
Malware is blocking antispyware programs


  • This topic is locked This topic is locked

#1 Mooka (Member, 12 posts)
Hello, I have some nasty malware on my computer. Somehow it is blocking me from using any antispyware programs: HijackThis, AVG, SuperAntiSpyware, etc. I tried using shortcuts and the files themselves. I can run SmitFraudFix, but it doesn't completely clean everything.

It also blocks my web browsers from going to any spyware removal websites, including geekstogo, AVG or any other site where I might download antispyware programs. I can go to other sites fine, Google or Yahoo, but not any of the sites mentioned. I cannot directly go to www.geekstogo.com or click on a link.

I'm using another computer right now.

Please, help. This is very frustrating. I tried downloading some default registry files that someone told me could help, but they did not work.

Thank You

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Mooka

Welcome to G2Go. :)
=====================
Transfer this program to your infected computer with a flash drive or CD.


Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
===========================================
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Lop check
    • File - Purity Scan
  • Under Basic scans:
    • Rootkit Search - Yes
    • Drivers - Non Microsoft
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Attach the information back here. I will review it when it comes in.

#3 Mooka (Topic Starter, Member, 12 posts)
Hello kahdah,

I cannot run OTScanIt.exe. It's the same as other programs, I double-click it and it does nothing. I downloaded it on a flash drive and put it on my desktop on the infected computer. ATF Cleaner ran fine.

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please rename OTScanIt to Kahdah; you can do that by right-clicking on OTScanIt and choosing Rename.
Try it after that.
If it does not work then try it in Safe Mode.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
========
If it still will not work please let me know.

#5 Mooka (Topic Starter, Member, 12 posts)
Ok, I was able to run OTScanIt in Safe Mode after changing the name to Kahdah.

The report file is attached.


#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> brastk -> %SystemRoot%\system32\brastk.exe [C:\WINDOWS\system32\brastk.exe]
YN -> bwdcnyju -> %AllUsersProfile%\Application Data\bwdcnyju.dll [regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bwdcnyju.dll"]
YN -> orixivkl -> %AllUsersProfile%\Application Data\orixivkl.dll [regsvr32 /u "C:\Documents and Settings\All Users\Application Data\orixivkl.dll"]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> karna.datMirabilis -> %SystemRoot%\system32\karna.dat
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\WINDOWS\shell.exe -> %SystemRoot%\shell.exe [C:\WINDOWS\shell.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\printer.exe -> %SystemRoot%\system32\printer.exe [C:\WINDOWS\system32\printer.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolvs.exe -> %SystemRoot%\system32\spoolvs.exe [C:\WINDOWS\system32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Documents and Settings\Michael\Start Menu\Programs\Startup\findfast.exe -> %UserProfile%\Start Menu\Programs\Startup\findfast.exe [C:\Documents and Settings\Michael\Start Menu\Programs\Startup\findfast.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe -> %AllUsersProfile%\Start Menu\Programs\Startup\autorun.exe [C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe -> %SystemRoot%\system32\winav.exe [%windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\shell.exe -> %SystemRoot%\shell.exe [C:\WINDOWS\shell.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\printer.exe -> %SystemRoot%\system32\printer.exe [C:\WINDOWS\system32\printer.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolvs.exe -> %SystemRoot%\system32\spoolvs.exe [C:\WINDOWS\system32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Michael\Start Menu\Programs\Startup\findfast.exe -> %UserProfile%\Start Menu\Programs\Startup\findfast.exe [C:\Documents and Settings\Michael\Start Menu\Programs\Startup\findfast.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe -> %AllUsersProfile%\Start Menu\Programs\Startup\autorun.exe [C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe:*:Enabled:@xpsp2res.dll,-22019]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe -> %SystemRoot%\system32\winav.exe [%windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019]
[Files/Folders - Created Within 30 days]
NY -> delself.bat -> %SystemRoot%\System32\delself.bat
NY -> karna.dat -> %SystemRoot%\System32\karna.dat
NY -> wini10331.exe -> %SystemRoot%\System32\wini10331.exe
NY -> brastk.exe -> %SystemRoot%\brastk.exe
[Files/Folders - Modified Within 30 days]
NY -> delself.bat -> %SystemRoot%\System32\delself.bat
NY -> svchstb.dll -> %SystemRoot%\System32\svchstb.dll
NY -> wini10331.exe -> %SystemRoot%\System32\wini10331.exe
NY -> brastk.exe -> %SystemRoot%\brastk.exe
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.
===================================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 Mooka (Topic Starter, Member, 12 posts)
kahdah,

I was able to run the OTScanIt fix with no problems. Here is the log:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\bwdcnyju deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\orixivkl deleted successfully.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:karna.datMirabilis .
C:\WINDOWS\system32\karna.dat moved successfully.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\WINDOWS\shell.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\printer.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolvs.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Documents and Settings\Michael\Start Menu\Programs\Startup\findfast.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\shell.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\printer.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolvs.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Michael\Start Menu\Programs\Startup\findfast.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\winav.exe deleted successfully.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\System32\delself.bat moved successfully.
File C:\WINDOWS\System32\karna.dat not found!
C:\WINDOWS\System32\wini10331.exe moved successfully.
C:\WINDOWS\brastk.exe moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\delself.bat not found!
LoadLibrary failed for C:\WINDOWS\System32\svchstb.dll
C:\WINDOWS\System32\svchstb.dll NOT unregistered.
C:\WINDOWS\System32\svchstb.dll moved successfully.
File C:\WINDOWS\System32\wini10331.exe not found!
File C:\WINDOWS\brastk.exe not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Michael\Local Settings\Temp\JET3737.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11262008_205208

Files moved on Reboot...
File C:\Documents and Settings\Michael\Local Settings\Temp\JET3737.tmp not found!



I couldn't run ComboFix normally, like the other programs, but I was able to run it in safe mode. However, in safe mode I was not able to download the Windows Recovery Console. ComboFix continued to run in safe mode and it rebooted my computer. My computer did not reboot in safe mode in the process, but ComboFix continued to run. I hope none of this was a big problem.

ComboFix log:
ComboFix 08-11-26.05 - Michael 2008-11-26 21:06:03.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.236 [GMT -8:00]

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\.rdr.ini
c:\temp\0c2
c:\temp\0c2\tmpFF.log
c:\temp\abW9
c:\temp\abW9\tPho.log
c:\windows\system32\bdeeg.ini
c:\windows\system32\CMMGR32.EXE
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dnwjpfxo.ini
c:\windows\system32\drivers\TDSSmaxt.sys
c:\windows\system32\fgdcgess.ini
c:\windows\system32\hgfmsnbc.ini
c:\windows\system32\hhhkj.ini
c:\windows\system32\jlnmp.ini
c:\windows\system32\jneicnmr.ini
c:\windows\system32\qqtss.ini
c:\windows\system32\rMa02yy
c:\windows\system32\rqtss.ini
c:\windows\system32\sqgdqygm.ini
c:\windows\system32\T4
c:\windows\system32\T6
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\ygliecai.ini
E:\autorun.inf
e:\recycler\Desktop.ini
e:\recycler\restore.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_WINDRIVER
-------\Service_WinDriver


((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-26 20:52 . 2008-11-26 20:52 <DIR> d-------- C:\_OTScanIt
2008-11-24 20:57 . 2007-09-05 22:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-24 20:57 . 2008-05-18 19:40 260,096 --a------ c:\windows\system32\IEDFix.exe
2008-11-24 20:57 . 2008-10-01 13:51 133,632 --a------ c:\windows\system32\VACFix.exe
2008-11-24 20:57 . 2008-10-10 06:58 96,256 --a------ c:\windows\system32\o4Patch.exe
2008-11-24 20:57 . 2008-10-10 06:58 96,256 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-24 20:57 . 2008-08-18 10:19 95,744 --a------ c:\windows\system32\404Fix.exe
2008-11-24 20:57 . 2007-10-03 22:36 39,936 --a------ c:\windows\system32\WS2Fix.exe
2008-11-24 19:46 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-24 19:46 . 2003-06-05 20:13 131,072 --a------ c:\windows\system32\Process.exe
2008-11-24 19:46 . 2004-07-31 17:50 61,952 --a------ c:\windows\system32\dumphive.exe
2008-11-24 17:44 . 2001-08-28 12:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-11-24 17:44 . 2008-11-24 17:44 132 --a------ c:\windows\system32\3.tmp
2008-11-24 17:44 . 2008-11-24 17:44 64 --a------ c:\windows\system32\edl.dat
2008-11-24 17:44 . 2008-11-24 17:44 0 --a------ c:\windows\system32\7.tmp
2008-11-23 21:49 . 2008-11-23 21:49 48 --a------ c:\windows\system32\B.tmp
2008-11-23 21:49 . 2008-11-23 21:49 0 --a------ c:\windows\system32\D.tmp
2008-11-23 21:27 . 2008-11-23 21:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 21:27 . 2008-11-23 21:27 <DIR> d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
2008-11-23 21:27 . 2008-11-23 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 21:27 . 2008-10-26 21:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 21:27 . 2008-10-26 21:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-23 18:44 . 2008-11-23 18:44 48 --a------ c:\windows\system32\3E8.tmp
2008-11-23 18:44 . 2008-11-23 18:44 0 --a------ c:\windows\system32\3EA.tmp
2008-11-05 08:37 . 2008-11-05 08:37 32,261 --a------ c:\windows\system32\netdata.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 04:58 --------- d-----w c:\program files\Google
2008-11-25 00:43 --------- d-----w c:\documents and settings\Michael\Application Data\uTorrent
2008-11-24 04:25 --------- d-----w c:\program files\Diablo
2008-11-19 05:50 --------- d-----w c:\program files\Full Tilt Poker
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-08-28 01:11 2,829 ----a-w c:\windows\DiabUnin.pif
2008-08-28 01:11 131,072 ----a-w c:\windows\DiabUnin.exe
2007-11-19 20:00 38,800 ----a-w c:\documents and settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
2007-07-19 18:44 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2007-06-13 02:23 1043968 400b7a5018a424378e47017c5b2ec221 c:\windows\explorer.exe
2007-06-13 03:26 1043968 42a709d6e6622bc566dc9be32b146a0d c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-10 03:00 1042944 5d89aea892d4bd8fb841c3a4d26d1120 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 16:12 1044480 25a6c2e8fb77708a5150db0b99e0aee3 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2007-06-13 02:23 1043968 455f442e325df10f58f6d396b6561f6f c:\windows\system32\dllcache\explorer.exe

2008-04-13 16:12 26112 d9cc135cd3676918d4ace56cd30e9eec c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2004-08-10 03:00 26112 ede0a1eb9a8d92787bc2d8928e9f3135 c:\windows\system32\ctfmon.exe

2008-04-13 16:12 121856 b08ce8528eb488ebc02836bac21c47c9 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe
2008-10-16 14:09 51224 c7abd7cfda6a1ae6caa0c18b2a50f349 c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51224 c7abd7cfda6a1ae6caa0c18b2a50f349 c:\windows\system32\dllcache\wuauclt.exe

2008-04-13 16:12 36864 7fb979648ba612c0ae40213f976defa5 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2004-08-10 03:00 101376 244a740a7532116612be749e2544abf2 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1770496]
"System configuration backup"="c:\recycler\S-1-5-21-4212517438-3617688452-882134386-3886\sysdate.exe" [2008-11-25 76764]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 266240]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 397312]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 131072]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 360448]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 159744]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 117248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 425984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"netconfig"="c:\windows\system32\netdata.exe" [2008-11-05 32261]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-03 102400]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 10:39 282624 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\Cool - Auto Update.lnk
backup=c:\windows\pss\Cool - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2005-08-31 09:06 151552 c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 00:04 343552 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-05 23:05 237627 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1770496 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-12-08 13:55 3174400 c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Michael\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Documents and Settings\\Michael\\Desktop\\snes\\ZSNESW1.36.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCG-11CF-AAX5-81CX5C625612}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A0A5803C-6342-B04B-54A9-6A0D530450CD}]
c:\windows\system32\netdata.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{ABADC07C-9990-405a-AA24-2C209B50AE79} - svchstb.dll
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe
MSConfigStartUp-OE_OEM - c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 12\pccguide.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\qn8th9qp.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 21:11:16
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
netconfig = c:\windows\system32\netdata.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-26 21:15:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-27 05:15:34
ComboFix2.txt 2007-11-15 01:51:21

Pre-Run: 2,757,898,240 bytes free
Post-Run: 2,773,729,280 bytes free

235 --- E O F --- 2008-11-13 11:02:24
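The ComboFix log above records the persistence and tampering the helper is working through: a Run value launching from c:\recycler, both Security Center notifications disabled, the Standard-profile firewall switched off, and an AutoRun command registered for drive E:. As an added example, not code from the thread or from ComboFix, this Python script parses a copy of that Reg Loading Points section and flags those four patterns; the directory list and the finding names are the example's own assumptions.

```python
"""Offline triage of a ComboFix "Reg Loading Points" section (added example)."""
import re

# Constructed sample: a subset of the Reg Loading Points section from the
# ComboFix log posted above, reproduced verbatim.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1770496]
"System configuration backup"="c:\recycler\S-1-5-21-4212517438-3617688452-882134386-3886\sysdate.exe" [2008-11-25 76764]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 266240]
"netconfig"="c:\windows\system32\netdata.exe" [2008-11-05 32261]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.+)$')
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]+)"')
# ComboFix prints DWORDs either as REGEDIT "dword:XXXXXXXX" or as "N (0xN)".
DWORD_RE = re.compile(r"^(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))$")

# Assumed policy: a Run value should never launch from these locations. The
# thread's sysdate.exe lives under c:\recycler and the OTScanIt fix removed
# Startup-folder executables. A random name in system32 (netdata.exe) needs
# another signal, such as the hash checks in the Sigcheck section.
UNTRUSTED_DIRS = ("\\recycler\\", "\\start menu\\programs\\startup\\", "\\temp\\")


def parse_blocks(text):
    """Split the section into (key, [lines]) pairs, one per [key] header."""
    blocks, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                blocks.append((key, lines))
            key, lines = m.group(1), []
        elif key is not None:
            lines.append(line)
    if key is not None:
        blocks.append((key, lines))
    return blocks


def dword_value(data):
    """Return the integer behind a DWORD rendering, or None if not a DWORD."""
    m = DWORD_RE.match(data.strip())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def triage(text):
    """Return (kind, key, name, detail) findings for the four patterns."""
    findings = []
    for key, lines in parse_blocks(text):
        lkey = key.lower()
        for line in lines:
            m = VALUE_RE.match(line)
            if m:
                name, data = m.group("name"), m.group("data")
                if lkey.endswith("\\currentversion\\run"):
                    p = QUOTED_PATH_RE.match(data)
                    path = (p.group("path") if p else data).lower()
                    if any(d in path for d in UNTRUSTED_DIRS):
                        findings.append(("run-from-untrusted-dir", key, name, path))
                elif lkey.endswith("\\security center") and name.lower().endswith("disablenotify"):
                    if dword_value(data) == 1:
                        findings.append(("security-center-notify-disabled", key, name, data))
                elif lkey.endswith("\\firewallpolicy\\standardprofile") and name == "EnableFirewall":
                    if dword_value(data) == 0:
                        findings.append(("firewall-disabled", key, name, data))
            elif "\\mountpoints2\\" in lkey and line.lower().startswith("\\shell\\autorun\\command"):
                # AutoRun handler for a mounted volume: what ran setup.exe from E:
                findings.append(("autorun-on-mountpoint", key, "AutoRun", line.split(" - ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for kind, key, name, detail in triage(SAMPLE):
        print(f"{kind:32} {name!r:32} {detail}")
```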

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

c:\windows\explorer.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\userinit.exe


Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

#9
Mooka

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
File explorer.exe received on 11.27.2008 14:45:57 (CET)
Current status: finished
Result: 31/37 (83.78%)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.27.4 2008.11.27 -
AntiVir 7.9.0.35 2008.11.27 W32/Virut.U
Authentium 5.1.0.4 2008.11.27 W32/Virut.10496
Avast 4.8.1281.0 2008.11.27 Win32:Virut
AVG 8.0.0.199 2008.11.27 Win32/Virut
BitDefender 7.2 2008.11.27 Win32.Virtob.Gen.9
CAT-QuickHeal 10.00 2008.11.27 W32.Virut.D
ClamAV 0.94.1 2008.11.27 W32.Virut.Gen.C-16
DrWeb 4.44.0.09170 2008.11.27 Win32.Virut.5
eSafe 7.0.17.0 2008.11.27 -
eTrust-Vet 31.6.6233 2008.11.27 Win32/Virut.10494
Ewido 4.0 2008.11.27 -
F-Prot 4.4.4.56 2008.11.27 W32/Virut.10496
F-Secure 8.0.14332.0 2008.11.27 Virus.Win32.Virut.n
Fortinet 3.117.0.0 2008.11.27 W32/Virut.G
GData 19 2008.11.27 Win32.Virtob.Gen.9
Ikarus T3.1.1.45.0 2008.11.27 Trojan.Win32.Patched
K7AntiVirus 7.10.534 2008.11.26 Virus.Win32.Virut.Generic
Kaspersky 7.0.0.125 2008.11.27 Virus.Win32.Virut.n
McAfee 5446 2008.11.26 W32/Virut.gen
McAfee+Artemis 5446 2008.11.26 W32/Virut.gen
Microsoft 1.4104 2008.11.27 Virus:Win32/Virut.AF
NOD32 3645 2008.11.27 Win32/Virut.O
Norman 5.80.02 2008.11.26 W32/Virut.N
Panda 9.0.0.4 2008.11.27 W32/Virutas.gen
PCTools 4.4.2.0 2008.11.27 Win32.Virut.Gen.5
Prevx1 V2 2008.11.27 -
Rising 21.05.32.00 2008.11.27 Win32.Virut.GEN
SecureWeb-Gateway 6.7.6 2008.11.27 Win32.Virut.U
Sophos 4.35.0 2008.11.27 W32/Vetor-A
Sunbelt 3.1.1832.2 2008.11.27 -
Symantec 10 2008.11.27 W32.Virut.U
TheHacker 6.3.1.1.164 2008.11.27 W32/Virut.q
TrendMicro 8.700.0.1004 2008.11.27 PE_VIRUT.XL-3
VBA32 3.12.8.9 2008.11.26 -
ViRobot 2008.11.27.1489 2008.11.27 Win32.Virut.G
VirusBuster 4.5.11.0 2008.11.26 Win32.Virut.Gen.5
Additional information
File size: 1043968 bytes
MD5...: 400b7a5018a424378e47017c5b2ec221
SHA1..: ab0c30d01a89a79f11b5f3bea483c2efcf230da5
SHA256: 91563ed53133b1c0ab00d2bb9c9fd87bff7ca4ecf17278699820438da89e579f
SHA512: e4d3182601fcf5ce50aa9b9df6d83f61bee4a31efc721a1cbbc72d09e37eda3bf1be5f786e51fc31b1cd67ac8bf55a2af4195adc54c11531b9f73b682eb0225b
ssdeep: 12288:eRFHB/IwCDrA6FWVz0v/1oHWr2Rkf8I+skzaz1/g/J/vHyM/:ezhQwCDE6FCOLakf8I+sko1/g/J//yk
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x101a8ce
timedatestamp.....: 0xa0a0a0a0L (invalid)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44ad9 0x44c00 6.36 84408e6eef820cc801b8ddf30a7e0929
.data 0x46000 0x1db4 0x1800 1.30 25fdde5ea7a06e94390eb8773b825a55
.rsrc 0x48000 0xb2278 0xb2400 6.63 b82ace172bfa53b11b99e63c7ac67c26
.reloc 0xfb000 0xb800 0x6200 7.49 1cfef3b19d86a730debaae4745c920f0

( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, SetTextColor, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, CreateRectRgnIndirect, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, RegisterWaitForSingleObject, OpenEventW, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, DelayLoadFailureHook, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, GetFileAttributesExW, MulDiv, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, 
InitializeCriticalSectionAndSpinCount
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, ShellExecuteExW, -, -, -, -, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, SHGetSpecialFolderLocation, -, -, -, -, SHGetSpecialFolderPathW, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, CopyRect, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, PtInRect, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, ModifyMenuW, CreateWindowExW, DialogBoxParamW, 
MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )

File ctfmon.exe received on 11.27.2008 14:47:52 (CET)
Current status: finished
Result: 34/37 (91.89%)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.27.4 2008.11.27 Win32/Virut.C
AntiVir 7.9.0.35 2008.11.27 W32/Virut.U
Authentium 5.1.0.4 2008.11.27 W32/Virut.10496
Avast 4.8.1281.0 2008.11.27 Win32:Virut
AVG 8.0.0.199 2008.11.27 Win32/Virut
BitDefender 7.2 2008.11.27 Win32.Virtob.Gen.9
CAT-QuickHeal 10.00 2008.11.27 W32.Virut.D
ClamAV 0.94.1 2008.11.27 W32.Virut.Gen.C-99
DrWeb 4.44.0.09170 2008.11.27 Win32.Virut.5
eSafe 7.0.17.0 2008.11.27 -
eTrust-Vet 31.6.6233 2008.11.27 Win32/Virut.10494
Ewido 4.0 2008.11.27 -
F-Prot 4.4.4.56 2008.11.27 W32/Virut.10496
F-Secure 8.0.14332.0 2008.11.27 Virus.Win32.Virut.n
Fortinet 3.117.0.0 2008.11.27 W32/MetaCrypt.2
GData 19 2008.11.27 Win32.Virtob.Gen.9
Ikarus T3.1.1.45.0 2008.11.27 Virus.Win32.Virut.q
K7AntiVirus 7.10.534 2008.11.26 Virus.Win32.Virut.Generic
Kaspersky 7.0.0.125 2008.11.27 Virus.Win32.Virut.n
McAfee 5446 2008.11.26 W32/Virut.gen
McAfee+Artemis 5446 2008.11.26 W32/Virut.gen
Microsoft 1.4104 2008.11.27 Virus:Win32/Virut.AF
NOD32 3645 2008.11.27 Win32/Virut.O
Norman 5.80.02 2008.11.26 W32/Virut.N
Panda 9.0.0.4 2008.11.27 W32/Virutas.gen
PCTools 4.4.2.0 2008.11.27 Win32.Virut.Gen.5
Prevx1 V2 2008.11.27 -
Rising 21.05.32.00 2008.11.27 Win32.Virut.aw
SecureWeb-Gateway 6.7.6 2008.11.27 Win32.Virut.U
Sophos 4.35.0 2008.11.27 W32/Vetor-A
Sunbelt 3.1.1832.2 2008.11.27 Win32.Virut.xl (v)
Symantec 10 2008.11.27 W32.Virut.U
TheHacker 6.3.1.1.164 2008.11.27 W32/Virut.q
TrendMicro 8.700.0.1004 2008.11.27 PE_VIRUT.XL-1
VBA32 3.12.8.9 2008.11.26 Virus.Win32.Virut.f
ViRobot 2008.11.27.1489 2008.11.27 Win32.Virut.G
VirusBuster 4.5.11.0 2008.11.26 Win32.Virut.Gen.5
Additional information
File size: 26112 bytes
MD5...: ede0a1eb9a8d92787bc2d8928e9f3135
SHA1..: c6b0d0e81e64c62f19e8eebed24bf3e73985c9dc
SHA256: 2d116a2142b355da0e2d8e77edc899b3e1b153da74c0d73a186e146605651717
SHA512: 0ed97b445c29751285d754d4e090cb741a8a8e6df9bda4a5d1f241b97846329bbfbb220382a069fde0309648598713c2ec558d62ebdd707f7867e6ffd5b32c3e
ssdeep: 768:3AJpITIaWh9gn+16oJwYGKHUX9LCc8DuB:3AY/ig+1Z9LHUX9LCc8DK
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x405a00
timedatestamp.....: 0xa0a0a0a0L (invalid)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2ab8 0x2c00 6.75 d34df1f2640fde4abe70f6471c488040
.data 0x4000 0x210 0x200 1.07 bd8c5cd346a9f53dc0dbc69260ab2240
.rsrc 0x5000 0x8a00 0x3400 7.58 64b031dbb5ea584a8a2295280d106e89

( 6 imports )
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit
> ADVAPI32.dll: RegDeleteValueA, RegOpenKeyExA, RegCloseKey, RegSetValueExA, RegCreateKeyA, RegCreateKeyExA
> KERNEL32.dll: lstrcpynA, lstrlenA, GetSystemDirectoryA, GetSystemWindowsDirectoryA, GetVersionExA, GetACP, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LocalFree, CloseHandle, ResetEvent, OpenEventA, CreateProcessA, lstrcatA, GetSystemInfo, lstrcmpiA, FreeLibrary, LoadLibraryA, CreateEventA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, LocalAlloc, GetProcAddress
> USER32.dll: EnumWindows, GetClassNameA, FindWindowA, PostMessageA, SetTimer, KillTimer, MsgWaitForMultipleObjects, PeekMessageA, TranslateMessage, DispatchMessageA, GetMessageA, SetWindowPos, LoadCursorA, RegisterClassExA, DefWindowProcA, PostQuitMessage, CreateWindowExA, GetSystemMetrics
> MSCTF.dll: TF_InitSystem, TF_GetGlobalCompartment, TF_InvalidAssemblyListCacheIfExist, TF_InvalidAssemblyListCache, TF_PostAllThreadMsg, TF_CreateCicLoadMutex, TF_UninitSystem
> MSUTB.dll: ClosePopupTipbar, GetPopupTipbar

( 0 exports )

Current status: finished
Result: 2/37 (5.41%)

Antivirus Version Last Update Result
AhnLab-V3 2008.11.27.4 2008.11.27 -
AntiVir 7.9.0.35 2008.11.27 -
Authentium 5.1.0.4 2008.11.27 -
Avast 4.8.1281.0 2008.11.27 -
AVG 8.0.0.199 2008.11.27 -
BitDefender 7.2 2008.11.27 -
CAT-QuickHeal 10.00 2008.11.27 -
ClamAV 0.94.1 2008.11.27 -
DrWeb 4.44.0.09170 2008.11.27 -
eSafe 7.0.17.0 2008.11.27 -
eTrust-Vet 31.6.6233 2008.11.27 -
Ewido 4.0 2008.11.27 -
F-Prot 4.4.4.56 2008.11.27 -
F-Secure 8.0.14332.0 2008.11.27 Suspicious:W32/SCKeyLog!Gemini
Fortinet 3.117.0.0 2008.11.27 -
GData 19 2008.11.27 -
Ikarus T3.1.1.45.0 2008.11.27 -
K7AntiVirus 7.10.536 2008.11.27 -
Kaspersky 7.0.0.125 2008.11.27 -
McAfee 5447 2008.11.27 -
McAfee+Artemis 5446 2008.11.26 -
Microsoft 1.4104 2008.11.27 -
NOD32 3646 2008.11.27 -
Norman 5.80.02 2008.11.27 -
Panda 9.0.0.4 2008.11.27 -
PCTools 4.4.2.0 2008.11.27 -
Prevx1 V2 2008.11.27 -
Rising 21.05.32.00 2008.11.27 -
SecureWeb-Gateway 6.7.6 2008.11.27 -
Sophos 4.35.0 2008.11.27 -
Sunbelt 3.1.1832.2 2008.11.27 -
Symantec 10 2008.11.27 -
TheHacker 6.3.1.1.165 2008.11.27 -
TrendMicro 8.700.0.1004 2008.11.27 -
VBA32 3.12.8.9 2008.11.27 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2008.11.27.1489 2008.11.27 -
VirusBuster 4.5.11.0 2008.11.27 -
Additional information
File size: 51224 bytes
MD5...: c7abd7cfda6a1ae6caa0c18b2a50f349
SHA1..: 42f0eef83eaf617f89630f8c96c2b487b537e9c8
SHA256: 8ec0d50b82d8eb28ee0ef62002d5cccbfae65cd14f7ba2c8669c527aa6b0cd04
SHA512: 001ddc34b43634ca4df5dba49d3c91df6a0822bdc76ee0f317119a7b3ffe92be57a08b53672a1d46ae0ed8d822c632cdc67a4c8666c093f7333c4253c4d87caa
ssdeep: 768:e53FKsUAg+c6uzJBXJDy0g1FX3vxBytplKKEf/jKv:sLcDzfXSh/x0Pq/k
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4042dd
timedatestamp.....: 0x48f7aa62 (Thu Oct 16 20:56:02 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8c84 0x8e00 6.00 dbf65b54e3f456d05e8a50068f958b51
.data 0xa000 0xd54 0x400 5.81 aea75c550ab527cbfba56bc33d16ea93
.rsrc 0xb000 0x7b8 0x800 4.55 6daa37f1a45c1959bcc0022df0317156
.reloc 0xc000 0xc8a 0xe00 3.10 56fa4b399c6d09575836259c52cf6c40

( 6 imports )
> KERNEL32.dll: CreateFileW, CreateDirectoryW, GetFileAttributesW, ExpandEnvironmentStringsW, lstrlenW, CreateProcessW, VerSetConditionMask, VerifyVersionInfoW, LoadLibraryW, OutputDebugStringW, WriteFile, FlushFileBuffers, GetModuleFileNameW, InterlockedIncrement, InterlockedDecrement, GetSystemTime, GetLastError, SetLastError, GetFileSize, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, SetFilePointer, SetEndOfFile, ReleaseMutex, WaitForSingleObject, CreateMutexW, CloseHandle, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, RtlUnwind, GetStartupInfoW, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, GetSystemDirectoryW, LoadLibraryExW, GetDriveTypeW, GetVolumePathNameW, GetFileType, GetSystemInfo, GetModuleHandleW, CompareStringW, GetProcessHeap, HeapFree, HeapAlloc, GetCommandLineW, FreeLibrary, OpenEventW, GetProcAddress, WideCharToMultiByte, InterlockedExchange, Sleep, InterlockedCompareExchange
> msvcrt.dll: __dllonexit, _unlock, _controlfp, _terminate@@YAXXZ, free, malloc, memmove, memcpy, memset, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _lock, _cexit, __wgetmainargs, _vsnwprintf, _onexit, _exit
> ole32.dll: CoTaskMemFree, CoUninitialize, CoCreateInstance, CoInitialize, CoInitializeEx
> ADVAPI32.dll: AllocateAndInitializeSid, FreeSid, GetTokenInformation, DuplicateTokenEx, CheckTokenMembership, IsValidSid, CopySid, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, GetUserNameW, GetLengthSid, InitializeAcl, AddAccessAllowedAce, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOpenKeyExW, RegCloseKey
> OLEAUT32.dll: -, -
> SHLWAPI.dll: StrRChrW, -, PathStripToRootW, PathIsRelativeW, StrChrW, PathIsRootW, PathIsUNCW

( 0 exports )

File userinit.exe received on 11.27.2008 20:19:56 (CET)
Current status: finished
Result: 34/37 (91.9%)

Antivirus Version Last Update Result
AhnLab-V3 2008.11.27.4 2008.11.27 Win32/Virut.C
AntiVir 7.9.0.35 2008.11.27 W32/Virut.U
Authentium 5.1.0.4 2008.11.27 W32/Virut.10496
Avast 4.8.1281.0 2008.11.27 Win32:Virut
AVG 8.0.0.199 2008.11.27 Win32/Virut
BitDefender 7.2 2008.11.27 Win32.Virtob.Gen.9
CAT-QuickHeal 10.00 2008.11.27 W32.Virut.D
ClamAV 0.94.1 2008.11.27 W32.Virut.Gen.C-50
DrWeb 4.44.0.09170 2008.11.27 Win32.Virut.5
eSafe 7.0.17.0 2008.11.27 -
eTrust-Vet 31.6.6233 2008.11.27 Win32/Virut.10494
Ewido 4.0 2008.11.27 -
F-Prot 4.4.4.56 2008.11.27 W32/Virut.10496
F-Secure 8.0.14332.0 2008.11.27 Virus.Win32.Virut.n
Fortinet 3.117.0.0 2008.11.27 W32/MetaCrypt.1
GData 19 2008.11.27 Win32.Virtob.Gen.9
Ikarus T3.1.1.45.0 2008.11.27 Virus.Win32.Virut.q
K7AntiVirus 7.10.536 2008.11.27 Virus.Win32.Virut.Generic
Kaspersky 7.0.0.125 2008.11.27 Virus.Win32.Virut.n
McAfee 5447 2008.11.27 W32/Virut.gen
McAfee+Artemis 5446 2008.11.26 W32/Virut.gen
Microsoft 1.4104 2008.11.27 Virus:Win32/Virut.AF
NOD32 3646 2008.11.27 Win32/Virut.O
Norman 5.80.02 2008.11.27 W32/Virut.N
Panda 9.0.0.4 2008.11.27 W32/Virutas.gen
PCTools 4.4.2.0 2008.11.27 Win32.Virut.Gen.5
Prevx1 V2 2008.11.27 -
Rising 21.05.32.00 2008.11.27 Win32.Virut.aw
SecureWeb-Gateway 6.7.6 2008.11.27 Win32.Virut.U
Sophos 4.35.0 2008.11.27 W32/Vetor-A
Sunbelt 3.1.1832.2 2008.11.27 Win32.Virut.xl (v)
Symantec 10 2008.11.27 W32.Virut.U
TheHacker 6.3.1.1.165 2008.11.27 W32/Virut.q
TrendMicro 8.700.0.1004 2008.11.27 PE_VIRUT.XL-4
VBA32 3.12.8.9 2008.11.27 Virus.Win32.Virut.f
ViRobot 2008.11.27.1489 2008.11.27 Win32.Virut.G
VirusBuster 4.5.11.0 2008.11.27 Win32.Virut.Gen.5
Additional information
File size: 101376 bytes
MD5...: 244a740a7532116612be749e2544abf2
SHA1..: 2a8a3966c2ffb4678831c677246b6decf6e916cb
SHA256: dec051a43a45b09de17b0287780ab0ab4c1362711bb3c04f477b55142f32e5f5
SHA512: 9f6e0f77ff0e84fc7c517d1b2718c6dd111fb0a013ee304145b909fa289ab0a9a18665d06c0f0d7f035235c28ca99a3599d91ca1b74e002f67b4ec1080da6794
ssdeep: 1536:tJRxIEVBvT2aLarPUO7c/JoHubFhd6xmRqoISVMMd:tJRxI0JYPUO7cVwxmRqHSV
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100fc00
timedatestamp.....: 0xa0a0a0a0L (invalid)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4db8 0x4e00 6.01 c14f5a77277e38c1c8f1c529d870d350
.data 0x6000 0x14c 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
.rsrc 0x7000 0x18c00 0x13800 4.29 724257f8975db04fb9332025e1abd9fb

( 7 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
> KERNEL32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW

( 0 exports )

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Bad news: you have a file infector virus that has already infected most of your files.
We can clean this machine, but I cannot guarantee good results or even a bootable machine after the cleaning.
But it could still be a good result after cleaning as well.
But if you want to give it a shot, then we will continue; if you do not want to risk it, then you will need to reinstall Windows.

Let me know what you want to do.
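The PEInfo blocks in the scan reports above show the two symptoms that kahdah's file-infector diagnosis rests on: a TimeDateStamp the scanner reports as invalid (0xa0a0a0a0), and in ctfmon.exe and userinit.exe an entry point that falls inside the high-entropy .rsrc section rather than .text (for ctfmon.exe the reported entry 0x405a00 lands in .rsrc at RVA 0x5000 if, as this example assumes, the image base is 0x400000). The Python below is an added example, not code from the thread, from ComboFix or from VirusTotal: a minimal PE32 header parser plus a triage function that reports exactly those symptoms. The sample image it builds is constructed here and only mimics the section layout reported for ctfmon.exe (it contains no real code); the 0x400000 image base and the 7.0 entropy threshold are assumptions of the example.

```python
"""Triage a PE32 file for the file-infector symptoms visible in the reports above:
an entry point outside .text (here: inside .rsrc) and an invalid TimeDateStamp.
Added example, standard library only; make_sample_pe() is a constructed image."""
import math
import struct
import time


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the DOS header, IMAGE_FILE_HEADER, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsec):                               # 40-byte IMAGE_SECTION_HEADERs
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
            "entropy": round(entropy(data[rptr:rptr + rsize]), 2),
        })
    return {"machine": machine, "timestamp": timestamp, "entry_rva": entry_rva,
            "image_base": image_base, "sections": sections}


def section_of(pe: dict, rva: int):
    """Return the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def triage(pe: dict, now: int = None) -> list:
    """Findings typical of a file infector; an empty list means nothing looked odd."""
    now = int(time.time()) if now is None else now
    findings = []
    ts = pe["timestamp"]
    if ts == 0 or ts > now:                              # 0xa0a0a0a0 is far in the future
        findings.append(f"TimeDateStamp 0x{ts:08x} is zero or lies in the future")
    va = pe["image_base"] + pe["entry_rva"]
    sec = section_of(pe, pe["entry_rva"])
    if sec is None:
        findings.append(f"entry point 0x{va:08x} is outside every section")
    else:
        if sec["name"] != ".text":
            findings.append(f"entry point 0x{va:08x} lies in {sec['name']}, not in .text")
        if sec["entropy"] > 7.0:                         # threshold is an assumption
            findings.append(f"entry section {sec['name']} has entropy {sec['entropy']} "
                            "(packed or encrypted code?)")
    return findings


def make_sample_pe(entry_rva: int = 0x5A00, timestamp: int = 0xA0A0A0A0) -> bytes:
    """Constructed minimal PE32 mimicking the ctfmon.exe layout reported above (no real code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase (assumed)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # Section/FileAlignment
    text_raw = b"\x90" * 0x200                                   # low-entropy filler
    rsrc_raw = bytes(range(256)) * 16                            # uniform bytes, entropy 8.0
    sec = lambda name, vsize, vaddr, rsize, rptr, flags: struct.pack(
        "<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt)
               + sec(b".text", 0x2AB8, 0x1000, len(text_raw), 0x200, 0x60000020)
               + sec(b".rsrc", 0x8A00, 0x5000, len(rsrc_raw), 0x400, 0x40000040))
    return headers.ljust(0x200, b"\0") + text_raw + rsrc_raw


if __name__ == "__main__":
    for finding in triage(parse_pe(make_sample_pe())):
        print(finding)
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pe`. A finding is a reason to compare the file's hash with a known-good copy from installation media or a clean machine, not proof of infection by itself: packers and some legitimate installers also move the entry point and raise section entropy.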

#11
Mooka

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Bummer. :)

I'm going to just completely reinstall windows.

Is this going to prevent me from backing up files? Like on an external hard drive?

#12
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes, it can transfer to a removable drive; better to back up only non-.exe files, as that is what it infects.
Let me know if you need any further assistance and we will close this thread.
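Kahdah's advice above (copy only non-executable files to the external drive) can be automated so that nothing slips through under a misleading name. The Python below is an added example and not code from the thread: it walks a source folder and copies everything except files that are Windows executables, deciding by the MZ/PE signature in the file header as well as by extension, because an infected host can be a .scr, a DLL or an .exe that was renamed. The sample tree it builds (`notes.txt`, `tool.exe`, a PE disguised as `photo.jpg`, and a text file that merely begins with "MZ") is constructed here; the extension list is an assumption of the example.

```python
"""Back up a folder while skipping every Windows executable, judged by the MZ/PE
signature rather than by the extension alone. Added example; sample tree constructed."""
import os
import shutil
import struct
import tempfile

# Extensions that are executables by convention (assumed list, extend to taste).
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl", ".drv"}


def is_pe_file(path: str) -> bool:
    """True if the file starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def should_skip(path: str) -> bool:
    """Skip by extension first (cheap), then by header (catches renamed executables)."""
    ext = os.path.splitext(path)[1].lower()
    return ext in PE_EXTENSIONS or is_pe_file(path)


def backup_tree(src: str, dst: str) -> dict:
    """Copy src into dst without executables; returns relative paths copied and skipped."""
    report = {"copied": [], "skipped": []}
    for root, _dirs, files in os.walk(src):
        target_root = os.path.join(dst, os.path.relpath(root, src))
        os.makedirs(target_root, exist_ok=True)
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, src).replace(os.sep, "/")
            if should_skip(path):
                report["skipped"].append(rel)
            else:
                shutil.copy2(path, os.path.join(target_root, name))
                report["copied"].append(rel)
    return report


def make_sample_tree(base: str) -> None:
    """Constructed sample: a document, a real-looking exe, a renamed exe and an MZ text file."""
    os.makedirs(os.path.join(base, "docs"), exist_ok=True)
    pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 64
    with open(os.path.join(base, "docs", "notes.txt"), "w") as f:
        f.write("quarterly notes\n")
    with open(os.path.join(base, "tool.exe"), "wb") as f:
        f.write(pe)
    with open(os.path.join(base, "docs", "photo.jpg"), "wb") as f:
        f.write(pe)                                  # executable hiding behind a .jpg name
    with open(os.path.join(base, "docs", "readme.md"), "w") as f:
        f.write("MZ is just text here\n")            # starts with MZ but is not a PE


def demo() -> dict:
    """Run the backup on the constructed tree and confirm the copies exist."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "backup")
        make_sample_tree(src)
        report = backup_tree(src, dst)
        report["verified"] = all(os.path.exists(os.path.join(dst, p)) for p in report["copied"])
        return report


if __name__ == "__main__":
    result = demo()
    print("copied:", result["copied"])
    print("skipped:", result["skipped"])
```

Point `backup_tree` at the user profile and the external drive to use it for real. The header check is what matters: a file infector does not care what the host is called, so an extension filter alone would carry the disguised `photo.jpg` onto the backup drive.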

#13
Mooka

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ok, will not back up any executable files.


Thank you so much for your help.

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





