
Malware problems


  • This topic is locked
34 replies to this topic

#1 Abu Jacob

  • Members
  • 22 posts

Posted 22 May 2009 - 10:55 AM

The issues that I face are:
1) Constant threat of some unknown .exe file like vkjsz.exe, etc. found in folders.
2) When the system goes into hibernation, a window appears that shows lack of system resources to run API.
3) When I double click on any drive to open it, an Open With window pops up.
4) I initially had an svchost error; using Registry Easy, I believe I have managed to remove it.
5) A couple of other issues, like pop-ups with window name "a" and a message that says to make a folder in the Control Panel folder options.
6) Generic Host 32 services error. After this message appears, the taskbar freezes and the system crashes if I try to run any new application.
7) Files named bxxsxm.exe found in certain folders.

Kindly look into the attached files and the below info.

DDS (Ver_09-05-14.01) - NTFSx86
Run by abu at 19:36:00.57 on 22/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1383 [GMT 4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\csrcs.exe
C:\Program Files\Lucent\ASL-2000\dslstat.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\abu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\net.exe
C:\Documents and Settings\abu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Shell=Explorer.exe csrcs.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [DSLSTATEXE] c:\program files\lucent\asl-2000\dslstat.exe icon
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [csrcs] c:\windows\system32\csrcs.exe
StartupFolder: c:\docume~1\abu\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217501011125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {A2B1A387-E2D5-4637-9BF1-D0B665079D8D} = 195.229.241.222 213.42.20.20
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-18 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-18 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-18 298776]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
S2 njvki;njvki;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]

=============== Created Last 30 ================

2009-05-22 13:00 264,952 a------- c:\windows\system32\xpsvc32.exe
2009-05-21 22:13 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-21 21:50 <DIR> --d----- c:\documents and settings\abu\.housecall6.6
2009-05-21 21:07 0 a--shr-- C:\khr
2009-05-21 21:07 384 a--shr-- C:\autorun.inf
2009-05-21 18:08 0 a------- c:\windows\system32\a
2009-05-19 21:19 529,210 a------- c:\windows\system32\korn.exe
2009-05-19 19:30 <DIR> --d----- c:\program files\Trend Micro
2009-05-19 19:29 82 a------- c:\windows\system32\asr_eqqwq
2009-05-19 19:29 42 a------- c:\windows\system32\RegistryEasy.lie
2009-05-19 19:28 <DIR> --d----- c:\program files\Registry Easy
2009-05-19 19:11 0 a--shr-- C:\khq
2009-05-19 18:12 521,362 a--shr-- C:\gmyqhd.exe
2009-05-18 14:56 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-18 14:25 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-18 14:25 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-18 14:25 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-18 14:25 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-18 14:25 <DIR> --d----- c:\program files\AVG
2009-05-18 14:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-16 21:53 0 a--shr-- C:\khp
2009-05-16 21:45 <DIR> --d----- c:\program files\Yahoo!
2009-05-16 21:14 <DIR> --d----- c:\windows\pss
2009-05-15 20:50 <DIR> --d----- C:\bin
2009-05-15 00:01 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-14 10:09 <DIR> --d----- c:\temp\ext256
2009-05-14 10:09 <DIR> --d----- c:\temp\ext2782
2009-05-14 10:09 173,494 a------- c:\windows\system32\drivers\mon_ac_w.bin
2009-05-14 10:09 158,592 a------- c:\windows\system32\drivers\gwausb.sys
2009-05-14 10:09 25,600 a------- c:\windows\system32\CoInst.dll
2009-05-14 10:09 <DIR> --d----- c:\program files\Lucent
2009-05-14 10:09 18,016 -------- c:\windows\wwdslcfg.ini
2009-05-14 10:09 12,288 -------- c:\windows\system32\CplEng.dll
2009-05-10 22:45 54,156 a---h--- c:\windows\QTFont.qfn
2009-05-10 22:45 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-03-17 21:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-03-17 00:27 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-03-17 00:26 328,704 a------- c:\windows\system32\ati2dvag.dll
2009-03-17 00:17 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-03-17 00:17 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-03-17 00:16 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-03-17 00:16 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-03-17 00:16 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-03-17 00:16 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-03-17 00:15 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-03-17 00:13 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-03-17 00:06 3,820,736 a------- c:\windows\system32\ati3duag.dll
2009-03-17 00:04 11,563,008 a------- c:\windows\system32\atioglxx.dll
2009-03-16 23:53 2,675,328 a------- c:\windows\system32\ativvaxx.dll
2009-03-16 23:40 49,664 a------- c:\windows\system32\atimpc32.dll
2009-03-16 23:40 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-03-16 23:36 475,136 a------- c:\windows\system32\atikvmag.dll
2009-03-16 23:35 303,104 a------- c:\windows\system32\atiok3x2.dll
2009-03-16 23:35 131,072 a------- c:\windows\system32\atiadlxx.dll
2009-03-16 23:35 45,056 a------- c:\windows\system32\aticalrt.dll
2009-03-16 23:34 45,056 a------- c:\windows\system32\aticalcl.dll
2009-03-16 23:34 17,408 a------- c:\windows\system32\atitvo32.dll
2009-03-16 23:33 3,264,512 a------- c:\windows\system32\aticaldd.dll
2009-03-16 23:28 630,784 a------- c:\windows\system32\ati2cqag.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-03 23:56 118,784 a------- c:\windows\system32\atibtmon.exe
2009-02-24 01:39 184,394 a------- c:\windows\system32\atiicdxx.dat
2004-08-04 19:41 1,074,108 a--shr-- c:\windows\system32\csrcs.exe

============= FINISH: 19:36:22.04 ===============


#2 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 22 May 2009 - 07:10 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in training an Expert Coach will assist me in your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 24 May 2009 - 02:20 PM

Hi Abu Jacob.
Are you still in need of help?
If so then let's get started.

**********

The following refers to the registry cleaner.

Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your operating system.
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

**********

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue scanning for malware. Click on Yes to continue.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


**********

With your next post please provide:
- Combofix.txt

#4 Abu Jacob
  • Topic Starter

  • Members
  • 22 posts

Posted 25 May 2009 - 12:46 PM

ComboFix 09-05-24.06 - abu 25/05/2009 21:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1544 [GMT 4:00]
Running from: c:\documents and settings\abu\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\a
c:\windows\system32\AutoRun.inf
c:\windows\system32\csrcs.exe
c:\windows\system32\drivers\8f5678c4.sys
c:\windows\system32\tmp66.tmp
c:\windows\system32\tmp67.tmp
c:\windows\system32\tmp68.tmp
c:\windows\system32\tmp69.tmp
F:\Autorun.inf
G:\Autorun.inf
G:\Desktop.ini
H:\Autorun.inf
H:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_8f5678c4


((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-22 09:00 . 2009-05-22 09:00 264952 ----a-w c:\windows\system32\xpsvc32.exe
2009-05-21 18:13 . 2009-05-21 18:12 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-05-21 18:05 . 2009-05-21 18:05 57344 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-376a22c0-n\Decora-SSE.dll
2009-05-21 18:05 . 2009-05-21 18:05 24064 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-6eca9f1f-n\Decora-D3D.dll
2009-05-21 18:05 . 2009-05-21 18:05 315392 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4ab4a6ad-n\jogl.dll
2009-05-21 18:05 . 2009-05-21 18:05 20480 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4ab4a6ad-n\jogl_awt.dll
2009-05-21 18:05 . 2009-05-21 18:05 114688 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4ab4a6ad-n\jogl_cg.dll
2009-05-21 18:04 . 2009-05-21 18:04 20480 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-16a16cbd-n\gluegen-rt.dll
2009-05-21 18:04 . 2009-05-21 18:04 499712 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4afa8475-n\msvcp71.dll
2009-05-21 18:04 . 2009-05-21 18:04 499712 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4afa8475-n\jmc.dll
2009-05-21 18:04 . 2009-05-21 18:04 348160 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4afa8475-n\msvcr71.dll
2009-05-21 18:03 . 2009-05-21 18:03 152576 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-21 17:50 . 2009-05-21 19:39 -------- d-----w c:\documents and settings\abu\.housecall6.6
2009-05-19 17:19 . 2009-05-19 17:19 529210 ----a-w c:\windows\system32\korn.exe
2009-05-19 15:30 . 2009-05-19 15:30 -------- d-----w c:\program files\Trend Micro
2009-05-19 15:28 . 2009-05-25 17:16 -------- d-----w c:\program files\Registry Easy
2009-05-19 14:12 . 2009-05-19 14:13 521362 --sha-r C:\gmyqhd.exe
2009-05-18 19:22 . 2009-05-18 19:22 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-05-18 10:56 . 2009-05-24 14:06 -------- d--h--w C:\$AVG8.VAULT$
2009-05-18 10:25 . 2009-05-18 10:25 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-18 10:25 . 2009-05-18 10:25 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-18 10:25 . 2009-05-18 10:25 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-18 10:25 . 2009-05-18 10:52 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-18 10:25 . 2009-05-18 10:25 -------- d-----w c:\program files\AVG
2009-05-18 10:25 . 2009-05-25 17:21 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-16 17:49 . 2009-05-16 17:49 -------- d-----w c:\documents and settings\abu\Local Settings\Application Data\Yahoo
2009-05-16 17:47 . 2009-05-17 10:42 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-16 17:47 . 2009-05-16 17:47 -------- d-----w c:\documents and settings\abu\Application Data\Yahoo!
2009-05-16 17:45 . 2009-05-16 17:49 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-16 17:45 . 2009-05-13 11:32 607472 ----a-w c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-16 17:45 . 2009-05-16 17:47 -------- d-----w c:\program files\Yahoo!
2009-05-15 16:50 . 2009-05-15 16:50 -------- d-----w C:\bin
2009-05-14 06:09 . 2009-05-14 06:09 -------- d-----w c:\temp\ext256
2009-05-14 06:09 . 2009-05-14 06:09 -------- d-----w c:\temp\ext2782
2009-05-14 06:09 . 2005-09-07 06:10 173494 ----a-w c:\windows\system32\drivers\mon_ac_w.bin
2009-05-14 06:09 . 2005-09-22 08:31 158592 ----a-w c:\windows\system32\drivers\gwausb.sys
2009-05-14 06:09 . 2005-08-25 09:48 25600 ----a-w c:\windows\system32\CoInst.dll
2009-05-14 06:09 . 2009-05-14 06:09 -------- d-----w c:\program files\Lucent
2009-05-14 06:09 . 2005-08-25 10:00 12288 ------w c:\windows\system32\CplEng.dll
2009-05-10 17:43 . 2009-05-10 17:43 -------- d-----w c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 18:03 . 2008-11-18 20:55 -------- d-----w c:\program files\Java
2009-05-18 19:20 . 2008-07-31 09:26 -------- d-----w c:\program files\ATI Technologies
2009-05-18 17:48 . 2008-07-31 13:07 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-18 17:48 . 2008-07-31 13:07 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-18 10:25 . 2008-07-31 09:57 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-03-24 14:33 . 2009-03-24 14:33 237264 ----a-w c:\documents and settings\abu\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-03-17 17:05 . 2008-10-15 17:34 593920 ------w c:\windows\system32\ati2sgag.exe
2009-03-16 21:33 . 2008-07-31 09:10 3597312 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-03-16 20:27 . 2008-08-01 04:33 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-03-16 20:26 . 2008-07-31 09:10 328704 ----a-w c:\windows\system32\ati2dvag.dll
2009-03-16 20:17 . 2008-08-01 03:39 307200 ----a-w c:\windows\system32\atiiiexx.dll
2009-03-16 20:17 . 2008-08-01 04:23 204800 ----a-w c:\windows\system32\atipdlxx.dll
2009-03-16 20:16 . 2008-08-01 04:23 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-03-16 20:16 . 2008-08-01 04:22 26112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-03-16 20:16 . 2008-08-01 04:22 43520 ----a-w c:\windows\system32\ati2edxx.dll
2009-03-16 20:16 . 2008-08-01 04:22 155648 ----a-w c:\windows\system32\ati2evxx.dll
2009-03-16 20:15 . 2008-08-01 04:21 602112 ----a-w c:\windows\system32\ati2evxx.exe
2009-03-16 20:13 . 2008-08-01 04:19 53248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-03-16 20:06 . 2008-07-31 09:10 3820736 ----a-w c:\windows\system32\ati3duag.dll
2009-03-16 20:04 . 2008-08-01 05:40 11563008 ----a-w c:\windows\system32\atioglxx.dll
2009-03-16 19:53 . 2008-07-31 09:10 2675328 ----a-w c:\windows\system32\ativvaxx.dll
2009-03-16 19:40 . 2009-03-16 19:40 49664 ----a-w c:\windows\system32\atimpc32.dll
2009-03-16 19:40 . 2008-08-01 03:46 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-03-16 19:36 . 2008-08-01 03:42 475136 ----a-w c:\windows\system32\atikvmag.dll
2009-03-16 19:35 . 2008-08-01 04:58 303104 ----a-w c:\windows\system32\atiok3x2.dll
2009-03-16 19:35 . 2009-03-16 19:35 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-03-16 19:35 . 2008-08-01 03:40 131072 ----a-w c:\windows\system32\atiadlxx.dll
2009-03-16 19:34 . 2009-03-16 19:34 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-03-16 19:34 . 2008-08-01 03:40 17408 ----a-w c:\windows\system32\atitvo32.dll
2009-03-16 19:34 . 2008-08-01 03:39 53248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-03-16 19:33 . 2009-03-16 19:33 3264512 ----a-w c:\windows\system32\aticaldd.dll
2009-03-16 19:28 . 2008-07-31 09:10 630784 ----a-w c:\windows\system32\ati2cqag.dll
2009-03-09 01:19 . 2008-11-18 20:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-03 19:56 . 2009-03-03 19:56 118784 ----a-w c:\windows\system32\atibtmon.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="c:\program files\Lucent\ASL-2000\dslstat.exe" [2006-09-07 344064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-18 1947928]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-17 61440]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-28 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-31 16859136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\abu\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-8-16 157008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-18 10:25 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave3"= serwvdrv.dll
"aux2"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^abu^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"matlabserver"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\Codemasters\\GRID Demo\\GRID.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\abu\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\abu\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=
"f:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9780:TCP"= 9780:TCP:WWW

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/05/2009 14:25 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/05/2009 14:25 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [18/05/2009 14:25 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18/05/2009 14:25 298776]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [20/07/2007 18:40 84992]
S2 njvki;njvki;c:\windows\system32\svchost.exe -k netsvcs [23/08/2001 16:00 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
njvki
.
Contents of the 'Scheduled Tasks' folder

2009-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1960408961-839522115-1003.job
- c:\documents and settings\abu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 18:19]

2009-05-19 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-05-19 15:54]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-csrcs - c:\windows\system32\csrcs.exe
SafeBoot-procexp90.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A2B1A387-E2D5-4637-9BF1-D0B665079D8D} = 195.229.241.222 213.42.20.20
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 21:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2428)
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\devldr32.exe
c:\progra~1\Webshots\Webshots.scr
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-05-25 21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 17:37

Pre-Run: 107,924,729,856 bytes free
Post-Run: 107,844,112,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

234

#5 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:09:30 AM

Posted 25 May 2009 - 10:50 PM

Hi again,
We still have some work to do.

**********

Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


**********

With your next post please provide:
- MBAM log
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#6 Abu Jacob

  • Topic Starter
  • Members
  • 22 posts
  • Local time:06:30 PM

Posted 26 May 2009 - 12:18 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2181
Windows 5.1.2600 Service Pack 2

26/05/2009 21:09:18
mbam-log-2009-05-26 (21-09-18).txt

Scan type: Quick Scan
Objects scanned: 78161
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\abu\Desktop\svchost.exe-generic-host-process-win32-services-encountered-problem.html (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
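The MBAM log above has a fixed layout: a few header lines, a summary block of per-category counts, then one detail section per category with one `object (Signature) -> action` line per detection. That regularity is worth exploiting when you triage many such logs. The following is an added example, not code from this thread or from Malwarebytes: a Python parser for that layout, a check that each summary count agrees with the items actually listed under it, and a flag for "Delete on reboot" actions, which is the case the instructions above cover by insisting on a normal restart. The log embedded in it is constructed for the demo; its paths and the Trojan.Example signature name are made up.

```python
import re

# Constructed excerpt in the MBAM 1.x log layout seen in this thread; the paths and
# the Trojan.Example name are made up for the demo.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.36
Database version: 2181
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 78161
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Bad (Trojan.Example) -> Quarantined and deleted successfully.

Files Infected:
C:\\Documents and Settings\\user\\Desktop\\report (1).html (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\example32.exe (Trojan.Example) -> Delete on reboot.
"""

META_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
SUMMARY_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>.+ Infected):$")
# greedy <obj> lets paths that themselves contain parentheses parse correctly
ITEM_RE = re.compile(r"^(?P<obj>.+) \((?P<sig>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Parse an MBAM 1.x text log into metadata, summary counts and detection records."""
    result = {"meta": {}, "summary": {}, "items": [], "pending_reboot": False}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            category = None          # a blank line closes a detail section
            continue
        m = META_RE.match(line)
        if m:
            result["meta"][m.group(1)] = m.group(2)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            result["summary"][m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            category = m.group("cat")
            continue
        if category is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            item = {"category": category, "object": m.group("obj"),
                    "signature": m.group("sig"), "action": m.group("action")}
            if "reboot" in item["action"].lower():
                result["pending_reboot"] = True   # removal only completes after a restart
            result["items"].append(item)
    return result


def consistency_problems(parsed):
    """Summary lines whose count disagrees with the items actually listed under them."""
    counts = {}
    for item in parsed["items"]:
        counts[item["category"]] = counts.get(item["category"], 0) + 1
    return [f"{cat}: summary says {n}, listed {counts.get(cat, 0)}"
            for cat, n in parsed["summary"].items() if counts.get(cat, 0) != n]


def by_signature(parsed):
    """Group detected objects by signature name, useful when comparing many logs."""
    groups = {}
    for item in parsed["items"]:
        groups.setdefault(item["signature"], []).append(item["object"])
    return groups


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(parsed["meta"], parsed["summary"])
    for item in parsed["items"]:
        print(f"[{item['category']}] {item['signature']}: {item['object']} -> {item['action']}")
    print("pending reboot:", parsed["pending_reboot"], "| problems:", consistency_problems(parsed))
```

A non-empty result from consistency_problems usually means the log was truncated when it was pasted, which is worth knowing before acting on it; a true pending_reboot means the listed files are still on disk until the machine restarts normally.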

#7 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:09:30 AM

Posted 26 May 2009 - 06:15 PM

Hello again,
We still have more cleanup to do. After I get approval from my coach I will post your instructions. Please let me know if you have any questions in the meantime.
Thanks,
t

#8 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:09:30 AM

Posted 26 May 2009 - 06:27 PM

Hello again.

How is your computer running now?

**********

Please note!!!!

Among others, you have a flash drive infection. It will be very important that you connect all flash and peripheral drives during the rest of the cleanup!

**********

Did you install this program? Team Viewer 3. Here is a link.

**********

P2P Warning

Your log indicates that you have Limewire installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall Limewire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

**********

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
njvki

NetSvc::
njvki

File::
c:\windows\system32\xpsvc32.exe
c:\windows\system32\korn.exe
C:\gmyqhd.exe

Dirlook::
C:\khq
C:\khp
C:\bin
c:\temp\ext256
c:\temp\ext2782
c:\windows\system32\drivers\mon_ac_w.bin


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**********

With your next post please provide:
- Answers to my questions
- Combofix.txt
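thcbytes asks for all flash and peripheral drives to be connected during the rest of the cleanup because removable-drive infections of this era live at the drive root: an autorun.inf whose open, shellexecute or shell\...\command entries launch a dropper stored on the drive, usually with the hidden attribute set, so that opening the drive re-infects the host. A telltale variant is an autorun.inf whose target has already been deleted, which turns a double-click on the drive into an "Open With" prompt instead of opening it. What follows is an added example, not code from this thread or from ComboFix or MBAM: a Python script that inspects a drive root for such an autorun.inf, tolerates the junk lines this kind of malware inserts to break strict INI parsers, and reports each launch entry, its target, and whether the target is still present or hidden. The sample autorun.inf and the dropper.exe placeholder it creates in a temporary directory are constructed for the demo; on a real system pass the drive roots (for example D:\ and E:\) as arguments.

```python
import os
import re
import sys
import tempfile

# [autorun] keys that cause a program to run when the drive is opened or autoplayed
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
FILE_ATTRIBUTE_HIDDEN = 0x2   # bit in st_file_attributes on Windows; absent elsewhere

# Constructed sample of a worm-style autorun.inf; not taken from the thread's logs.
SAMPLE_AUTORUN = """[autorun]
;junk line that a strict INI parser may choke on
?????????? @@@@@@
open=dropper.exe
shell\\open\\Command="dropper.exe" /s
shell\\explore\\Command=missing.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Tolerant parser: {key: value} from the [autorun] section only.
    Lines that are not key=value are skipped rather than raising."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def command_target(value):
    """Executable named by a command value: '"a b.exe" /x' -> 'a b.exe', 'a.exe /x' -> 'a.exe'."""
    m = re.match(r'"([^"]+)"|(\S+)', value.strip())
    return (m.group(1) or m.group(2)) if m else ""


def is_hidden(path):
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith(".")


def inspect_drive_root(root):
    """One finding per autorun entry that launches something from this drive root."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return findings
    with open(inf, encoding="utf-8-sig", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            target = command_target(value)
            target_path = os.path.join(root, target)
            exists = os.path.isfile(target_path)
            findings.append({
                "key": key,
                "target": target,
                "target_exists": exists,   # False: the "Open With" symptom
                "hidden": exists and is_hidden(target_path),
            })
    return findings


def demo():
    """Build the constructed drive root in a temp directory and inspect it."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "dropper.exe"), "wb") as fh:
        fh.write(b"MZ")   # placeholder bytes, not a real executable
    return inspect_drive_root(root)


if __name__ == "__main__":
    roots = sys.argv[1:]
    results = [(r, inspect_drive_root(r)) for r in roots] if roots else [("<demo>", demo())]
    for root, findings in results:
        for f in findings:
            print(f"{root}: {f['key']} -> {f['target']} "
                  f"(exists={f['target_exists']}, hidden={f['hidden']})")
```

Any finding at all on a removable drive is suspicious, since legitimate autorun.inf files on USB sticks are rare; a finding whose target exists and is hidden is the live infection, and one whose target is missing is the leftover that produces the "Open With" dialog. Deleting autorun.inf alone is not a cleanup: the hidden executable and its copies on the host still need to be dealt with, which is what the ComboFix script above is for.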

#9 Abu Jacob

  • Topic Starter
  • Members
  • 22 posts
  • Local time:06:30 PM

Posted 27 May 2009 - 12:41 PM

ComboFix 09-05-24.06 - abu 27/05/2009 21:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1572 [GMT 4:00]
Running from: c:\documents and settings\abu\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\abu\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
C:\gmyqhd.exe
c:\windows\system32\korn.exe
c:\windows\system32\xpsvc32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\gmyqhd.exe
c:\windows\system32\korn.exe
c:\windows\system32\xpsvc32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NJVKI
-------\Service_njvki


((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))
.

2009-05-26 16:54 . 2009-05-26 16:54 -------- d-----w c:\documents and settings\abu\Application Data\Malwarebytes
2009-05-26 16:54 . 2009-04-06 11:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-26 16:54 . 2009-04-06 11:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 16:54 . 2009-05-26 16:54 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-26 16:54 . 2009-05-26 17:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-21 18:13 . 2009-05-21 18:12 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-05-21 18:05 . 2009-05-21 18:05 57344 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-376a22c0-n\Decora-SSE.dll
2009-05-21 18:05 . 2009-05-21 18:05 24064 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-6eca9f1f-n\Decora-D3D.dll
2009-05-21 18:05 . 2009-05-21 18:05 315392 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4ab4a6ad-n\jogl.dll
2009-05-21 18:05 . 2009-05-21 18:05 20480 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4ab4a6ad-n\jogl_awt.dll
2009-05-21 18:05 . 2009-05-21 18:05 114688 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4ab4a6ad-n\jogl_cg.dll
2009-05-21 18:04 . 2009-05-21 18:04 20480 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-16a16cbd-n\gluegen-rt.dll
2009-05-21 18:04 . 2009-05-21 18:04 499712 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4afa8475-n\msvcp71.dll
2009-05-21 18:04 . 2009-05-21 18:04 499712 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4afa8475-n\jmc.dll
2009-05-21 18:04 . 2009-05-21 18:04 348160 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4afa8475-n\msvcr71.dll
2009-05-21 18:03 . 2009-05-21 18:03 152576 ----a-w c:\documents and settings\abu\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-21 17:50 . 2009-05-21 19:39 -------- d-----w c:\documents and settings\abu\.housecall6.6
2009-05-19 15:30 . 2009-05-19 15:30 -------- d-----w c:\program files\Trend Micro
2009-05-19 15:28 . 2009-05-25 17:16 -------- d-----w c:\program files\Registry Easy
2009-05-18 19:22 . 2009-05-18 19:22 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-05-18 10:56 . 2009-05-25 18:42 -------- d--h--w C:\$AVG8.VAULT$
2009-05-18 10:25 . 2009-05-18 10:25 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-18 10:25 . 2009-05-18 10:25 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-18 10:25 . 2009-05-18 10:25 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-18 10:25 . 2009-05-25 18:38 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-18 10:25 . 2009-05-18 10:25 -------- d-----w c:\program files\AVG
2009-05-18 10:25 . 2009-05-25 17:21 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-16 17:49 . 2009-05-16 17:49 -------- d-----w c:\documents and settings\abu\Local Settings\Application Data\Yahoo
2009-05-16 17:47 . 2009-05-17 10:42 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-16 17:47 . 2009-05-16 17:47 -------- d-----w c:\documents and settings\abu\Application Data\Yahoo!
2009-05-16 17:45 . 2009-05-16 17:49 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-16 17:45 . 2009-05-13 11:32 607472 ----a-w c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-16 17:45 . 2009-05-16 17:47 -------- d-----w c:\program files\Yahoo!
2009-05-15 16:50 . 2009-05-15 16:50 -------- d-----w C:\bin
2009-05-14 06:09 . 2009-05-14 06:09 -------- d-----w c:\temp\ext256
2009-05-14 06:09 . 2009-05-14 06:09 -------- d-----w c:\temp\ext2782
2009-05-14 06:09 . 2005-09-07 06:10 173494 ----a-w c:\windows\system32\drivers\mon_ac_w.bin
2009-05-14 06:09 . 2005-09-22 08:31 158592 ----a-w c:\windows\system32\drivers\gwausb.sys
2009-05-14 06:09 . 2005-08-25 09:48 25600 ----a-w c:\windows\system32\CoInst.dll
2009-05-14 06:09 . 2009-05-14 06:09 -------- d-----w c:\program files\Lucent
2009-05-14 06:09 . 2005-08-25 10:00 12288 ------w c:\windows\system32\CplEng.dll
2009-05-10 17:43 . 2009-05-10 17:43 -------- d-----w c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 18:03 . 2008-11-18 20:55 -------- d-----w c:\program files\Java
2009-05-18 19:20 . 2008-07-31 09:26 -------- d-----w c:\program files\ATI Technologies
2009-05-18 17:48 . 2008-07-31 13:07 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-18 17:48 . 2008-07-31 13:07 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-18 10:25 . 2008-07-31 09:57 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-03-24 14:33 . 2009-03-24 14:33 237264 ----a-w c:\documents and settings\abu\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-03-17 17:05 . 2008-10-15 17:34 593920 ------w c:\windows\system32\ati2sgag.exe
2009-03-16 21:33 . 2008-07-31 09:10 3597312 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-03-16 20:27 . 2008-08-01 04:33 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-03-16 20:26 . 2008-07-31 09:10 328704 ----a-w c:\windows\system32\ati2dvag.dll
2009-03-16 20:17 . 2008-08-01 03:39 307200 ----a-w c:\windows\system32\atiiiexx.dll
2009-03-16 20:17 . 2008-08-01 04:23 204800 ----a-w c:\windows\system32\atipdlxx.dll
2009-03-16 20:16 . 2008-08-01 04:23 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-03-16 20:16 . 2008-08-01 04:22 26112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-03-16 20:16 . 2008-08-01 04:22 43520 ----a-w c:\windows\system32\ati2edxx.dll
2009-03-16 20:16 . 2008-08-01 04:22 155648 ----a-w c:\windows\system32\ati2evxx.dll
2009-03-16 20:15 . 2008-08-01 04:21 602112 ----a-w c:\windows\system32\ati2evxx.exe
2009-03-16 20:13 . 2008-08-01 04:19 53248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-03-16 20:06 . 2008-07-31 09:10 3820736 ----a-w c:\windows\system32\ati3duag.dll
2009-03-16 20:04 . 2008-08-01 05:40 11563008 ----a-w c:\windows\system32\atioglxx.dll
2009-03-16 19:53 . 2008-07-31 09:10 2675328 ----a-w c:\windows\system32\ativvaxx.dll
2009-03-16 19:40 . 2009-03-16 19:40 49664 ----a-w c:\windows\system32\atimpc32.dll
2009-03-16 19:40 . 2008-08-01 03:46 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-03-16 19:36 . 2008-08-01 03:42 475136 ----a-w c:\windows\system32\atikvmag.dll
2009-03-16 19:35 . 2008-08-01 04:58 303104 ----a-w c:\windows\system32\atiok3x2.dll
2009-03-16 19:35 . 2009-03-16 19:35 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-03-16 19:35 . 2008-08-01 03:40 131072 ----a-w c:\windows\system32\atiadlxx.dll
2009-03-16 19:34 . 2009-03-16 19:34 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-03-16 19:34 . 2008-08-01 03:40 17408 ----a-w c:\windows\system32\atitvo32.dll
2009-03-16 19:34 . 2008-08-01 03:39 53248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-03-16 19:33 . 2009-03-16 19:33 3264512 ----a-w c:\windows\system32\aticaldd.dll
2009-03-16 19:28 . 2008-07-31 09:10 630784 ----a-w c:\windows\system32\ati2cqag.dll
2009-03-09 01:19 . 2008-11-18 20:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-03 19:56 . 2009-03-03 19:56 118784 ----a-w c:\windows\system32\atibtmon.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\bin ----

2008-12-08 14:06 . 2008-04-23 11:27 18494 ---ha-w c:\bin\New Folder\angelina_jolie010.jpg
2008-12-08 14:06 . 2001-09-23 22:31 668607788 ---ha-w c:\bin\New Folder\Barely Leagal.DAT
2008-12-08 14:06 . 2008-09-24 19:30 548339 ---ha-w c:\bin\New Folder\bethany_lorraine_(femalien2-2).jpg
2008-12-08 14:06 . 2008-09-24 19:30 525789 ---ha-w c:\bin\New Folder\bethany_lorraine_(femalien2-3).jpg
2008-12-08 14:06 . 2008-06-27 20:48 26539 ---ha-w c:\bin\New Folder\beyonce_knowles_3.jpg
2008-12-08 14:06 . 2008-04-11 00:20 30509 ---ha-w c:\bin\New Folder\beyonce_nude_1.jpg
2008-12-08 14:06 . 2008-09-14 10:24 182605 ---ha-w c:\bin\New Folder\eva-mendes-topless-italian-vogue-09.jpg
2008-12-08 14:06 . 2008-06-17 18:56 91269 ---ha-w c:\bin\New Folder\Gillian-Anderson-0829.jpg
2008-12-08 14:06 . 2008-09-14 10:19 17241 ---ha-w c:\bin\New Folder\Julia Stiles.jpg
2008-12-08 14:06 . 2008-09-14 10:17 133893 ---ha-w c:\bin\New Folder\julia-stiles-nude_005.jpg
2008-12-08 14:06 . 2008-08-19 22:12 119091 ---ha-w c:\bin\New Folder\katrina-kaif-2.JPG
2008-12-08 14:06 . 2008-08-19 22:09 22781 ---ha-w c:\bin\New Folder\Katrina-Kaif-new 1.jpg
2008-12-08 14:06 . 2007-07-27 15:32 204586412 ---ha-w c:\bin\New Folder\LebanesePussy&Whitecock.DAT
2008-12-08 14:06 . 2008-07-17 20:38 40925 ---ha-w c:\bin\New Folder\megan-fox-topless-vancouver.jpg
2008-12-08 14:06 . 2008-07-17 20:42 516217 ---ha-w c:\bin\New Folder\megan-fox-topless.jpg
2008-12-08 14:06 . 2008-11-23 19:36 62830 ---ha-w c:\bin\New Folder\Megan_Fox-FHM_h07.jpg
2008-12-08 14:06 . 2008-11-23 19:38 68447 ---ha-w c:\bin\New Folder\Megan_Fox-FHM_h11.jpg
2008-12-08 14:06 . 2008-11-23 19:26 26286 ---ha-w c:\bin\New Folder\Megan_Fox-Rolling_Stone-2008_h01.jpg
2008-12-08 14:06 . 2008-11-23 19:26 30613 ---ha-w c:\bin\New Folder\Megan_Fox-Rolling_Stone-2008_h02.jpg
2008-12-08 14:06 . 2008-11-23 19:26 41370 ---ha-w c:\bin\New Folder\Megan_Fox-Rolling_Stone-2008_h03.jpg
2008-12-08 14:06 . 2008-11-23 19:25 46386 ---ha-w c:\bin\New Folder\Megan_Fox-Rolling_Stone-2008_h09.jpg
2008-12-08 14:06 . 2008-11-23 19:24 26430 ---ha-w c:\bin\New Folder\Megan_Fox-Rolling_Stone-2008_h14.jpg
2008-12-08 14:06 . 2008-09-11 17:40 276240 ---ha-w c:\bin\New Folder\Megan_Fox_naked_01.jpg
2008-12-08 14:06 . 2008-07-17 20:42 43879 ---ha-w c:\bin\New Folder\megan_fox_topless_.jpg
2008-12-08 14:06 . 2008-07-17 20:40 50155 ---ha-w c:\bin\New Folder\megan_fox_topless_jennifer_banner.jpg
2008-12-08 14:06 . 2008-02-05 18:05 94425010 ---ha-w c:\bin\New Folder\Naughty America - My Sisters Best Friend.mpg
2008-12-08 14:06 . 2006-05-22 12:36 1331200 ---ha-r c:\bin\New Folder\Nicole Kidman.avi
2008-12-08 14:06 . 2008-04-11 00:40 281136 ---ha-w c:\bin\New Folder\Shakira_nude.jpg
2008-12-08 14:06 . 2008-06-16 19:37 41498 ---ha-w c:\bin\New Folder\teri_hatcher_6.jpg
2008-12-08 14:06 . 2008-11-23 19:41 114688 --sha-w c:\bin\New Folder\Thumbs.db
2008-12-08 14:06 . 2003-09-30 08:43 69106508 ---ha-w c:\bin\New Folder\XFrench.DAT
2008-12-08 14:06 . 2003-09-30 08:45 192725276 ---ha-w c:\bin\New Folder\XMexican.DAT
2009-05-11 19:42 . 2009-03-25 20:02 1190992 ----a-w c:\bin\New Folder\New Folder\ [from www.metacafe.com].flv
2009-05-11 19:42 . 2009-03-26 00:02 2127554 ----a-w c:\bin\New Folder\New Folder\#3100 Desirable Woman - Kate Beckinsale Hot Scene [from www.metacafe.com].flv
2009-05-11 20:18 . 2009-05-11 20:18 62150 ----a-w c:\bin\New Folder\New Folder\45325581.jpg
2009-05-19 19:48 . 2009-05-19 19:48 310055 ----a-w c:\bin\New Folder\New Folder\5271_6998065259.jpg
2009-05-11 20:32 . 2009-05-11 20:32 136272 ----a-w c:\bin\New Folder\New Folder\6a00cdf3aaad25cb8f00e398a9bf2e0002.jpg
2009-05-11 19:42 . 2009-03-24 21:08 2752802 ----a-w c:\bin\New Folder\New Folder\Alicia Silverstone Getting 'Busy' [from www.metacafe.com].flv
2009-05-11 19:42 . 2009-03-24 20:29 2337974 ----a-w c:\bin\New Folder\New Folder\Alicia Silverstone Hot Clips [from www.metacafe.com].flv
2009-05-11 19:42 . 2009-03-24 21:13 5471235 ----a-w c:\bin\New Folder\New Folder\Alyssa Milano - 1994 - Embrace Of The Vampire [from www.metacafe.com].flv
2009-05-11 19:42 . 2009-03-24 21:11 885725 ----a-w c:\bin\New Folder\New Folder\Alyssa Milano In Action [from www.metacafe.com].flv
2009-05-11 19:42 . 2009-03-24 21:12 1808853 ----a-w c:\bin\New Folder\New Folder\Alyssa Milano [from www.metacafe.com].flv
2009-05-11 19:42 . 2009-03-24 21:46 1917299 ----a-w c:\bin\New Folder\New Folder\Catherine Zeta Jones Fireplace Sex [from www.metacafe.com].flv
2009-05-11 19:42 . 2009-03-24 20:11 9519632 ----a-w c:\bin\New Folder\New Folder\Charlize Theron - Various Sex Scenes [from www.metacafe.com].flv
2009-05-11 19:42 . 2009-03-25 22:11 7155364 ----a-w c:\bin\New Folder\New Folder\Charlize Theron and Connie Neilsen in The Devil's [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-24 20:09 4667380 ----a-w c:\bin\New Folder\New Folder\Charlize Theron [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-24 20:11 2199474 ----a-w c:\bin\New Folder\New Folder\Charlize-theron Nude Having Sex [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-25 19:42 2154607 ----a-w c:\bin\New Folder\New Folder\Claudia Schiffer Sexy Sex Scene [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-24 21:30 7202077 ----a-w c:\bin\New Folder\New Folder\Clive Oven & Monica Bellucci [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-24 20:44 17327739 ----a-w c:\bin\New Folder\New Folder\Courteney Cox Sex Scene from Dirt Getting Her Pu [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-26 00:06 1092392 ----a-w c:\bin\New Folder\New Folder\Demi Moore Hot Scene [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-26 00:06 547208 ----a-w c:\bin\New Folder\New Folder\Demi Moore Sex Scene - About Last Night! [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-26 00:06 2679084 ----a-w c:\bin\New Folder\New Folder\Demi Moore Very Hot Sex [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-26 00:06 4642242 ----a-w c:\bin\New Folder\New Folder\Demi Moore Wild F&king Scene [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-24 19:59 818759 ----a-w c:\bin\New Folder\New Folder\Denise Richards Wild Things [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-24 20:06 2481265 ----a-w c:\bin\New Folder\New Folder\Diane Kruger Sex Scene [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-24 20:34 930129 ----a-w c:\bin\New Folder\New Folder\Drew Barrymore Hot [from www.metacafe.com].flv
2009-05-11 19:43 . 2009-03-24 20:34 4128215 ----a-w c:\bin\New Folder\New Folder\Drew Barrymore Nude & Erotic [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 20:34 919690 ----a-w c:\bin\New Folder\New Folder\Drew Barrymore Show Nude Body [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 21:52 2198957 ----a-w c:\bin\New Folder\New Folder\Elizabeth Hurley Wild Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 21:54 1501852 ----a-w c:\bin\New Folder\New Folder\Eva Mendes-we Own the Night [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 22:14 2226082 ----a-w c:\bin\New Folder\New Folder\Gemma Arterton Very Hot Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 21:18 12693458 ----a-w c:\bin\New Folder\New Folder\Halle Berry's Uncut Sex Scene in Monsters Ball [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 23:29 1655865 ----a-w c:\bin\New Folder\New Folder\Hot Sex Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 20:00 2984629 ----a-w c:\bin\New Folder\New Folder\Jelia Anderson Hottest Sex Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 20:41 1532390 ----a-w c:\bin\New Folder\New Folder\Jennifer Aniston Intense Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 20:38 894400 ----a-w c:\bin\New Folder\New Folder\Jennifer Aniston Sex Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 20:04 4527779 ----a-w c:\bin\New Folder\New Folder\Jennifer Esposito Shows Nice Tits In Crash [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 22:23 3223763 ----a-w c:\bin\New Folder\New Folder\Jessica Biel Hot Sex Scene in Bathroom [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 23:58 1852385 ----a-w c:\bin\New Folder\New Folder\Kate Beckinsale Sex Clip [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 18:18 1545628 ----a-w c:\bin\New Folder\New Folder\Katie Holms Sex Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 18:13 2095728 ----a-w c:\bin\New Folder\New Folder\Katie Holms- Going to Be Hot Sex [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 21:00 5411051 ----a-w c:\bin\New Folder\New Folder\Katrina Kaif in BOOM [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 21:20 2573294 ----a-w c:\bin\New Folder\New Folder\Keira Knightley in Doctor Zhivago [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 21:22 1853010 ----a-w c:\bin\New Folder\New Folder\Keira-knightley [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 21:25 3722108 ----a-w c:\bin\New Folder\New Folder\Kelly Preston & Tom Cruise [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 21:24 4125527 ----a-w c:\bin\New Folder\New Folder\Kelly Preston Hot Sex Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 21:26 2090316 ----a-w c:\bin\New Folder\New Folder\Kelly Preston [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 21:26 3399606 ----a-w c:\bin\New Folder\New Folder\Keri Russell Nude Sex Scene [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 22:02 831407 ----a-w c:\bin\New Folder\New Folder\Kirsten Dunst Accidental Nudity [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 21:57 1684402 ----a-w c:\bin\New Folder\New Folder\Kirsten Dunst Sexclip [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 21:38 2581322 ----a-w c:\bin\New Folder\New Folder\Lisa Ray in Movie KKFF-Part 2 [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-25 21:39 5767778 ----a-w c:\bin\New Folder\New Folder\Lisa Ray Sex in KKFF-Part 1 [from www.metacafe.com].flv
2009-05-11 19:44 . 2009-03-24 20:02 9239947 ----a-w c:\bin\New Folder\New Folder\Madonna Sex Scene Body Of Evidence [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 20:55 9500772 ----a-w c:\bin\New Folder\New Folder\Malin Akerman &amp; Ben Stiller [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:22 5091570 ----a-w c:\bin\New Folder\New Folder\Malin Akerman Sexy in Watchmen [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 16:41 937554 ----a-w c:\bin\New Folder\New Folder\malin_akerman.bmp
2009-05-19 19:48 . 2009-05-19 19:48 35288 ----a-w c:\bin\New Folder\New Folder\Megan-Fox-dumb-quotes.jpg
2009-05-19 19:48 . 2009-05-19 19:48 25024 ----a-w c:\bin\New Folder\New Folder\megan-fox-GQ-naked.jpg
2009-05-11 19:45 . 2009-03-24 16:40 117584 ----a-w c:\bin\New Folder\New Folder\mini-carmen-electra-topless-maxim-mexico-2.jpg
2009-05-11 19:45 . 2009-03-24 21:25 5254282 ----a-w c:\bin\New Folder\New Folder\Mischief Kelly Preston [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:34 2144237 ----a-w c:\bin\New Folder\New Folder\Monica Bellucci Nude [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 21:33 2437868 ----a-w c:\bin\New Folder\New Folder\Monica Bellucci Sex Scene [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 21:29 1074689 ----a-w c:\bin\New Folder\New Folder\Monica Bellucci [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:42 615779 ----a-w c:\bin\New Folder\New Folder\Monica Belluci in Malena Scene4 [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 20:21 4184484 ----a-w c:\bin\New Folder\New Folder\Penelope Cruz Hottest Scene Ever (Must See) [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 20:20 4057997 ----a-w c:\bin\New Folder\New Folder\Penelope Cruz Nude [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 20:20 4106127 ----a-w c:\bin\New Folder\New Folder\Penelope Cruz Nude2 [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-25 21:58 2792023 ----a-w c:\bin\New Folder\New Folder\Rachel Weisz Erotic Scene [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-25 21:57 430359 ----a-w c:\bin\New Folder\New Folder\Rachel Weisz Hot Scene [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-25 23:31 5382739 ----a-w c:\bin\New Folder\New Folder\Reese Witherspoon in Fear [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-25 21:30 1847038 ----a-w c:\bin\New Folder\New Folder\Rene Russo in The Thomas Crown Affair 2 [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-25 21:30 1288928 ----a-w c:\bin\New Folder\New Folder\Rene Russo is Making Love with Pierce Brosnan [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 20:27 1573591 ----a-w c:\bin\New Folder\New Folder\Salmay Hayek Lovescene [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:57 747029 ----a-w c:\bin\New Folder\New Folder\Scarlett Johansson's Boob [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-26 00:03 2130490 ----a-w c:\bin\New Folder\New Folder\Sexy Love Scene Sexy Kate Beckinsale Hot Love Scen [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-25 21:48 2267669 ----a-w c:\bin\New Folder\New Folder\Shilpa Shetty Nipple Slip [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:54 4381303 ----a-w c:\bin\New Folder\New Folder\Shortened 300 Sex Scene [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 22:00 1304081 ----a-w c:\bin\New Folder\New Folder\Teri Hatcher Boobs Pressed [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 22:01 2037002 ----a-w c:\bin\New Folder\New Folder\Teri Hatcher-The Cool Surface1 [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 21:59 1090699 ----a-w c:\bin\New Folder\New Folder\Teri Hatcher-The Cool Surface2 [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-05-20 18:05 34304 --sha-w c:\bin\New Folder\New Folder\Thumbs.db
2009-05-11 19:45 . 2009-03-25 21:11 748962 ----a-w c:\bin\New Folder\New Folder\Uma Thurman Love Scene [from www.metacafe.com].flv
2009-05-11 19:46 . 2009-03-24 19:54 4381303 ----a-w c:\bin\New Folder\New Folder\300\Shortened 300 Sex Scene [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:27 2217502 ----a-w c:\bin\New Folder\New Folder\Kate Winslet\Kate Winslet Rare [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:27 1998803 ----a-w c:\bin\New Folder\New Folder\Kate Winslet\Kate Winslet Sex Scene (Must See) [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:22 5091570 ----a-w c:\bin\New Folder\New Folder\Malin Akerman\Malin Akerman Sexy in Watchmen [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:48 807486 ----a-w c:\bin\New Folder\New Folder\Megan Fox\Transformers Megan Fox ToplessTrailerParCcom [from www.metacafe.com].flv
2009-05-11 19:45 . 2009-03-24 19:42 615779 ----a-w c:\bin\New Folder\New Folder\Monica\Monica Belluci in Malena Scene4 [from www.metacafe.com].flv

---- Directory of C:\khp ----


---- Directory of C:\khq ----


---- Directory of c:\temp\ext256 ----

2001-09-24 09:17 . 2001-09-24 09:17 243712 ----a-w c:\temp\ext256\update\update.exe

---- Directory of c:\temp\ext2782 ----

2001-09-06 05:01 . 2001-09-06 05:01 241664 ----a-w c:\temp\ext2782\update\update.exe

---- Directory of c:\windows\system32\drivers\mon_ac_w.bin ----



((((((((((((((((((((((((((((( SnapShot@2009-05-25_17.35.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-27 17:30 . 2009-05-27 17:30 16384 c:\windows\Temp\Perflib_Perfdata_b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="c:\program files\Lucent\ASL-2000\dslstat.exe" [2006-09-07 344064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-18 1947928]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-17 61440]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-28 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-31 16859136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\abu\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-8-16 157008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-18 10:25 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave3"= serwvdrv.dll
"aux2"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^abu^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"matlabserver"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\Codemasters\\GRID Demo\\GRID.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\abu\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\abu\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=
"f:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9780:TCP"= 9780:TCP:WWW

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/05/2009 14:25 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/05/2009 14:25 108552]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [20/07/2007 18:40 84992]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [18/05/2009 14:25 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18/05/2009 14:25 298776]
.
Contents of the 'Scheduled Tasks' folder

2009-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1960408961-839522115-1003.job
- c:\documents and settings\abu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 18:19]

2009-05-19 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-05-19 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 21:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3344)
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\Webshots\Webshots.scr
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-05-27 21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-27 17:34
ComboFix2.txt 2009-05-25 17:37

Pre-Run: 107,738,071,040 bytes free
Post-Run: 107,714,457,600 bytes free



Answers to your questions:

The computer seems fine with respect to pop-ups and virus alerts, but just now I had a message saying the svchost.exe error.
So it seems like that error still exists.

Why do you want me to install the TeamViewer software?
Though LimeWire has been installed on my PC, I have not used it for quite some time now.

#10 thcbytes (Malware Response Team, 14,790 posts)

Posted 27 May 2009 - 01:12 PM

Hello again,

The computer seems fine with respect to pop-ups and virus alerts, but just now I had a message saying the svchost.exe error.
So it seems like that error still exists.

We still have more work to do. Your computer is heavily infected. More instructions will be forthcoming after I review your most recent logs and get clearance from my coach.

Why do you want me to install the TeamViewer software?

I am not asking you to install this software. Team Viewer 3 software is installed and running on your computer!! I was concerned that it might have been installed without your consent in relation to your current infection. Based on your response I suspect this is the case. Please correct me if I am wrong.

Though LimeWire has been installed on my PC, I have not used it for quite some time now.

Okay. Thanks.

Will post back soon with your next step,
t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#11 thcbytes (Malware Response Team, 14,790 posts)

Posted 28 May 2009 - 06:56 AM

Hello again, :thumbup2:
Let's proceed.
Please do this.....

**********

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\drivers\mon_ac_w.bin


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

**********

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Go to Start > Control Panel > Add or Remove Programs.

Remove the following program(s), if still present.
  • Team Viewer
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

**********

:) Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\khp
C:\khq

Folder::
C:\bin
c:\temp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"TeamViewer"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**********

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

**********

With your next post please provide:
* How is your computer running now?
* Jotti/Virustotal results
* Combofix.txt
* Gmer.log

Edited by thcbytes, 28 May 2009 - 07:27 AM.


#12 Abu Jacob (Topic Starter, Members, 22 posts)

Posted 29 May 2009 - 05:27 AM

The TeamViewer was installed with my consent. It's been a pretty long time since I have used the software, so I forgot that I had installed such software on my PC.

#13 Abu Jacob (Topic Starter, Members, 22 posts)

Posted 29 May 2009 - 05:36 AM

[ArcaVir]
2009-05-29 Found nothing
[F-Secure Anti-Virus]
2009-05-29 Found nothing
[Emsisoft A-squared]
2009-05-29 Found nothing
[Ikarus]
2009-05-29 Found nothing
[Avast! antivirus]
2009-05-28 Found nothing
[Kaspersky Anti-Virus]
2009-05-29 Found nothing
[Grisoft AVG Anti-Virus]
Operation timed out
[ESET NOD32]
2009-05-29 Found nothing
[Avira AntiVir]
2009-05-29 Found nothing
[Norman Virus Control]
2009-05-28 Found nothing
[Softwin BitDefender]
2009-05-29 Found nothing
[Panda Antivirus]
2009-05-28 Found nothing
[ClamAV]
2009-05-29 Found nothing
[Quick Heal]
2009-05-29 Found nothing
[CPsecure]
2009-05-29 Found nothing
[Sophos]
2009-05-29 Found nothing
[Dr.Web]
2009-05-29 Found nothing
[VirusBlokAda VBA32]
2009-05-27 Found nothing
[Frisk F-Prot Antivirus]
2009-05-28 Found nothing
[VirusBuster]
2009-05-28 Found nothing


Should I remove the TeamViewer software?

#14 thcbytes (Malware Response Team, 14,790 posts)

Posted 29 May 2009 - 06:04 AM

Hello,
No need to remove the Team Viewer software. It is a legitimate program. I would have been concerned though if it was installed without your consent as it could be used for deceptive purposes.

Unfortunately we are not done yet. Your computer is still infected. You're doing a very good job and we are getting close to finishing.

Please proceed as outlined below.....

**********

:thumbup2: Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\khp
C:\khq

Folder::
C:\bin
c:\temp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**********

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

**********

With your next post please provide:
* How is your computer running now?
* Combofix.txt
* Gmer.log

Edited by thcbytes, 29 May 2009 - 06:14 AM.

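Both CFScripts above reset AntiVirusOverride to 0, and the posted log also lists every autorun and the globally open firewall ports. The checker below is an added example, not part of this thread or of ComboFix: it parses constructed sample lines modelled on the log's "Reg Loading Points" section and reports the three things a responder reads first there (a non-zero Security Center override, globally open ports, and Run entries living outside an assumed allow-list of the Windows and Program Files folders).

```python
import re

# Allow-list of folders a stock XP autorun is expected to live in
# (an assumption of this example; tune it to the machine under review).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Constructed sample modelled on the "Reg Loading Points" section of the
# ComboFix log posted above; not the thread's actual log.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-31 16859136]
"updater"="c:\documents and settings\abu\Local Settings\Temp\vkjsz.exe" [2009-05-20 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9780:TCP"= 9780:TCP:WWW
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

def run_entry_path(value):
    """Executable path from a Run-key value: either '"c:\\..\\x.exe" [date size]'
    or the '"X.EXE" - c:\\..\\X.exe [date size]' form used for bare names."""
    m = re.search(r"\s-\s(.+?)\s*\[", value)
    if m:
        return m.group(1)
    m = re.match(r'"([^"]+)"', value)
    return m.group(1) if m else value

def triage_loading_points(log_text):
    """Walk the REGEDIT4-style section; return a list of (finding, detail)."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:                      # a new [registry key] header
            key = km.group(1).lower()
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group(1), vm.group(2).strip()
        if key.endswith("\\run"):   # autoruns living outside the allow-list
            path = run_entry_path(value).lower()
            if "\\" in path and not path.startswith(TRUSTED_PREFIXES):
                findings.append(("autorun-untrusted-path", f"{name} -> {path}"))
        elif key.endswith("\\security center"):
            # any non-zero DWORD here (ComboFix lists only non-defaults) silences
            # Security Center; the CFScript above resets AntiVirusOverride to 0
            if value.lower().startswith("dword:") and int(value[6:], 16) != 0:
                findings.append(("security-center-override", f"{name}={value}"))
        elif key.endswith("\\globallyopenports\\list"):
            findings.append(("firewall-open-port", name))   # e.g. 3389:TCP (RDP)
    return findings
```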

#15 Abu Jacob (Topic Starter, Members, 22 posts)

Posted 29 May 2009 - 03:17 PM

When I ran the GMER application, it took a couple of hours to finish the scanning, which I am not sure about because, though I enabled drives F, G and H to be scanned, the last file it was scanning that I saw was in the C drive and then that's it, as if the scanning got over. After that, I tried to save the file; it said insufficient system resources to open C:\Windows\system32\Desktop, and then the pop-up window for saving opened, and when I clicked the save button, the system crashed.

Moreover, my AVG anti-virus does not seem to run now when I boot up my PC. Even when I click an .exe file, it does not open the application. What could be the reason?



