Deleted.;
                                identity\unvised_41.bin;D:\Documents and Settings\bouncier\Local Settings\Application Data\identity;Probably BACKDOOR.Trojan;;
                                identity;D:\Documents and Settings\bouncier\Local Settings\Application Data;Container contains infected objects;Moved.;
                                stress-game.exe;D:\Documents and Settings\bouncier\Local Settings\Application Data;Joke.Puncher;Incurable.Deleted.;

                                SuperDave

                                Re: once badly infected-not sure what now
                                « Reply #24 on: August 06, 2010, 04:37:36 PM »
                                Here's some information about the "not a valid win32 application" error message. Does it make any sense to you? Does the program download and then you get the error when you try to run the program?

                                bouncier


                                  Re: once badly infected-not sure what now
                                  « Reply #25 on: August 06, 2010, 05:08:41 PM »
                                  Hi, I had read that win32 topic when I first got here.  The not valid win32 msg comes up after download.  But it comes up on things I had used before, and things that should absolutely be okay.

                                  Here's something for you:  My task bar icons have switched up, meaning that the one for Microsoft Security Essentials is now assigned to some casino; the super Antispyware icon has been assigned to another program.  My Security Essentials won't allow me to turn it back on; and I think that I actually did make back up or reinstall disks, plus I have my original. 

                                  I just read the article about whether you should install a fresh operating system, and I believe that given the overall condition of my system, maybe I should just reinstall.  Bite the bullet and go for it.

                                  Of course, if you don't think necessary, or if you see hope for current situation, i'll gladly hold off and listen...
                                  thanks you more!!

                                  SuperDave

                                  Re: once badly infected-not sure what now
                                  « Reply #26 on: August 07, 2010, 03:54:21 PM »
I really believe that Virut is still infecting files. You should follow the instructions I posted earlier, try to save your documents and reformat. Sorry

                                  bouncier


                                    Re: once badly infected-not sure what now
                                    « Reply #27 on: August 09, 2010, 01:15:01 PM »
I have been saving files, dumping garbage, etc.   I re-ran Dr. Web and it did not find anything this time.  Is that because it could be gone or because the virus changed its name and Dr. Web isn't aware???  I'm not entirely sure what these viruses can do...

                                    Also, I downloaded Opera (cuz I like the widgets) and the problems I was having with IE, (not bringing up the page) is gone!

                                    SuperDave

                                    Re: once badly infected-not sure what now
                                    « Reply #28 on: August 09, 2010, 04:28:59 PM »
                                    Please try re-running ESET and also the Virut test that I gave you earlier.

                                    BC_Programmer


                                      Mastermind
                                    • Typing is no substitute for thinking.
                                    • Thanked: 1140
                                      • BC-Programming.com
                                    • Certifications: List
                                    • Computer: Specs
                                    • Experience: Beginner
                                    • OS: Windows 11
                                    Re: once badly infected-not sure what now
                                    « Reply #29 on: August 10, 2010, 11:31:00 AM »
I've had to deal with virut myself, and trust me, it's a losing battle. It's a very feisty file infector. What I ended up doing was reformatting my primary drive, reinstalling windows, and then deleting all the infectable files off my data drive. The main problem is that unlike most viruses you can't just clean a bit at a time and come back later- if you leave <ANY> infected files they will just spread out over the clean ones again and you're back where you started. What makes this even more annoying is that you could leave an executable in a deep nested hidden off directory, or there could be a program you use on a portable drive, and you think you're clean for a good few weeks or a month, and you run the program and you're infected again and in a matter of hours you're back in the very same position you were before.

                                    It's one of the few viruses that almost always requires the brute force complete format to get rid of.
                                    I was trying to dereference Null Pointers before it was cool.
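As an added example (not code from the thread or from any named tool), the Python script below applies the rule in the post above, remove every infectable file rather than trust a partial clean, to a backup tree before it is restored onto the reinstalled system. It also covers SuperDave's backup advice in Reply #16: anything that is a PE image by its header bytes is quarantined no matter what its name says (a renamed .exe is still infectable and still runnable), anything with an executable extension but no valid PE header is quarantined as damaged, and .htm/.html/.php/.asp files are flagged for inspection when an iframe sits in their tail, which Virut-family infectors are known to append. The extension lists and the sample tree are this example's own assumptions, constructed inside the script; "keep" still means "scan before restore", not "trusted".

```python
"""Triage a backup tree before restoring it onto a reinstalled system.

Added example, not code from the thread. Verdicts: 'quarantine' for any
PE image (by header bytes, not by name) or executable-named file with a
broken header, 'inspect' for web files with a trailing <iframe>, 'keep'
for everything else (which still gets scanned). The extension sets and the
sample tree are this example's own assumptions, constructed in-line.
"""
import os
import shutil
import sys
import tempfile

EXEC_EXT = {".exe", ".scr", ".dll", ".ocx", ".sys", ".cpl", ".drv", ".com", ".pif"}
WEB_EXT = {".htm", ".html", ".php", ".asp"}


def is_pe(path):
    """True if the file has an MZ stub whose e_lfanew points at a PE signature."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        fh.seek(int.from_bytes(head[0x3C:0x40], "little"))
        return fh.read(4) == b"PE\0\0"


def has_trailing_iframe(path):
    """True if '<iframe' occurs in the last 4 KiB of the file."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - 4096))
        return b"<iframe" in fh.read().lower()


def triage(root):
    """Map each file under root ('/'-separated relative path) to a verdict."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if is_pe(full):
                verdicts[rel] = "quarantine"   # executable content, whatever the name
            elif ext in EXEC_EXT:
                verdicts[rel] = "quarantine"   # executable name, header damaged
            elif ext in WEB_EXT and has_trailing_iframe(full):
                verdicts[rel] = "inspect"
            else:
                verdicts[rel] = "keep"         # still scanned before restore
    return verdicts


def quarantine(root, dest=None):
    """Move every 'quarantine' file out of root into dest, keeping relative paths.

    Returns (dest, sorted list of moved relative paths)."""
    dest = dest or tempfile.mkdtemp(prefix="quarantine-")
    moved = []
    for rel, verdict in triage(root).items():
        if verdict != "quarantine":
            continue
        target = os.path.join(dest, *rel.split("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.move(os.path.join(root, *rel.split("/")), target)
        moved.append(rel)
    return dest, sorted(moved)


def make_sample_tree():
    """Constructed backup: documents plus disguised, damaged and injected files."""
    root = tempfile.mkdtemp(prefix="backup-")
    pe = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 64
    files = {
        "docs/letter.txt": b"Dear Sir,\nplease find the invoice attached.\n",
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 32,
        "photos/holiday2.jpg": pe,                        # executable renamed to .jpg
        "tools/setup.exe": pe,
        "tools/saver.scr": pe,
        "tools/old.exe": b"MZ" + b"\0" * 8,                # header truncated
        "web/index.html": b"<html><body>hi</body></html>\n"
                          b'<iframe src="http://example.invalid/" width=1 height=1></iframe>',
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for rel, verdict in sorted(triage(root).items()):
        print("%-10s %s" % (verdict, rel))
```

Run it with the backup directory as the argument (or with none to see the constructed tree). The quarantine folder keeps the files, so an irreplaceable document that was misfiled as "quarantine" can still be recovered after it has been scanned, which is safer than deleting on the first pass.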

                                    bouncier


                                      Re: once badly infected-not sure what now
                                      « Reply #30 on: August 13, 2010, 05:49:27 PM »
                                      Can you point me in a direction to help ensure a good clean drive to start with??  I have reinstalled once,  and now days later here I am.  And thank you for the advice about the virut...I keep thinking I can beat it.  I'm giving up.

                                      One last question, there are PE Structure Viewers, Explorers, etc. out there that allow looking inside at the root of a file.  I have downloaded one and looked at the nasty file.  There is definitely some concerns but since I'm rebooting, it won't matter.  But, is that software viewer able to help one successfully achieve eradication of Virut?  If you know what you are looking for?  I am stubborn, but not stupid however am also curious to no end!!

                                      Appreciate all of your time and comments guys!!

                                      SuperDave

                                      Re: once badly infected-not sure what now
                                      « Reply #31 on: August 14, 2010, 04:53:48 PM »
                                      Quote
                                      But, is that software viewer able to help one successfully achieve eradication of Virut?
                                      Most experts agree that you can't clean a Virut infection.

                                      Quote
                                      Can you point me in a direction to help ensure a good clean drive to start with??
                                      If you do not know how to perform a fresh install, use this website -> www.windowsreinstall.com/

If you want to try a few more scans before reformatting, try these. There is one listed in Reply #16. It's called Avira AntiVir Rescue CD or Dr Web LiveCD.

* Go to Start > Run and type mrt.exe then press Enter on the keyboard.
* (Vista and Windows 7 users go to Start and type mrt.exe in the search box then press Enter on the keyboard.)
                                      * Click Next.
                                      * Choose Full Scan and click Next.
                                      * Once the scan is finished click View detailed results of the scan.

                                      Look through the list and let me know if anything was found infected.

                                      bouncier


                                        Re: once badly infected-not sure what now
                                        « Reply #32 on: September 16, 2010, 04:18:13 AM »
Hi Dave, remember me??  I am in the process of a complete from scratch reinstall.  I wanted to run my user32.dll file through the Virus Total process to ensure I had a clean install.  I have a validated Windows Installation disk.  That is the only thing that has been on the hard drive except for the floppy disk that was used to enable the brand new hard drive for use.

Virus Total indicates a trojan patched by the Hacker.  The scan I did on the last user32.dll file was a Win32.Banker by eSafe. 

                                        I need some understanding on what the contents of the url as raised below and what direction I go now since apparently either the infection is on my installation disk or...? 

                                        Please!!!




                                        THIS IS THE URL THAT I COPIED AND PASTED IN NOTEPAD;  Please look at part where it says that "Virus Total's website has changed and that they need new translations... and do you want to help community"



                                        <?xml version="1.0" encoding="utf-8"?>
                                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
                                        <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

                                        <head>

                                                <title>VirusTotal - Free Online Virus, Malware and URL Scanner</title>

                                                <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
                                                <meta http-equiv="content-language" content="en" />
                                                <meta name="keywords" content="virustotal, antivirus, infected, free, scan, online, malware, malicious" />
                                                <meta name="description" content="VirusTotal is a free virus, malware and URL online scanning service" />
                                                <meta name="copyright" content="Hispasec Sistemas" />
                                            <meta name="author" content="Emiliano Martinez Contreras" />
                                                <meta name="robots" content="index,follow" />

                                                <link rel="alternate" type="application/rss+xml" title="VirusTotal Blog RSS Feed" href="http://blog.hispasec.com/virustotal/rss20.xml" />

                                                <link rel="shortcut icon" href="http://virustotal.hispasecsistemas.netdna-cdn.com/img/favicon.ico" type="image/x-icon" />

                                                <link rel="stylesheet" type="text/css" href="http://virustotal.hispasecsistemas.netdna-cdn.com/css/virustotal-min.css" />
                                            <link type="text/css" href="http://virustotal.hispasecsistemas.netdna-cdn.com/css/custom-theme/jquery-ui-1.7.2.custom-min.css" rel="stylesheet" />

                                            <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js"></script>
                                            <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.1/jquery-ui.min.js"></script>



                                            <script type="text/javascript" src="http://virustotal.hispasecsistemas.netdna-cdn.com/js/common-min.js"></script>

                                        </head>

                                        <body>

                                            <div id="shaded-screen"></div>

                                            <center>

                                                <div id="top-bar">
                                                    <table>
                                                        <tr>
                                                            <td style="width: 350px; text-align: left;">
                                                                <span id="community-banner">VT Community</span>
                                                                <span id="sign-in" class="clickable" style="padding-left: 8px;"> Sign in ▼</span>
                                                                <span id="my-account" class="clickable" style="padding-left: 8px; display: none;"> My account ▼</span>
                                                                <span id="sign-out" class="clickable" style="padding-left: 8px; display: none;"> Sign out</span>
                                                                <span id="signing-out" style="padding-left: 8px; display: none;">Signing out...
                                                                    <img height="16" width="16" src="http://virustotal.hispasecsistemas.netdna-cdn.com/img/loading.gif" /></span>
                                                            </td>
                                        VirusTotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.

                                        0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware.
                                        0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

                                        File name:       user32.dll
                                        Submission date: 2010-09-16 09:58:44 (UTC)
                                        Current status:  queued
                                        VT Community:    not reviewed, Safety score: -

                                        <div id="report-manipulation" class="invisible">
                                            <div style="height: 14px; text-align: right;">
                                                <div style="font-size: 11px; position: absolute; display: block; float: left;">
                                                    <span class="ui-icon ui-icon-zoomout" style="float: left; margin-right: .3em;"></span>
                                                    <a onclick="openCompact();" href="#">Compact[/url]
                                                </div>
                                                <div style="font-size: 11px; display: block;">
                                                    <a href="javascript:window.print()">Print results[/url]
                                                    <span class="ui-icon ui-icon-print" style="display: -moz-inline-stack; display:inline-block; margin-right: .3em; vertical-align: top;"></span>
                                                </div>
                                            </div>
                                        </div>

                                        <div id="tablas">

                                            <table width="700" border="0" cellpadding="0" cellspacing="0" id="tablaMotores">
                                                <tr>
                                                    <th>Antivirus</th>
                                                    <th>Version</th>
                                                    <th>Last Update</th>
                                                    <th>Result</th>
                                                </tr>
                                            </table>

                                            <table width="700" border="0" cellpadding="0" cellspacing="0" id="metadata-table">
                                                <tr>
                                                    <th><div style="display:inline; float: left; padding-top: 5px;">Additional information</div>
                                                        <div class="button" style="display: inline; float: right;">
                                                            <button id="show-metadata" class="submission-button" style="font-size: 11px;">Show all</button>
                                                        </div>
                                                    </th>
                                                </tr>
                                        Additional information
                                        MD5   : c72661f8552ace7c5c85e16a3cf505c4
                                        SHA1  : 19dc0854aaeaadf26bae8b7daace8115b5209f73
                                        SHA256: 380797a1d74b8c5cc0972f61d546666eb509950be94256a1fbdbc06244bb564a
                                        File size : 577024 bytes
                                        First seen: 2008-12-02 20:35:24
                                        Last seen : 2010-09-16 09:58:44
                                        ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
                                        VirusTotal &copy; Hispasec Sistemas (http://www.hispasec.com/) - Blog: http://blog.hispasec.com/virustotal/ - Twitter: http://www.twitter.com/virustotalnews - Terms of Service & Privacy Policy
                                        This is the URL:
                                        http://www.virustotal.com/file-scan/report.html?id=380797a1d74b8c5cc0972f61d546666eb509950be94256a1fbdbc06244bb564a-1284631124
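The report above identifies the sample only by its digests, and the id in the report URL is the SHA-256 followed by a dash and the submission time as a Unix timestamp (1284631124 is 2010-09-16 09:58:44 UTC, the submission date the report shows). The script below is an added example, not part of the original thread and not VirusTotal's own code: it computes MD5, SHA-1 and SHA-256 of a local file in a single chunked pass, strips the whitespace that line-wrapping put into the pasted hashes, and checks a local file's SHA-256 against the report URL, so you can confirm that the report you are reading is for the copy of user32.dll actually on your disk rather than some other file with the same name. The URL-id layout is inferred from this page's own URL and report, not from any documented interface, and the sample bytes are constructed for the demonstration.

```python
import hashlib
import io
import re
from datetime import datetime, timezone
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlparse

CHUNK = 1 << 20  # 1 MiB reads, so a large DLL never has to fit in memory at once


def digests_of_stream(stream) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a binary stream, all computed in one pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return digests_of_stream(f)


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    return digests_of_stream(io.BytesIO(data))


def normalize_hex(text: str) -> str:
    """Remove whitespace and case differences from a hash copied off a web page."""
    return re.sub(r"\s+", "", text).lower()


# Assumed layout, taken from this thread's URL: id=<sha256 hex>-<unix timestamp>
_REPORT_ID = re.compile(r"^([0-9a-f]{64})-(\d+)$")


def parse_report_url(url: str) -> Tuple[str, datetime]:
    """Split a file-scan report URL into (sha256, submission time in UTC)."""
    query = parse_qs(urlparse(url).query)
    try:
        report_id = query["id"][0]
    except (KeyError, IndexError):
        raise ValueError("report URL has no id parameter") from None
    m = _REPORT_ID.match(report_id.lower())
    if not m:
        raise ValueError(f"unexpected report id format: {report_id!r}")
    sha256, ts = m.group(1), int(m.group(2))
    return sha256, datetime.fromtimestamp(ts, tz=timezone.utc)


def report_matches(local: Dict[str, str], url: str) -> bool:
    """True only if the local file's SHA-256 is the one the report URL refers to."""
    sha256, _ = parse_report_url(url)
    return local["sha256"] == sha256


# Constructed inputs: the report URL pasted in the thread, and a stand-in file body.
REPORT_URL = ("http://www.virustotal.com/file-scan/report.html?id="
              "380797a1d74b8c5cc0972f61d546666eb509950be94256a1fbdbc06244bb564a-1284631124")
SAMPLE_BYTES = b"abc"  # constructed; the real user32.dll in the report is 577024 bytes

if __name__ == "__main__":
    sha256, submitted = parse_report_url(REPORT_URL)
    print("report is for SHA-256", sha256, "submitted", submitted.isoformat())
    local = digests_of_bytes(SAMPLE_BYTES)  # use digests_of_file(r"C:\WINDOWS\system32\user32.dll") on a real box
    for name, value in local.items():
        print(f"{name:6s} {value}")
    print("local file matches report:", report_matches(local, REPORT_URL))
```

Run it against the real file with `digests_of_file` and compare the SHA-256 to the one in the report URL; a mismatch means the report is for a different file and its verdict says nothing about the copy on disk. The matching file size (577024 bytes) and the first-seen date in the report are further sanity checks, but the digest is the one that counts.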

                                        SuperDave

                                        • Malware Removal Specialist
                                        • Moderator


                                        • Genius
                                        Re: once badly infected-not sure what now
                                        « Reply #33 on: September 16, 2010, 04:45:46 PM »
                                        One in 43 is nothing to worry about. Go ahead with your reformat and reinstall your OS.
                                        Windows 8 and Windows 10 dual boot with two SSDs