C:\WINDOWS\GQSFX.KTC

Avast keeps telling me this is Win32:Trojan-gen when I try to activate sound icon in the tray.

Each time I’ve moved it to the chest; when I click again, it’s back.

Is this really a Trojan, or a false positive? Earlier I had to “Start” Windows Audio in Services, even though it was set for “Automatic”.

Just now, went back to Services to see if it was still “on”. Yes, it is. Went to the Dependencies tab, and Avast popped up again! Same warning. Got a couple services in that tab – when I touch the screen, Avast pops up again!

Should I delete the above in the title of this post? What if the system needs it? Is this a legit file?

Have you got that file name correct (gqsfx.ktc)? A Google search for that returns zero hits, and for a file in the Windows folder I would have expected many hits, so to me that is suspicious.

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

What was the malware name (also in the above location) ?

You could also check the offending/suspect file at VirusTotal (multi-engine online virus scanner) and report the findings here; post the URL in the address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate.

Hi guys,

You have a Daonol infection. It’s a good detection by Avast.

We’ll need a couple of tools.

Please download DaonolFix from the link below and save it to your Desktop
Download Mirror #1
Double-click DaonolFix.exe to run it.
Select 1. Find Daonol (no fix) by typing 1 and pressing Enter.
You will see a lot of files being listed - don’t worry, they are just being scanned.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called DaonolFix.txt).

And

Download and save to your desktop Malwarebytes Anti-Malware

Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select “Perform Quick Scan”, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post both logs. If you are blocked from downloading MBAM, please post the DaonolFix log and we’ll continue.

The Avast log shows it was detected 10 times so far, even though at each warning, I moved it to the Chest:
Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\GQSFX.KTC” file.

I browsed to the WINDOWS folder and found 2 versions, one with .ktc and the other with .ktcx.

Both are 29 KB, both created 3/31/2003 (same date as my explorer.exe created) and modified on 4/16/2007.

Here are the results of the scan:
http://www.virustotal.com/analisis/ff7ce3834cff560b477b32bbabc649c0

Result: 6/40 (15%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.25 -
AhnLab-V3 5.0.0.2 2009.04.24 -
AntiVir 7.9.0.156 2009.04.24 -
Antiy-AVL 2.0.3.1 2009.04.24 -
Authentium 5.1.2.4 2009.04.24 -
Avast 4.8.1335.0 2009.04.25 Win32:Trojan-gen {Other}
AVG 8.5.0.287 2009.04.24 Agent
BitDefender 7.2 2009.04.25 -
CAT-QuickHeal 10.00 2009.04.23 -
ClamAV 0.94.1 2009.04.25 -
Comodo 1133 2009.04.24 -
DrWeb 4.44.0.09170 2009.04.24 -
eSafe 7.0.17.0 2009.04.23 -
eTrust-Vet 31.6.6475 2009.04.24 -
F-Prot 4.4.4.56 2009.04.24 -
F-Secure 8.0.14470.0 2009.04.25 -
Fortinet 3.117.0.0 2009.04.25 -
GData 19 2009.04.25 Win32:Trojan-gen {Other}
Ikarus T3.1.1.49.0 2009.04.25 -
K7AntiVirus 7.10.714 2009.04.23 -
Kaspersky 7.0.0.125 2009.04.24 -
McAfee 5595 2009.04.24 -
McAfee+Artemis 5595 2009.04.24 -
McAfee-GW-Edition 6.7.6 2009.04.25 -
Microsoft 1.4602 2009.04.25 Trojan:Win32/Delf.ER
NOD32 4035 2009.04.25 Win32/Delf.OGF
Norman 6.00.06 2009.04.24 -
nProtect 2009.1.8.0 2009.04.25 -
Panda 10.0.0.14 2009.04.24 -
PCTools 4.4.2.0 2009.04.24 -
Prevx1 3.0 2009.04.25 High Risk Worm
Rising 21.26.44.00 2009.04.24 -
Sophos 4.41.0 2009.04.25 -
Sunbelt 3.2.1858.2 2009.04.24 -
Symantec 1.4.4.12 2009.04.25 -
TheHacker 6.3.4.1.314 2009.04.25 -
TrendMicro 8.700.0.1004 2009.04.24 -
VBA32 3.12.10.3 2009.04.24 -
ViRobot 2009.4.24.1708 2009.04.24 -
VirusBuster 4.6.5.0 2009.04.24 -
Additional information
File size: 29184 bytes

PEiD…: -
TrID…: File type identification
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7100
timedatestamp…: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype…: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x6120 0x6200 5.83 9c6b8e5ed93030c8a81480f8a9c6fa32
DATA 0x8000 0x1c8 0x200 4.71 7a53055156462f68e3574baf668be340
BSS 0x9000 0xf59 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xa000 0x2ae 0x400 3.21 fa86cc26693913ba28133d14cf519533
.reloc 0xb000 0x218 0x400 3.96 5655039e678a3fab7c53dcf4e9468d4c
.rsrc 0xc000 0x180 0x200 2.74 c9dc3c53103d913b8d228828d8f676b5

( 2 imports )

kernel32.dll: GetCurrentThreadId, ExitProcess, UnhandledExceptionFilter, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary, GetProcessHeap
kernel32.dll: VirtualFree, VirtualAlloc, Sleep, ReadFile, HeapFree, HeapAlloc, GetTickCount, GetProcessHeap, GetProcAddress, GetModuleFileNameA, GetFileSize, GetComputerNameA, FindAtomA, ExitProcess, CreateThread, CreateFileA, CloseHandle, AddAtomA

( 0 exports )

PDFiD.: -
RDS…: NSRL Reference Data Set

Hi, “oldman” (but I don’t believe it for a second):

Here’s the first scan results:

DaonolFix (15.04.09) by jpshortstuff
Log created at 22:01 on 24/04/2009 by Carol
Running from C:\Documents and Settings\Carol\Desktop\DaonolFix.exe

=====Find Daonol=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
“midi”=“wdmaud.drv”
“MIDI1”=“SYNCOR11.DLL”
“midi2”=“wdmaud.drv”
“midimapper”=“midimap.dll”
“mixer”=“wdmaud.drv”
“mixer1”=“wdmaud.drv”
“msacm.imaadpcm”=“imaadp32.acm”
“msacm.l3acm”=“C:\WINDOWS\System32\l3codeca.acm”
“msacm.msadpcm”=“msadp32.acm”
“msacm.msaudio1”=“msaud32.acm”
“msacm.msg711”=“msg711.acm”
“msacm.msg723”=“msg723.acm”
“msacm.msgsm610”=“msgsm32.acm”
“msacm.siren”=“sirenacm.dll”
“msacm.sl_anet”=“sl_anet.acm”
“msacm.trspch”=“tssoft32.acm”
“MSVideo8”=“VfWWDM32.dll”
“vidc.cvid”=“iccvid.dll”
“VIDC.I420”=“msh263.drv”
“vidc.iv31”=“ir32_32.dll”
“vidc.iv32”=“ir32_32.dll”
“VIDC.IYUV”=“iyuv_32.dll”
“vidc.M261”=“msh261.drv”
“vidc.M263”=“msh263.drv”
“vidc.mrle”=“msrle32.dll”
“vidc.msvc”=“msvidc32.dll”
“VIDC.UYVY”=“msyuv.dll”
“VIDC.WMV3”=“wmv9vcm.dll”
“VIDC.YUY2”=“msyuv.dll”
“VIDC.YVU9”=“tsbyuv.dll”
“VIDC.YVYU”=“msyuv.dll”
“wave”=“wdmaud.drv”
“wave1”=“serwvdrv.dll”
“wave2”=“wdmaud.drv”
“wavemapper”=“msacm32.drv”

-=Daonol Files=-
C:\WINDOWS\gqsfx.ktc
C:\WINDOWS\koeta.kpr

-=End Of File=-

Now I’ll go do the other. And I LOVE that site you showed, where multiple sites can go at the bug.

P.S. I just looked at the WINDOWS folder again – one of them is still there, the one without the x in the extension.

Yes, apparently I AM blocked from the other one as all I get is The page cannot be displayed. That’s in IE.

Tried Firefox: got Wikipedia page on HTTP!

Crazy Browser says “action cancelled”.

Hi

Thought that might happen. Try to download this tool; just set it up for now. You will need to get a log from it at the end.

Click here to download HJTInstall.exe
Please follow the prompts to ensure it is installed in the proper folder and a shortcut is created.
* Save HJTInstall.exe to your desktop.
* Double-click on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Close it for now; you will use it later.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you – please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post the combofix log and a HJT (hijackthis) log in your next reply.

To get the HJT log, open the program with the shortcut, click “Do a Systemscan and save a logfile”. The log will pop up when it’s finished.

Thanks

Found the problem as to why mbam not loading – http://http://etc. So now am getting it

Looked at my host file, found a lot of entries I didn’t make, says added by Spybot Search and Destroy. Does that program do that? Or was it done by malware?

Hi

Thanks, I thought I fixed all the links. The forum software here messes up my canned responses.

Yes, Spybot will add to the Hosts file.

After you have posted the MBAM log, please download HJT and post its log. We will see if we need combofix.

Thanks

At reboot, as computer was going down, Avast warned again about the same KTC thing, so after reboot, I ran another scan = nothing found!

BUT that file is still there in the WINDOWS folder, after reboot and second scan – only one copy though.

Yesterday I discovered the Windows Firewall had been disabled and I could not find a way to turn it off. Log shows Security Center disabled, and now it’s back on!

Here’s the log:

Malwarebytes’ Anti-Malware 1.36
Database version: 2039
Windows 5.1.2600 Service Pack 2

4/24/2009 11:00:53 PM
mbam-log-2009-04-24 (23-00-53).txt

Scan type: Quick Scan
Objects scanned: 109623
Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000ac13-3487-1583-c4be-be6a839db000} (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0000ac13-3487-1583-c4be-be6a839db000} (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0000ac13-3487-1583-c4be-be6a839db000} (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{3578cc4f-0e1f-445e-8072-e78435c71001} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{42248c91-2117-477b-ac0e-c280556b1001} (Trojan.Downloader) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) → Bad: (C:\WINDOWS\system32\userinit.exe,userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) → Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\koeta.kpr (Trojan.Daonol) → Quarantined and deleted successfully.
C:\Program Files\win32com.dll (Spyware.OnlineGames) → Quarantined and deleted successfully.
C:\WINDOWS\system32\mprmsgse.axz (Adware.Cinmus) → Quarantined and deleted successfully.

Okay, here’s the HJT log, attached because it exceeds the character limit.

Hi

You seem to have more problems than the Daonol infection; the MBAM log shows Vundo and a rogue and some signs of a nasty infection. HJT shows the remnants of spyware/adware.

MBAM turned your security center back on. If combofix doesn’t get that file, we will remove it.

We may as well continue on.

Open hijackthis, do a system scan only and checkmark these lines, if present

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8F192494-C34A-4de5-BF52-6F42445729A1} - (no file)
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - (no file)
O3 - Toolbar: (no name) - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - (no file)
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\system32\shdocvw.dll

Close ALL other windows/browsers and click Fix Checked. Answer Yes if prompted. Close HJT.

Next, download and run ComboFix from one of the links I posted earlier. Please follow all instructions.

Post back with the combofix log and a new HJT log.

Hi oldman,

Thanks for picking this one up. How did you see that it was a Daonol infection from the OP’s first post?

Presumably from the actions described that you had seen before in other malware hunts.

Avast keeps telling me this is Win32:Trojan-gen when I try to activate sound icon in the tray.

and

Earlier I had to “Start” Windows Audio in Services, even though it was set for “Automatic”.

Hi DavidR,

From the filename and description of symptoms. It usually places itself in the registry as a sound driver. Usually a 5 character name with an unusual extension. It usually goes away quite easily, but as you can see this PC has other problems.
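
The check described in the reply above (a Drivers32 value pointing at an oddly named file), written out as an added example; it is not part of the original thread and is not how DaonolFix or any other tool mentioned here works. The allowed extensions are the ones seen on the legitimate entries in the logs on this page; the `aux` entry and the file name `qwert.zxc` in the sample are constructed, and `C:\WINDOWS\system32` as the only accepted directory is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Extensions carried by the legitimate Drivers32 values in the logs on this page.
EXPECTED_EXTS = {".drv", ".dll", ".acm", ".ax"}
# Assumption: a full path is only expected to point into system32.
EXPECTED_DIR = r"c:\windows\system32"

# One registry value per line: "name"="data", with straight or typographic quotes
# (forum software often converts the quotes, as in the logs pasted in this thread).
ENTRY_RE = re.compile(
    r'^\s*["“”](?P<name>[^"“”]+)["“”]\s*=\s*["“”](?P<data>[^"“”]*)["“”]\s*$'
)

def parse_drivers32(text):
    """Return (name, data) pairs from a Drivers32 dump; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data")))
    return entries

def review_entry(data):
    """Return the reasons a value deserves a manual look (empty list if none)."""
    reasons = []
    # .reg exports double the backslashes; the logs on this page show single ones.
    path = PureWindowsPath(data.replace("\\\\", "\\"))
    ext = path.suffix.lower()
    if ext not in EXPECTED_EXTS:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    # Legitimate entries here are bare file names or full system32 paths.
    if len(path.parts) > 1 and str(path.parent).lower() != EXPECTED_DIR:
        reasons.append(f"loads from {path.parent} instead of system32")
    return reasons

def suspicious_entries(text):
    """Return (name, data, reasons) for every value that needs review."""
    findings = []
    for name, data in parse_drivers32(text):
        reasons = review_entry(data)
        if reasons:
            findings.append((name, data, reasons))
    return findings

# Constructed sample: five entries copied from the logs above plus one
# constructed entry ("aux") that imitates the pattern described in the reply.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"
“mixer”=“wdmaud.drv”
"msacm.l3acm"="C:\WINDOWS\System32\l3codeca.acm"
"vidc.iv41"="ir41_32.ax"
"wavemapper"="msacm32.drv"
"aux"="C:\WINDOWS\qwert.zxc"
'''

if __name__ == "__main__":
    for name, data, reasons in suspicious_entries(SAMPLE_DUMP):
        print(f"{name} = {data}: " + "; ".join(reasons))
```

A flagged value is only a lead: the file it names still has to be checked, as the thread does with VirusTotal and MBAM.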

Thanks for that.

I have been infected by the Win32: Daonol virus. I found this thread after Avast identified the malware. I downloaded and ran the Daonol Fix executable. I already had Malwarebytes installed and ran a Quick Scan as suggested above.

Please forgive me if this is the inappropriate place to be posting this. Here are the logs from the Daonol Fix and Malware scans respectively.

I would appreciate if someone would take a gander at them and see if I am clean now.

Thanks in advance:

=====Find Daonol=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
“midi”=“wdmaud.drv”
“midimapper”=“midimap.dll”
“mixer”=“wdmaud.drv”
“msacm.iac2”=“C:\WINDOWS\system32\iac25_32.ax”
“msacm.imaadpcm”=“imaadp32.acm”
“msacm.l3acm”=“C:\WINDOWS\system32\l3codeca.acm”
“msacm.msadpcm”=“msadp32.acm”
“msacm.msaudio1”=“msaud32.acm”
“msacm.msg711”=“msg711.acm”
“msacm.msg723”=“msg723.acm”
“msacm.msgsm610”=“msgsm32.acm”
“msacm.sl_anet”=“sl_anet.acm”
“msacm.trspch”=“tssoft32.acm”
“MSVideo8”=“VfWWDM32.dll”
“vidc.cvid”=“iccvid.dll”
“VIDC.I420”=“msh263.drv”
“vidc.iv31”=“ir32_32.dll”
“vidc.iv32”=“ir32_32.dll”
“vidc.iv41”=“ir41_32.ax”
“vidc.iv50”=“ir50_32.dll”
“VIDC.IYUV”=“iyuv_32.dll”
“vidc.M261”=“msh261.drv”
“vidc.M263”=“msh263.drv”
“vidc.mrle”=“msrle32.dll”
“vidc.msvc”=“msvidc32.dll”
“VIDC.UYVY”=“msyuv.dll”
“VIDC.YUY2”=“msyuv.dll”
“VIDC.YVU9”=“tsbyuv.dll”
“VIDC.YVYU”=“msyuv.dll”
“wave”=“wdmaud.drv”
“wavemapper”=“msacm32.drv”

-=Daonol Files=-
C:\WINDOWS\mbhcgfp.ckr

-=End Of File=-

Malware log to follow:

Here’s the Malware Log

Malwarebytes’ Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 3

5/20/2009 9:09:40 PM
mbam-log-2009-05-20 (21-09-40).txt

Scan type: Quick Scan
Objects scanned: 146427
Time elapsed: 52 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\mbhcgfp.ckr (Trojan.Gumblar) → Quarantined and deleted successfully.
C:\WINDOWS\mbhcgfp.ckrxxx (Trojan.Gumblar) → Quarantined and deleted successfully.
C:\WINDOWS\mbhcgfp.ckrxxxx (Trojan.Gumblar) → Quarantined and deleted successfully.

Thanks again for looking at this.