Having some issues..very confused.

johnb35

Administrator
Staff member
I need you to run an updated malwarebytes scan for me. New files have appeared since the last scan. Open malwarebytes, click on the update tab, click on check for updates. After it updates please run a quick scan on your system and post the logfile.
 

M199

New Member
Here you go

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/7/2011 10:37:57 PM
mbam-log-2011-07-07 (22-37-57).txt

Scan type: Quick scan
Objects scanned: 189559
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

johnb35

Administrator
Staff member
This is one of those few occasions I have users download and run Superantispyware.

http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html

Download, install, and update it before running and post the log when complete. To access the log, click on the preferences button on the main page, then click on the statistics/logs tab and then open the log and copy and paste it back here. Please let it remove whatever it finds.
 

M199

New Member
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2011 at 11:20 PM

Application Version : 4.55.1000

Core Rules Database Version : 7386
Trace Rules Database Version: 5198

Scan type : Quick Scan
Total Scan Time : 00:26:02

Memory items scanned : 636
Memory threats detected : 0
Registry items scanned : 2456
Registry threats detected : 15
File items scanned : 20181
File threats detected : 63

Adware.Tracking Cookie

Adware.MyWebSearch/FunWebProducts
(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid
(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version

Browser Hijacker.Deskbar
(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
(x86) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Trojan.Agent/Gen-FakeDrop
C:\PROGRAM FILES (X86)\MOVIE MAKER\SHARED\DPL HILITE FILTER EFFECTS UNINSTALLER.EXE
 

johnb35

Administrator
Staff member
Okay, sorry for the late reply.

First thing to do would be to download and run Ccleaner.

http://download.cnet.com/ccleaner/

Download, install and run it. Open the program, don't change any settings and just click on run cleaner. Then do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Kill all::

Folder::

c:\users\Amanda\AppData\Local\{AA0416E0-8EDB-49F3-A75E-C7AD2CB9B336}

File::

c:\windows\SysWow64\atiumdva32.dll
c:\programdata\atiumdva32.exe
c:\programdata\findnetprinters32.dll
c:\programdata\certenc32.dll
c:\programdata\KBDDIV132.dll
c:\programdata\atiumdva32.dll
c:\windows\SysWOW64\mfc7132.exe


Dirlook::

c:\users\Amanda\AppData\Roaming
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot attachment: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 

M199

New Member
Sorry for the late reply too.
I see this program labels history on the scanner? It's not going to clear it, is it?
 

johnb35

Administrator
Staff member
I'm headed to bed so I will reply tomorrow when I get home from work. Post your log and I'll look at it when I get home.
 

M199

New Member
That's fine, here you go!

ComboFix 11-07-07.05 - Amanda 07/09/2011 22:34:09.5.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.5886.4037 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
Command switches used :: c:\users\Amanda\Desktop\CFScript.txt
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\atiumdva32.dll"
"c:\programdata\atiumdva32.exe"
"c:\programdata\certenc32.dll"
"c:\programdata\findnetprinters32.dll"
"c:\programdata\KBDDIV132.dll"
"c:\windows\SysWow64\atiumdva32.dll"
"c:\windows\SysWOW64\mfc7132.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\atiumdva32.exe
c:\users\Amanda\AppData\Local\{AA0416E0-8EDB-49F3-A75E-C7AD2CB9B336}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\install.rdf
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\chrome.manifest
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\chrome\xulcache.jar
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\defaults\preferences\xulcache.js
c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
.
.
2011-07-10 02:52 . 2011-07-10 02:53 -------- d-----w- c:\users\Amanda\AppData\Local\temp
2011-07-10 02:52 . 2011-07-10 02:52 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-10 02:52 . 2011-07-10 02:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-10 02:52 . 2011-07-10 02:52 -------- d-----w- c:\users\Conrad\AppData\Local\temp
2011-07-10 01:58 . 2011-07-10 01:58 -------- d-----w- c:\program files\CCleaner
2011-07-08 16:11 . 2011-07-08 16:11 8896 --sha-w- c:\programdata\SMBHelperClass32.dll
2011-07-08 15:41 . 2011-07-08 15:41 8896 --sha-w- c:\programdata\feclient32.dll
2011-07-08 04:26 . 2011-07-08 04:26 8896 --sha-w- c:\programdata\CddbLangJA32.dll
2011-07-08 03:54 . 2011-07-08 03:54 8896 --sha-w- c:\programdata\KBDCZ232.dll
2011-07-08 03:22 . 2011-07-08 03:22 357376 ------w- c:\windows\SysWow64\atiumdva32.dll
2011-07-08 02:57 . 2011-07-08 02:57 8896 --sha-w- c:\programdata\D3DCompiler_3432.dll
2011-07-08 02:49 . 2011-07-08 02:49 -------- d-----w- c:\users\Amanda\AppData\Roaming\SUPERAntiSpyware.com
2011-07-08 02:49 . 2011-07-08 02:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-08 02:49 . 2011-07-08 02:49 -------- d-----w- c:\programdata\!SASCORE
2011-07-08 02:49 . 2011-07-08 02:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-08 02:27 . 2011-07-08 02:27 8896 --sha-w- c:\programdata\TimeDateMUICallback32.dll
2011-07-08 01:56 . 2011-07-08 01:56 8896 --sha-w- c:\programdata\snmpapi32.dll
2011-07-07 17:36 . 2011-07-07 17:36 8896 --sha-w- c:\programdata\findnetprinters32.dll
2011-07-07 17:04 . 2011-07-07 17:04 8896 --sha-w- c:\programdata\certenc32.dll
2011-07-07 16:31 . 2011-07-07 16:31 8896 --sha-w- c:\programdata\KBDDIV132.dll
2011-07-07 15:58 . 2011-07-07 15:58 8896 --sha-w- c:\programdata\atiumdva32.dll
2011-07-07 15:34 . 2011-07-07 15:34 -------- d-----w- c:\program files (x86)\ESET
2011-07-07 00:39 . 2011-07-07 00:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-07-06 15:11 . 2011-07-06 15:11 388096 ----a-r- c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11 -------- d-----w- c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17 -------- d-----w- c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-01 02:29 . 2011-06-24 03:18 565248 ------w- c:\windows\SysWow64\MFC7132.exe
2011-06-29 15:00 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-27 14:38 . 2011-06-27 14:38 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-15 17:05 . 2011-07-01 03:35 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 00:03 . 2011-06-14 00:03 -------- d-----w- c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03 -------- d-----w- c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 14:54 . 2011-06-13 14:54 -------- d-----w- c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42 -------- d-----w- c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43 -------- d-----w- c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43 -------- d-----w- c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38 -------- d-----w- c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38 -------- d-----w- c:\program files (x86)\Bonjour
2011-06-13 01:09 . 2011-06-13 01:09 -------- d-----w- c:\users\Amanda\AppData\Roaming\Malwarebytes
2011-06-13 01:09 . 2011-06-13 01:09 -------- d-----w- c:\programdata\Malwarebytes
2011-06-13 01:09 . 2011-05-29 13:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-13 00:10 . 2011-06-27 14:38 142296 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-06-13 00:10 . 2011-06-27 14:38 89048 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-06-13 00:10 . 2011-06-27 14:38 465880 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-06-13 00:10 . 2011-06-27 14:38 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-06-13 00:10 . 2011-06-27 14:38 781272 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-06-13 00:10 . 2011-06-27 14:38 1850328 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:38 . 2010-07-25 23:37 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-05-10 12:06 . 2011-05-10 12:06 51712 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Amanda\AppData\Roaming ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-06_21.44.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-06 21:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-08 03:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-08 03:54 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-08 03:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-10 02:55 89034 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-07-10 02:55 97396 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-09 00:10 . 2011-07-10 02:55 21352 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2819834726-533737158-1913216436-1000_UserData.bin
+ 2009-08-09 00:11 . 2011-07-10 01:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-09 00:11 . 2011-07-06 20:45 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-09 00:11 . 2011-07-06 20:45 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-09 00:11 . 2011-07-10 01:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-09 00:11 . 2011-07-06 20:45 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-09 00:11 . 2011-07-10 01:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-10 02:53 . 2011-07-10 02:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-06 21:43 . 2011-07-06 21:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-10 02:53 . 2011-07-10 02:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-06 21:43 . 2011-07-06 21:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-07 00:39 . 2011-07-07 00:38 157472 c:\windows\SysWOW64\javaws.exe
- 2010-10-27 22:35 . 2010-09-15 08:50 145184 c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38 145184 c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38 145184 c:\windows\SysWOW64\java.exe
- 2010-10-27 22:35 . 2010-09-15 08:50 145184 c:\windows\SysWOW64\java.exe
+ 2009-08-09 17:38 . 2011-07-08 17:21 307024 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2010-11-12 04:49 . 2011-07-10 02:52 441820 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-11-12 04:49 . 2011-07-06 21:42 441820 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-06-13 00:39 . 2011-07-04 03:40 853060 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-12288.dat
+ 2011-06-13 00:39 . 2011-07-10 02:52 853060 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-12288.dat
+ 2011-07-07 00:39 . 2011-07-07 00:39 203776 c:\windows\Installer\9d68ec.msi
+ 2011-07-07 00:38 . 2011-07-07 00:38 675840 c:\windows\Installer\9d68de.msi
+ 2010-11-12 04:49 . 2011-07-10 02:52 4897704 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
- 2010-11-12 04:49 . 2011-07-06 21:42 4897704 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{005C3BD7-7E45-425D-AE16-69460AD19D6b}]
2011-07-08 03:22 357376 ------w- c:\windows\SysWOW64\atiumdva32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2988928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
"{005C3BD7-7E45-425D-AE16-69460AD19D6B}"=hex:51,66,7a,6c,4c,1d,38,12,b9,38,4f,
04,77,30,33,07,d1,00,2a,06,0f,8f,d9,7f
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\programdata\atiumdva32.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
c:\windows\ModLedKey.exe
c:\program files (x86)\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2011-07-09 23:01:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-10 03:01
ComboFix2.txt 2011-07-08 01:53
ComboFix3.txt 2011-07-07 15:32
ComboFix4.txt 2011-07-07 01:45
ComboFix5.txt 2011-07-10 02:32
.
Pre-Run: 398,228,615,168 bytes free
Post-Run: 397,970,735,104 bytes free
.
- - End Of File - - 6F78C94D7F03D2FC745D93FA26045FF7
 

johnb35

Administrator
Staff member
Ok, let's attack this from a different angle.

I need you to run tdsskiller again to make sure we aren't still dealing with a nast

Please do a full system scan with malwarebytes and post the log. Then reboot and do the following.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates, install and then start scanning your system.
When the scan is done, push list of found threats
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply.
If no threats are found then it won't produce a log.
 

M199

New Member
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/10/2011 11:23:10 PM
mbam-log-2011-07-10 (23-23-09).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 357500
Time elapsed: 59 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{005C3BD7-7E45-425D-AE16-69460AD19D6b} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{005C3BD7-7E45-425D-AE16-69460AD19D6B} (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\SysWOW64\atiumdva32.dll (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
c:\Windows\System32\atiumdva32.dll (Trojan.Tracur.PGen) -> Quarantined and deleted successfully.
 

magna86

New Member
@johnb35

According to the last ComboFix log, first he needs to create a new System Restore point, then you allow the following script:
Code:
KillAll::

Driver::
yksvc

File::
c:\programdata\CddbLangJA32.dll
c:\programdata\feclient32.dll
c:\programdata\SMBHelperClass32.dll
c:\programdata\KBDCZ232.dll
c:\programdata\TimeDateMUICallback32.dll
c:\programdata\snmpapi32.dll
c:\programdata\findnetprinters32.dll
c:\programdata\certenc32.dll
c:\programdata\KBDDIV132.dll
c:\windows\SysWow64\MFC7132.exe



CF log after this script should be clean ...

Malwarebytes has just detected an infected BHO that can be seen in the CF logs.

.......

Also check his Master Boot Record (MBR). If the MBR does not belong to the Windows OS, it should be replaced.

Use aswMBR to check the MBR:
http://public.avast.com/~gmerek/aswMBR.htm

If the MBR is not standard or is infected, it is best to replace it with a clean copy using the Recovery Disc:

http://members.rushmore.com/~jsky/id39.html

Code:
bootrec.exe /fixmbr
bootrec.exe /fixboot
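As an added verification step (example code written for this thread, not part of any post above and not from ComboFix, Malwarebytes, ESET or aswMBR): once the script and the scans have run and the machine has rebooted, an elevated 64-bit PowerShell session can re-check every file path, the BHO CLSID and the driver name that appear in the posted logs, so the next reply shows plainly whether anything survived. Only indicators quoted in the thread are used; the Wow6432Node key is assumed to be the 32-bit view of the BHO list on this 64-bit system, and the SHA-256 of any surviving file is printed so the helper can look it up.

```powershell
# Added verification script (not from the thread). Run from an elevated
# 64-bit PowerShell prompt so System32 and SysWOW64 are not redirected.
# Every path, CLSID and driver name below is taken from the posted logs.

$files = @(
    'C:\ProgramData\CddbLangJA32.dll',
    'C:\ProgramData\feclient32.dll',
    'C:\ProgramData\SMBHelperClass32.dll',
    'C:\ProgramData\KBDCZ232.dll',
    'C:\ProgramData\TimeDateMUICallback32.dll',
    'C:\ProgramData\snmpapi32.dll',
    'C:\ProgramData\findnetprinters32.dll',
    'C:\ProgramData\certenc32.dll',
    'C:\ProgramData\KBDDIV132.dll',
    'C:\ProgramData\atiumdva32.exe',
    'C:\Windows\SysWOW64\MFC7132.exe',
    'C:\Windows\SysWOW64\atiumdva32.dll',
    'C:\Windows\System32\atiumdva32.dll'
)

# BHO CLSID reported by Malwarebytes as Trojan.Tracur.PGen.
$clsid = '{005C3BD7-7E45-425D-AE16-69460AD19D6B}'
$regKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    # Assumed 32-bit view of the same BHO list on 64-bit Windows.
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)

$sha256    = [System.Security.Cryptography.SHA256]::Create()
$leftovers = 0

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $leftovers++
        # Hash any survivor so it can be looked up without re-uploading the file.
        $stream = [System.IO.File]::OpenRead($f)
        try {
            $hash = ([BitConverter]::ToString($sha256.ComputeHash($stream))) -replace '-', ''
        } finally {
            $stream.Close()
        }
        Write-Output "STILL PRESENT  $f  SHA256=$hash"
    }
}

foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $leftovers++
        Write-Output "STILL PRESENT  $k"
    }
}

# The ComboFix script also removes the 'yksvc' driver entry; confirm it is gone.
# Get-WmiObject is used because the machine in the thread runs Windows Vista.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='yksvc'"
if ($drv) {
    $leftovers++
    Write-Output ("STILL PRESENT  driver yksvc  state={0}  path={1}" -f $drv.State, $drv.PathName)
}

# Either of these still running means the removal or the reboot did not take.
$running = Get-Process | Where-Object { $_.Name -match '^(atiumdva32|MFC7132)$' }
foreach ($p in $running) {
    $leftovers++
    Write-Output ("STILL RUNNING  {0}  PID={1}" -f $p.Name, $p.Id)
}

if ($leftovers -eq 0) {
    Write-Output 'No leftovers from the thread indicator list were found.'
} else {
    Write-Output "$leftovers leftover item(s); paste the lines above into your next reply."
}
```

Because the script only reads (Test-Path, a file hash, a WMI query and the process list) it is safe to run before and after the reboot; it deliberately does not delete anything, so that removal stays with the tools the helper has already chosen and the log of what it found can be posted as-is.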
Last edited:

M199

New Member
Thought I forgot something.
Here you are

C:\ProgramData\atiumdva32.exe probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Qoobox\Quarantine\[4]-Submit_2011-07-07_20.59.15.zip multiple threats
C:\Qoobox\Quarantine\[4]-Submit_2011-07-09_22.33.47.zip multiple threats
C:\Qoobox\Quarantine\C\ProgramData\atiumdva32.exe.vir probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Qoobox\Quarantine\C\ProgramData\KBDCZ132.dll.vir probably a variant of Win32/TrojanDownloader.Agent.HIVKBDM trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{155ca05c-939f-4003-ad1f-993591e624bd}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{19bf2274-6f60-409f-993d-ac26dd482737}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{49f47bbd-32ed-49c3-82ab-9affdc67d001}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{910a7df3-474a-45ec-b9d1-95dba03b39fd}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{9cfbdb48-7ddf-4789-bec1-1e50ccb17b26}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{b32afd51-1d5c-42eb-9cf2-91f2af93c6dd}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{c4d0a5ac-f947-475b-9a40-139a4c350fa9}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\extensions\{f14115e8-1aab-4400-a2c1-21d1536d6fd9}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Windows\SysWOW64\atiumdva32.dll.vir a variant of Win32/Kryptik.PQF trojan
C:\Users\All Users\atiumdva32.exe probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Users\All Users\Application Data\atiumdva32.exe probably a variant of Win32/TrojanDownloader.Agent.BLHNAIM trojan
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi multiple threats
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi multiple threats
C:\Users\Amanda\Downloads\7artChristmasLand3DInst.exe multiple threats
C:\Users\Amanda\Downloads\moviebar_us_z(2).exe Win32/Toolbar.Zugo application
C:\Users\Amanda\Downloads\moviebar_us_z(3).exe Win32/Toolbar.Zugo application
C:\Users\Amanda\Downloads\moviebar_us_z.exe Win32/Toolbar.Zugo application