I am Not able to Install any Anti Virus !!


This topic is locked
35 replies to this topic

#1 im_adi

im_adi

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 01 October 2009 - 05:31 AM

Please help me!!! I am not able to install anti virus or can't even view anti virus/anti spyware software download sites!!!!

Please help me.... I am posting all logs as below....

-AD!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:32 PM, on 10/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [121CCB] C:\WINDOWS\system32\3DAFC0\121CCB.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: 121CCB.lnk = C:\WINDOWS\system32\3DAFC0\121CCB.EXE
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...744/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3436D55F-105F-442E-B870-441B555651CB}: NameServer = 218.248.255.177 218.248.240.134
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Windows_ServerDdos - Unknown owner - C:\WINDOWS\system32\WINDOWS

--
End of file - 5098 bytes





DDS (Ver_09-09-29.01) - NTFSx86
Run by amu at 15:41:14.17 on Thu 10/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.514 [GMT 5.5:30]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
D:\Softwares\Essential Softwares\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\amu\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [121CCB] c:\windows\system32\3dafc0\121CCB.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\amu\startm~1\programs\startup\121ccb.lnk - c:\windows\system32\3dafc0\121CCB.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5744/mcfscan.cab
TCP: {3436D55F-105F-442E-B870-441B555651CB} = 218.248.255.177 218.248.240.134
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll

============= SERVICES / DRIVERS ===============

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [2003-7-2 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [2003-7-2 124160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-18 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-18 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-18 108552]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 MCIDRV_2600_6_0;MCIDRV_2600_6_0;c:\windows\system32\drivers\pgollm.sys [2009-8-26 5077]
S2 Windows_ServerDdos;Windows_ServerDdos;c:\windows\system32\WINDOWS [2009-7-12 265216]
S2 zedxo;Time Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

=============== Created Last 30 ================

2009-10-01 15:17 110,592 a------- c:\docume~1\amu\applic~1\Wplugin.dll
2009-09-23 12:03 44,686 a---h--- c:\windows\system32\mx931256.dl_
2009-09-23 12:03 81,920 a------- c:\windows\system32\mx931256.dll
2009-09-18 21:28 <DIR> --d----- c:\docume~1\amu\applic~1\AVG8
2009-09-18 21:12 <DIR> --d----- c:\windows\McAfee.com
2009-09-13 22:38 <DIR> --d----- C:\s
2009-09-13 22:14 <DIR> --d----- C:\images for shraddha
2009-09-03 12:44 4,907,822 a------- C:\XCC_TFD_Shortcut_Installer.exe
2009-09-02 20:08 44,686 a---h--- c:\windows\system32\f}931256.dl_
2009-09-02 20:08 81,920 a------- c:\windows\system32\f}931256.dll

==================== Find3M ====================

2009-10-01 15:02 5,077 a------- c:\windows\system32\drivers\pgollm.sys
2009-10-01 15:02 81,920 a------- c:\windows\system32\rm294609.dll
2009-10-01 15:02 81,920 a------- c:\windows\system32\rm931256.dll
2009-10-01 15:01 81,920 a------- c:\windows\system32\sm931256.dll
2009-10-01 15:01 81,920 a------- c:\windows\system32\rt931256.dll
2009-09-25 12:13 294,400 a------- c:\windows\sporder.exe
2009-09-25 12:00 327,680 a------- c:\program files\Uninstall_CDS.exe
2009-09-23 12:31 2,985,984 a------- C:\googletalk-setup.exe
2009-09-08 13:56 82,432 a------- c:\windows\inst_tsp.exe
2009-09-08 13:50 14,559,845 a------- C:\RealPlayer11GOLD.exe
2009-08-26 11:14 495,616 a------- c:\windows\system32\igfxtray.exe
2009-08-22 20:22 117,900 a------- c:\windows\winsbak2.reg
2009-08-22 20:22 16,786 a------- c:\windows\winsbak.reg
2009-08-22 18:48 4,096 a------- c:\windows\system32\01.tmp
2009-08-22 13:14 2,318,880 a------- C:\install_flash_player.exe
2009-08-22 13:14 2,126,873 a------- C:\install.exe
2009-08-22 12:26 81,920 a------- c:\windows\system32\nv931256.dll
2009-08-21 13:13 1,111,729 a------- C:\Jet Audio.EXE
2009-08-21 12:07 81,920 a------- c:\windows\system32\kr931256.dll
2009-08-17 18:55 348,160 a------- c:\windows\system32\msvcr71.dll
2009-08-17 18:55 499,712 a------- c:\windows\system32\msvcp71.dll
2009-08-16 12:20 81,920 a------- c:\windows\system32\vj931256.dll
2009-08-16 11:27 110,592 a------- c:\windows\Wplugin.dll
2009-07-25 14:49 13,029,857 a------- C:\Wndows media player10.exe
2009-07-25 13:53 479,232 a------- c:\windows\system32\hkcmd.exe
2009-07-19 17:49 397,312 a------- c:\windows\sttray.exe
2004-08-04 06:37 158,443 a--shr-- c:\windows\system32\apfycs.dll

============= FINISH: 15:41:26.20 ===============

Edited by im_adi, 01 October 2009 - 05:38 AM.
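As a defender-side illustration of how a HijackThis log like the one above is triaged, here is an added example (not part of the post, and not code from HijackThis or BleepingComputer). It applies a few heuristics to a constructed sample of lines copied from the log: entries whose file is missing (a common sign that security software has been disabled), autostart executables living in a hex-named subfolder of system32, services whose binary has no file extension, and DNS server settings that deserve a manual check.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries in HijackThis format, copied from the
# log posted in this thread (not the full log).
SAMPLE_HJT = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [121CCB] C:\WINDOWS\system32\3DAFC0\121CCB.EXE
O4 - Startup: 121CCB.lnk = C:\WINDOWS\system32\3DAFC0\121CCB.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3436D55F-105F-442E-B870-441B555651CB}: NameServer = 218.248.255.177 218.248.240.134
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Windows_ServerDdos - Unknown owner - C:\WINDOWS\system32\WINDOWS
"""

# An executable sitting in a subfolder of system32 whose name is only hex digits.
HEX_DIR_RE = re.compile(r"\\system32\\[0-9a-f]{4,}\\[^\\]+\.exe\b", re.IGNORECASE)
# A service image path should end in a recognisable binary extension.
BINARY_EXT_RE = re.compile(r"\.(exe|sys|dll)\b", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


@dataclass
class Finding:
    kind: str      # short tag naming the heuristic that fired
    section: str   # HijackThis section prefix, e.g. O4 or O23
    detail: str    # the path or value that triggered it


def extract_path(section, body):
    """Pull the file path (or command line) out of a HijackThis entry body."""
    body = body.replace(" (file missing)", "").strip()
    if section == "O4":
        # "HKLM\..\Run: [name] path args"  or  "Startup: x.lnk = path"
        m = re.search(r"\]\s*(.+)$", body) or re.search(r"=\s*(.+)$", body)
        return m.group(1).strip() if m else ""
    if section in ("O2", "O23"):
        # Last " - " separated field is the module or service binary.
        return body.rsplit(" - ", 1)[-1].strip()
    return ""


def triage_line(line):
    """Return the list of findings for a single HijackThis entry."""
    findings = []
    m = ENTRY_RE.match(line.strip())
    if not m:
        return findings
    section, body = m.group(1), m.group(2)
    path = extract_path(section, body)

    if "(file missing)" in line:
        findings.append(Finding("file_missing", section, path))
    if HEX_DIR_RE.search(path):
        findings.append(Finding("hex_named_system32_subdir", section, path))
    if section == "O23" and path and not BINARY_EXT_RE.search(path):
        findings.append(Finding("service_without_extension", section, path))
    if section == "O17":
        ns = NAMESERVER_RE.search(body)
        if ns:
            # Not malicious by itself: the reviewer checks these against the ISP's servers.
            findings.append(Finding("nameserver_review", section, ns.group(1).strip()))
    return findings


def triage(text):
    """Run every heuristic over a whole log and return the findings in log order."""
    findings = []
    for line in text.strip().splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.kind:28} {f.section:4} {f.detail}")
```

On the sample, the AVG entries surface as file_missing, both 121CCB autostarts as hex_named_system32_subdir, and the Windows_ServerDdos service as service_without_extension, which matches what the MBAM scan later removed.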


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:21 PM

Posted 02 October 2009 - 04:09 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 im_adi

im_adi
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 04 October 2009 - 04:50 AM

Hello Sam !
Thanks for coming forward to help me.
Here I followed all the instructions you mentioned in your reply and got the following two log reports.

Before that I want to tell you, I couldn't download that MBAM thing from my (infected) computer. It was saying couldn't locate the server / check internet settings etc. etc. I tried the Opera browser and IE. Same problem for both browsers with all 3 links you gave for that MBAM... But don't worry, I managed to download it on my mobile phone using GPRS and then transferred it to the computer via Bluetooth.

The same thing happened while updating it.... got some error number 732(0, 0), so again I had to use GPRS to download that update.

So I installed updates till 2nd October and did all the process as you told.

There was no problem in downloading the second OTL thing.


After scanning with MBAM it prompted me to reboot and, as you mentioned in the Note below, I rebooted as soon as it prompted.


Ok so here are my logs I am copy-pasting. Kindly inspect them and suggest a solution for my problem.

Thanks for your help !

Waiting for reply....

-Ad!



Malwarebytes' Anti-Malware 1.41
Database version: 2896
Windows 5.1.2600 Service Pack 2

10/4/2009 2:57:55 PM
mbam-log-2009-10-04 (14-57-55).txt

Scan type: Quick Scan
Objects scanned: 104652
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\system32\3DAFC0\121CCB.EXE (Worm.AutoRun) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\rt931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\sm931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\mx931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\rm294609.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\rm931256.dll (Trojan.KillAV) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windows_serverddos (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windows_serverddos (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows_serverddos (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\121ccb (Worm.AutoRun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\3DAFC0 (Worm.AutoRun) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\rt931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\sm931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\mx931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\rm294609.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\rm931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\01.tmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f}931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nc931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vj931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nv931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pb931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\pgollm.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3DAFC0\121CCB.EXE (Worm.AutoRun) -> Delete on reboot.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINDOWS (Rootkit.Agent) -> Delete on reboot.

OTL Extras logfile created on: 10/4/2009 3:09:55 PM - Run 1
OTL by OldTimer - Version 3.0.18.2 Folder = D:\Softwares\Essential Softwares
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.93 Mb Total Physical Memory | 587.46 Mb Available Physical Memory | 57.94% Memory free
2.38 Gb Paging File | 2.01 Gb Available in Paging File | 84.15% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.77 Gb Total Space | 3.14 Gb Free Space | 32.14% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 0.96 Gb Free Space | 6.59% Space Free | Partition Type: NTFS
Drive E: | 14.65 Gb Total Space | 0.13 Gb Free Space | 0.86% Space Free | Partition Type: NTFS
Drive F: | 14.65 Gb Total Space | 1.70 Gb Free Space | 11.59% Space Free | Partition Type: NTFS
Drive G: | 20.81 Gb Total Space | 0.20 Gb Free Space | 0.96% Space Free | Partition Type: NTFS
Drive H: | 2.20 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded

Computer Name: GOSAVI-1989DCCF
Current User Name: amu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Program Files\Opera\opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1715:TCP" = 1715:TCP:*:Enabled:mdakgdc

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation)
"D:\Valve\Condition Zero\czero.exe" = D:\Valve\Condition Zero\czero.exe:*:Enabled:Condition Zero Launcher -- (Valve)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"G:\Age Of Empire-II The Conquerors on 192.168.1.74\empires2.exe" = G:\Age Of Empire-II The Conquerors on 192.168.1.74\empires2.exe:*:Enabled:Age of Empires II -- (Microsoft Corporation)
"D:\Call Of Duty\CoDMP.exe" = D:\Call Of Duty\CoDMP.exe:*:Enabled:CoDMP -- ()
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel® PRO Network Connections
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{95774351-6087-3A3B-8CA8-70BEE49D2BD5}" = Google Gears
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}" = BlueSoleil
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" = Alcohol 120%
"{EE5BC0BB-9EDA-423C-8276-48857B735D68}" = Prince of Persia Warrior Within
"{FC66E05E-8D39-47A6-8D07-759F33727EB0}" = Opera 10.00
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AlienGUIse" = AlienGUIse
"CobBackup8" = Cobian Backup 8
"Free Download Manager_is1" = Free Download Manager 3.0
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 1.40
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Orbit_is1" = Orbit Downloader
"Picasa 3" = Picasa 3
"RealPlayer 6.0" = RealPlayer
"Software Informer_is1" = Software Informer 1.0 BETA
"Theme Manager" = Theme Manager
"Total Video Converter 3.10_is1" = Total Video Converter 3.10
"URLSnooper 2_is1" = URL Snooper v2.23.01
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinPcapInst" = WinPcap 4.1 beta5
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-789336058-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/17/2009 9:43:37 AM | Computer Name = GOSAVI-1989DCCF | Source = Google Update | ID = 20
Description =

Error - 8/19/2009 11:40:26 AM | Computer Name = GOSAVI-1989DCCF | Source = Google Update | ID = 20
Description =

Error - 8/22/2009 3:04:30 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application claw.exe, version 0.0.0.0, faulting module claw.exe,
version 0.0.0.0, fault address 0x000011f6.

Error - 8/22/2009 3:04:35 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application claw.exe, version 0.0.0.0, faulting module claw.exe,
version 0.0.0.0, fault address 0x000011f6.

Error - 8/22/2009 3:27:21 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application speed.exe, version 0.0.0.0, faulting module speed.exe,
version 0.0.0.0, fault address 0x003c40a2.

Error - 8/22/2009 3:27:25 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application speed.exe, version 0.0.0.0, faulting module speed.exe,
version 0.0.0.0, fault address 0x003c40a2.

Error - 8/22/2009 3:27:37 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application speed.exe, version 0.0.0.0, faulting module speed.exe,
version 0.0.0.0, fault address 0x003c40a2.

Error - 9/20/2009 3:34:15 AM | Computer Name = GOSAVI-1989DCCF | Source = Ci | ID = 4124
Description = Content index on c:\system volume information\catalog.wci is corrupt.
Please shutdown and restart the Indexing Service (cisvc).

Error - 9/20/2009 3:34:15 AM | Computer Name = GOSAVI-1989DCCF | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 9/21/2009 2:09:58 AM | Computer Name = GOSAVI-1989DCCF | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

[ System Events ]
Error - 10/2/2009 12:40:59 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7000
Description = The MCIDRV_2600_6_0 service failed to start due to the following error:
%%2001

Error - 10/2/2009 3:29:12 AM | Computer Name = GOSAVI-1989DCCF | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 001676C6ADBA has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 10/2/2009 3:44:26 AM | Computer Name = GOSAVI-1989DCCF | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 001676C6ADBA has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 10/4/2009 2:10:21 AM | Computer Name = GOSAVI-1989DCCF | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.2 on
the Network Card with network address 001676C6ADBA.

Error - 10/4/2009 5:31:05 AM | Computer Name = GOSAVI-1989DCCF | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 001676C6ADBA has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7000
Description = The AVG8 WatchDog service failed to start due to the following error:
%%2

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7000
Description = The MCIDRV_2600_6_0 service failed to start due to the following error:
%%2

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7001
Description = The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service
which failed to start because of the following error: %%2

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7023
Description = The Time Monitor service terminated with the following error: %%1114

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7000
Description = The MCIDRV_2600_6_0 service failed to start due to the following error:
%%2


< End of report >

#4 im_adi

im_adi
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 04 October 2009 - 04:50 AM

Hello Sam!
Thanks for coming forward to help me.
I followed all the instructions you mentioned in your reply and got the following two log reports.

Before that I want to tell you, I couldn't download that MBAM thing from my (infected) computer. It was saying couldn't locate server / check internet settings, etc. I tried the Opera browser and IE. Same problem for both browsers with all three links you gave for that MBAM. But don't worry, I managed to download it on my mobile phone using GPRS and then transferred it to the computer via Bluetooth.

The same thing happened while updating it. I got some error number 732(0, 0), so again I had to use GPRS to download that update.

So I installed updates till 2nd October and did all the process as you told.

There was no problem in downloading the second OTL thing.


After scanning with MBAM it prompted me to reboot, and as you mentioned in the note below, I rebooted as soon as it prompted.


OK, so here are my logs; I am copy-pasting them. Kindly inspect them and suggest a solution for my problem.

Thanks for your help!

Waiting for reply....

-Ad!



Malwarebytes' Anti-Malware 1.41
Database version: 2896
Windows 5.1.2600 Service Pack 2

10/4/2009 2:57:55 PM
mbam-log-2009-10-04 (14-57-55).txt

Scan type: Quick Scan
Objects scanned: 104652
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\system32\3DAFC0\121CCB.EXE (Worm.AutoRun) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\rt931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\sm931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\mx931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\rm294609.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\rm931256.dll (Trojan.KillAV) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windows_serverddos (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windows_serverddos (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows_serverddos (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\121ccb (Worm.AutoRun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\3DAFC0 (Worm.AutoRun) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\rt931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\sm931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\mx931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\rm294609.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\rm931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\01.tmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f}931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nc931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vj931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nv931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pb931256.dll (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\pgollm.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3DAFC0\121CCB.EXE (Worm.AutoRun) -> Delete on reboot.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINDOWS (Rootkit.Agent) -> Delete on reboot.

OTL Extras logfile created on: 10/4/2009 3:09:55 PM - Run 1
OTL by OldTimer - Version 3.0.18.2 Folder = D:\Softwares\Essential Softwares
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.93 Mb Total Physical Memory | 587.46 Mb Available Physical Memory | 57.94% Memory free
2.38 Gb Paging File | 2.01 Gb Available in Paging File | 84.15% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.77 Gb Total Space | 3.14 Gb Free Space | 32.14% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 0.96 Gb Free Space | 6.59% Space Free | Partition Type: NTFS
Drive E: | 14.65 Gb Total Space | 0.13 Gb Free Space | 0.86% Space Free | Partition Type: NTFS
Drive F: | 14.65 Gb Total Space | 1.70 Gb Free Space | 11.59% Space Free | Partition Type: NTFS
Drive G: | 20.81 Gb Total Space | 0.20 Gb Free Space | 0.96% Space Free | Partition Type: NTFS
Drive H: | 2.20 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded

Computer Name: GOSAVI-1989DCCF
Current User Name: amu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Program Files\Opera\opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1715:TCP" = 1715:TCP:*:Enabled:mdakgdc

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation)
"D:\Valve\Condition Zero\czero.exe" = D:\Valve\Condition Zero\czero.exe:*:Enabled:Condition Zero Launcher -- (Valve)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"G:\Age Of Empire-II The Conquerors on 192.168.1.74\empires2.exe" = G:\Age Of Empire-II The Conquerors on 192.168.1.74\empires2.exe:*:Enabled:Age of Empires II -- (Microsoft Corporation)
"D:\Call Of Duty\CoDMP.exe" = D:\Call Of Duty\CoDMP.exe:*:Enabled:CoDMP -- ()
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel® PRO Network Connections
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{95774351-6087-3A3B-8CA8-70BEE49D2BD5}" = Google Gears
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}" = BlueSoleil
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" = Alcohol 120%
"{EE5BC0BB-9EDA-423C-8276-48857B735D68}" = Prince of Persia Warrior Within
"{FC66E05E-8D39-47A6-8D07-759F33727EB0}" = Opera 10.00
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AlienGUIse" = AlienGUIse
"CobBackup8" = Cobian Backup 8
"Free Download Manager_is1" = Free Download Manager 3.0
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 1.40
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Orbit_is1" = Orbit Downloader
"Picasa 3" = Picasa 3
"RealPlayer 6.0" = RealPlayer
"Software Informer_is1" = Software Informer 1.0 BETA
"Theme Manager" = Theme Manager
"Total Video Converter 3.10_is1" = Total Video Converter 3.10
"URLSnooper 2_is1" = URL Snooper v2.23.01
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinPcapInst" = WinPcap 4.1 beta5
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-789336058-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/17/2009 9:43:37 AM | Computer Name = GOSAVI-1989DCCF | Source = Google Update | ID = 20
Description =

Error - 8/19/2009 11:40:26 AM | Computer Name = GOSAVI-1989DCCF | Source = Google Update | ID = 20
Description =

Error - 8/22/2009 3:04:30 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application claw.exe, version 0.0.0.0, faulting module claw.exe,
version 0.0.0.0, fault address 0x000011f6.

Error - 8/22/2009 3:04:35 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application claw.exe, version 0.0.0.0, faulting module claw.exe,
version 0.0.0.0, fault address 0x000011f6.

Error - 8/22/2009 3:27:21 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application speed.exe, version 0.0.0.0, faulting module speed.exe,
version 0.0.0.0, fault address 0x003c40a2.

Error - 8/22/2009 3:27:25 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application speed.exe, version 0.0.0.0, faulting module speed.exe,
version 0.0.0.0, fault address 0x003c40a2.

Error - 8/22/2009 3:27:37 AM | Computer Name = GOSAVI-1989DCCF | Source = Application Error | ID = 1000
Description = Faulting application speed.exe, version 0.0.0.0, faulting module speed.exe,
version 0.0.0.0, fault address 0x003c40a2.

Error - 9/20/2009 3:34:15 AM | Computer Name = GOSAVI-1989DCCF | Source = Ci | ID = 4124
Description = Content index on c:\system volume information\catalog.wci is corrupt.
Please shutdown and restart the Indexing Service (cisvc).

Error - 9/20/2009 3:34:15 AM | Computer Name = GOSAVI-1989DCCF | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 9/21/2009 2:09:58 AM | Computer Name = GOSAVI-1989DCCF | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

[ System Events ]
Error - 10/2/2009 12:40:59 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7000
Description = The MCIDRV_2600_6_0 service failed to start due to the following error:
%%2001

Error - 10/2/2009 3:29:12 AM | Computer Name = GOSAVI-1989DCCF | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 001676C6ADBA has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 10/2/2009 3:44:26 AM | Computer Name = GOSAVI-1989DCCF | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 001676C6ADBA has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 10/4/2009 2:10:21 AM | Computer Name = GOSAVI-1989DCCF | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.2 on
the Network Card with network address 001676C6ADBA.

Error - 10/4/2009 5:31:05 AM | Computer Name = GOSAVI-1989DCCF | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 001676C6ADBA has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7000
Description = The AVG8 WatchDog service failed to start due to the following error:
%%2

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7000
Description = The MCIDRV_2600_6_0 service failed to start due to the following error:
%%2

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7001
Description = The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service
which failed to start because of the following error: %%2

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7023
Description = The Time Monitor service terminated with the following error: %%1114

Error - 10/4/2009 5:32:41 AM | Computer Name = GOSAVI-1989DCCF | Source = Service Control Manager | ID = 7000
Description = The MCIDRV_2600_6_0 service failed to start due to the following error:
%%2


< End of report >
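
The MBAM log above lists what was found and what the scanner did with each item, but it does not separate the entries that were actually removed from the ones only scheduled for "Delete on reboot", and it does not say what the registry hits change on the machine. The following triage script is an added example, not part of this thread and not Malwarebytes' own tooling. It assumes the MBAM 1.x log layout shown in the post ("<Section> Infected:" headers followed by "path (Family) -> action" lines); the embedded log is a constructed excerpt copied from the post, and the hijack notes are the general meaning of those registry locations, not a claim about what this particular sample did beyond what the log shows.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x scan log (added example)."""
import re
from collections import Counter

# A section header ends with a bare colon; the summary block above the
# sections ("Files Infected: 16") has a count after the colon and is skipped.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# Constructed excerpt in the exact layout of the log posted above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\3DAFC0\121CCB.EXE (Worm.AutoRun) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows_serverddos (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\121ccb (Worm.AutoRun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\rt931256.dll (Trojan.KillAV) -> Delete on reboot.
C:\WINDOWS\system32\drivers\pgollm.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINDOWS (Rootkit.Agent) -> Delete on reboot.
"""

def parse_mbam_log(text):
    """Return one dict per detection: section, path, family, action, bad, good."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line) if section else None
        if not m:
            continue  # header/summary lines, or text this layout does not cover
        rest = m.group("rest")
        bg = BADGOOD_RE.search(rest)
        items.append({
            "section": section,
            "path": m.group("path"),
            "family": m.group("family"),
            # the last "->" segment is what MBAM did, or could only schedule
            "action": rest.split("->")[-1].strip().rstrip("."),
            "bad": bg.group("bad") if bg else None,
            "good": bg.group("good") if bg else None,
        })
    return items

def by_family(items):
    return Counter(i["family"] for i in items)

def pending_reboot(items):
    # Items MBAM could not remove while running (e.g. a loaded KillAV DLL);
    # these must be confirmed gone after the restart.
    return sorted({i["path"] for i in items
                   if i["action"].lower().startswith("delete on reboot")})

# What a registry hit changes: (regex over the path, note template).
HIJACK_NOTES = (
    (r"\\Image File Execution Options\\(?P<exe>[^\\]+)$",
     "IFEO key for {exe}: a Debugger value under it, if present, makes "
     "Windows launch that program in place of {exe}"),
    (r"\\SHOWALL\\CheckedValue$",
     "SHOWALL\\CheckedValue is {bad} (should be {good}): the 'Show hidden "
     "files and folders' option no longer sticks, so dropped files stay hidden"),
    (r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
     "Run value '{name}': executed at every interactive logon"),
    (r"\\Services\\(?P<svc>[^\\]+)$",
     "Service '{svc}': started by the Service Control Manager at boot, "
     "no user logon needed"),
)

def explain_hijacks(items):
    notes = []
    for item in (i for i in items if i["path"].startswith("HKEY_")):
        for pattern, template in HIJACK_NOTES:
            m = re.search(pattern, item["path"])
            if m:
                note = template.format(**m.groupdict(), bad=item["bad"], good=item["good"])
                if note not in notes:  # ControlSet001/002/Current repeat one service
                    notes.append(note)
                break
    return notes

if __name__ == "__main__":
    items = parse_mbam_log(SAMPLE_LOG)
    for family, n in sorted(by_family(items).items()):
        print(f"{n:3d}  {family}")
    print("\nVerify after reboot:", *pending_reboot(items), sep="\n  ")
    print("\nRegistry hits:", *explain_hijacks(items), sep="\n  ")
```

Run it on a full log by passing the file's contents to `parse_mbam_log`; the "verify after reboot" list is the part worth re-checking with a second scan, since anything still present after the restart means the dropper that wrote it is still active.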

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:21 PM

Posted 04 October 2009 - 09:56 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 im_adi

im_adi
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 05 October 2009 - 09:28 AM

Hello again Sam!
I downloaded and used ComboFix.
But there was one problem: I couldn't stop my so-called AVG real-time scanner. I checked in the system tray but there was no icon for it. I went to the Start / Programs list and tried opening it, but it was saying missing shortcut.
Then I tried opening it from C:\Program Files, but still couldn't.
I opened Task Manager but couldn't locate any active process named AVG, so I stopped trying and went ahead with ComboFix without bothering about the warning.

And I got the following log report.
Kindly inspect it and guide me further...

Thanks for your help :(
Waiting for reply.....

-Ad!

ComboFix 09-10-04.01 - amu 10/05/2009 19:36.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.502 [GMT 5.5:30]
Running from: d:\softwares\Essential Softwares\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\amu\LOCALS~1\Temp\E_N4
c:\docume~1\amu\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\amu\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\amu\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\amu\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\amu\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\amu\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\amu\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\amu\LOCALS~1\Temp\E_N4\spec.fne
c:\windows\regedit.com
c:\windows\system32\apfycs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_SERVERDDOS
-------\Legacy_ZEDXO
-------\Service_zedxo


((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-05 09:53 . 2009-10-05 09:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-05 09:53 . 2009-10-05 10:33 -------- d-----w- c:\documents and settings\amu\Application Data\skypePM
2009-10-05 09:52 . 2009-10-05 12:23 -------- d-----w- c:\documents and settings\amu\Application Data\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----w- c:\program files\Common Files\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----r- c:\program files\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-05 08:41 . 2009-10-05 13:55 5077 ----a-w- c:\windows\system32\drivers\pgollm.sys
2009-10-04 09:31 . 2009-10-05 14:11 81920 ----a-w- c:\windows\system32\sb931256.dll
2009-10-04 09:31 . 2009-10-05 14:11 81920 ----a-w- c:\windows\system32\ne931256.dll
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\documents and settings\amu\Application Data\Malwarebytes
2009-10-04 08:48 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-04 08:48 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-04 08:34 . 2009-10-04 08:34 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Apple Computer
2009-10-04 07:30 . 2009-10-04 07:30 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\documents and settings\amu\Application Data\DonationCoder
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\program files\WinPcap
2009-10-04 07:30 . 2009-10-04 07:54 -------- d-----w- c:\program files\URLSnooper2
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-10-04 06:34 . 2009-10-04 07:42 -------- d-----w- c:\documents and settings\amu\Application Data\Software Informer
2009-10-04 06:34 . 2009-10-04 06:34 -------- d-----w- c:\program files\Software Informer
2009-10-04 06:34 . 2009-10-04 09:29 -------- d-----w- c:\documents and settings\amu\Application Data\Free Download Manager
2009-10-04 06:33 . 2009-10-04 06:34 -------- d-----w- c:\program files\Free Download Manager
2009-10-04 06:33 . 2009-10-04 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-10-02 04:40 . 2009-10-02 04:41 -------- d-----w- c:\documents and settings\bestameya\Application Data\Orbit
2009-10-01 13:50 . 2009-10-04 08:31 -------- d-----w- C:\downloads
2009-10-01 13:50 . 2009-10-01 13:50 -------- d-----w- c:\documents and settings\amu\Application Data\GrabPro
2009-10-01 13:50 . 2009-10-05 14:11 -------- d-----w- c:\documents and settings\amu\Application Data\Orbit
2009-10-01 13:50 . 2009-10-04 09:12 -------- d-----w- c:\program files\Orbitdownloader
2009-10-01 10:40 . 2009-10-01 10:40 -------- d-----w- c:\program files\Cobian Backup 8
2009-10-01 10:38 . 2009-10-05 05:56 81920 ----a-w- c:\windows\system32\pb931256.dll
2009-10-01 09:33 . 2009-10-01 09:33 12720 ----a-w- c:\documents and settings\amu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 11:37 . 2009-09-30 11:37 -------- d-----w- c:\documents and settings\bestameya\Local Settings\Application Data\WMTools Downloaded Files
2009-09-23 06:33 . 2009-10-05 14:11 81920 ----a-w- c:\windows\system32\mx931256.dll
2009-09-21 06:04 . 2009-09-21 06:04 -------- d-----w- c:\documents and settings\bestameya\Local Settings\Application Data\Opera
2009-09-18 15:58 . 2009-09-18 15:58 -------- d-----w- c:\documents and settings\amu\Application Data\AVG8
2009-09-18 15:42 . 2009-09-18 15:42 -------- d-----w- c:\windows\McAfee.com
2009-09-18 13:58 . 2009-09-18 14:00 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Temp
2009-09-18 13:55 . 2009-09-18 13:55 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Opera
2009-09-18 13:55 . 2009-09-18 13:55 -------- d-----w- c:\program files\Opera
2009-09-13 17:08 . 2009-09-13 17:09 -------- d-----w- C:\s
2009-09-13 16:44 . 2009-09-13 16:58 -------- d-----w- C:\images for shraddha

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 14:11 . 2009-10-05 14:11 110592 ----a-w- c:\documents and settings\amu\Application Data\Wplugin.dll
2009-10-05 14:11 . 2009-07-12 12:27 81920 ----a-w- c:\windows\system32\rm931256.dll
2009-10-05 14:11 . 2009-07-12 13:39 81920 ----a-w- c:\windows\system32\sm931256.dll
2009-10-05 14:11 . 2009-07-19 12:17 81920 ----a-w- c:\windows\system32\rt931256.dll
2009-10-05 14:11 . 2009-10-05 14:09 81920 ----a-w- c:\windows\system32\tf931256.dll
2009-10-05 12:29 . 2009-08-26 05:41 13029857 ----a-w- C:\Wndows media player10.exe
2009-10-05 08:53 . 1997-09-18 00:42 351744 ----a-w- c:\windows\sporder.exe
2009-10-04 09:29 . 2009-06-18 08:03 -------- d-----w- c:\program files\Google
2009-10-02 04:40 . 2009-09-22 07:05 110592 ----a-w- c:\documents and settings\bestameya\Application Data\Wplugin.dll
2009-10-01 09:50 . 2009-08-23 12:44 -------- d-----w- c:\program files\Trend Micro
2009-09-25 06:30 . 2009-07-02 05:35 327680 ----a-w- c:\program files\Uninstall_CDS.exe
2009-09-23 07:01 . 2009-07-16 14:09 2985984 ----a-w- C:\googletalk-setup.exe
2009-09-18 14:00 . 2009-09-03 07:14 4907822 ----a-w- C:\XCC_TFD_Shortcut_Installer.exe
2009-09-08 08:26 . 2004-09-24 10:29 82432 ----a-w- c:\windows\inst_tsp.exe
2009-09-08 08:20 . 2009-08-17 13:24 14559845 ----a-w- C:\RealPlayer11GOLD.exe
2009-08-26 05:44 . 2009-06-17 15:55 495616 ----a-w- c:\windows\system32\igfxtray.exe
2009-08-23 12:45 . 2009-08-23 12:45 110592 ----a-w- c:\documents and settings\LocalService\Application Data\Wplugin.dll
2009-08-23 12:41 . 2009-08-23 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Net Protector
2009-08-22 14:52 . 2009-08-22 14:52 16786 ----a-w- c:\windows\winsbak.reg
2009-08-22 14:52 . 2009-08-22 14:52 117900 ----a-w- c:\windows\winsbak2.reg
2009-08-22 07:44 . 2009-08-09 12:19 2318880 ----a-w- C:\install_flash_player.exe
2009-08-21 07:47 . 2009-08-21 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\POPWWPROFILES
2009-08-21 07:43 . 2009-08-17 13:16 1111729 ----a-w- C:\Jet Audio.EXE
2009-08-21 07:38 . 2009-06-17 15:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 06:33 . 2009-08-21 06:33 -------- d-----w- c:\program files\Common Files\Stardock
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Common Files\Real
2009-08-17 13:25 . 2009-06-17 16:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-17 13:25 . 2009-08-17 13:25 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Real
2009-08-16 06:50 . 2009-07-02 05:35 -------- d-----w- c:\program files\CyberLink DVD Solution
2009-08-16 05:57 . 2009-08-16 05:57 110592 ----a-w- c:\windows\Wplugin.dll
2009-07-25 08:23 . 2009-06-17 15:55 479232 ----a-w- c:\windows\system32\hkcmd.exe
2009-07-19 12:19 . 2009-06-17 15:52 397312 ----a-w- c:\windows\sttray.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-05 584952]
"Google Update"="c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-05 5292513]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2009-10-05 673280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-07-25 479232]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 176128]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3796992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-05 9039872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-21 816680]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-10-05 7622656]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2009-07-19 397312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-6-18 13946880]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-10-1 1830912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 06:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Valve\\Condition Zero\\czero.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"g:\\Age Of Empire-II The Conquerors on 192.168.1.74\\empires2.exe"=
"d:\\Call Of Duty\\CoDMP.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1715:TCP"= 1715:TCP:mdakgdc

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [7/2/2003 5:41 PM 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [7/2/2003 4:49 PM 124160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2009 12:12 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2009 12:12 PM 108552]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 9:05 PM 50704]
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1003Core.job
- c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 12:38]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1003UA.job
- c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 12:38]

2009-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1004Core.job
- c:\documents and settings\bestameya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 10:15]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1004UA.job
- c:\documents and settings\bestameya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 10:15]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {3436D55F-105F-442E-B870-441B555651CB} = 218.248.255.177 218.248.240.134
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-fsm - (no file)
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
Notify-WB - c:\program files\AlienGUIse\fastload.dll
AddRemove-AlienGUIse - c:\progra~1\ALIENG~1\thememgr.exe
AddRemove-Theme Manager - c:\progra~1\ALIENG~1\thememgr.exe
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 19:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2064)
c:\windows\system32\rm931256.dll
c:\windows\Wplugin.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\locator.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\program files\Cobian Backup 8\cbInterface.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-10-05 19:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 14:15

Pre-Run: 3,150,745,600 bytes free
Post-Run: 4,285,116,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:21 PM

Posted 05 October 2009 - 06:19 PM

That's ok. It will run along with AVG ok most of the time.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\documents and settings\amu\Application Data\Wplugin.dll
c:\documents and settings\bestameya\Application Data\Wplugin.dll
c:\windows\system32\rm931256.dll
c:\windows\system32\sm931256.dll
c:\windows\system32\rt931256.dll
c:\windows\system32\tf931256.dll
c:\windows\system32\pb931256.dll
c:\windows\system32\mx931256.dll
c:\windows\system32\sb931256.dll
c:\windows\system32\ne931256.dll
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



=======================


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
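A small triage script, added here as an example and not a tool from ComboFix, ESET or this thread: it parses the "Files Created" / "Find3M" line format of the ComboFix logs above, flags the two patterns the helper's CFScript targets (equal-sized xx931256.dll siblings in system32, and Wplugin.dll copied with identical size into several locations), and prints the matching `File::` section. The sample lines are copied from the logs in this thread; the grouping thresholds are assumptions, not ComboFix behaviour.

```python
"""ComboFix listing triage (added example, not part of ComboFix or this thread).

Parses the "Files Created" / "Find3M" line format shown in the logs above and
flags two patterns visible there, then renders a CFScript File:: section:
  1. equal-sized files in one directory whose names share a numeric tail and
     differ only in a short letter prefix (rm931256.dll, sm931256.dll, ...);
  2. one basename dropped with identical size into several locations
     (Wplugin.dll in user profiles plus c:\\windows).
The thresholds below are assumptions, not ComboFix behaviour.
"""
import re
from collections import defaultdict

# "<created> . <modified> <size or --------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# letters, then a numeric tail of at least four digits, then an extension
RANDOM_PREFIX_RE = re.compile(r"^([a-z]+)(\d{4,})\.([a-z0-9]+)$", re.I)

# Sample lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2009-10-05 14:11 . 2009-10-05 14:11 110592 ----a-w- c:\documents and settings\amu\Application Data\Wplugin.dll
2009-10-05 14:11 . 2009-07-12 12:27 81920 ----a-w- c:\windows\system32\rm931256.dll
2009-10-05 14:11 . 2009-07-12 13:39 81920 ----a-w- c:\windows\system32\sm931256.dll
2009-10-06 05:41 . 2009-10-06 05:41 81920 ----a-w- c:\windows\system32\uf931256.dll
2009-10-02 04:40 . 2009-09-22 07:05 110592 ----a-w- c:\documents and settings\bestameya\Application Data\Wplugin.dll
2009-08-16 05:57 . 2009-08-16 05:57 110592 ----a-w- c:\windows\Wplugin.dll
2009-08-17 13:25 . 2009-06-17 16:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-04 09:29 . 2009-06-18 08:03 -------- d-----w- c:\program files\Google
2009-07-25 08:23 . 2009-06-17 15:55 479232 ----a-w- c:\windows\system32\hkcmd.exe
"""


def parse_listing(text):
    """Return file entries from a listing; directory rows (size --------) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("size") == "--------":
            continue
        folder, _, name = m.group("path").rpartition("\\")
        entries.append({"path": m.group("path"), "dir": folder.lower(), "name": name,
                        "size": int(m.group("size")), "modified": m.group("modified")})
    return entries


def find_random_prefix_families(entries, min_members=2):
    """Group same-size files in one directory that share a numeric name tail."""
    groups = defaultdict(list)
    for e in entries:
        m = RANDOM_PREFIX_RE.match(e["name"])
        if m:
            tail, ext = m.group(2), m.group(3).lower()
            groups[(e["dir"], tail, ext, e["size"])].append(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


def find_replicated_basenames(entries, min_locations=3):
    """Find a basename present with identical size in several directories."""
    groups = defaultdict(set)
    for e in entries:
        groups[(e["name"].lower(), e["size"])].add(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_locations}


def build_cfscript(paths):
    """Render ComboFix's File:: section: one unquoted path per line."""
    return "File::\n" + "\n".join(dict.fromkeys(paths)) + "\n"


def triage(text):
    """Parse a listing, apply both heuristics and return the CFScript text."""
    entries = parse_listing(text)
    flagged = []
    for paths in find_random_prefix_families(entries).values():
        flagged.extend(paths)
    for paths in find_replicated_basenames(entries).values():
        flagged.extend(paths)
    return build_cfscript(flagged)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG), end="")
```

Legitimate files such as msvcr71.dll and hkcmd.exe are not flagged because they neither share a long numeric tail with a sibling nor recur in several directories; review the output by hand before using it, since the heuristics are only a starting point.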


========================================================

#8 im_adi

  • Topic Starter
  • Members
  • 24 posts
  • Local time:01:51 AM

Posted 06 October 2009 - 01:53 AM

Hello Sam!
I am done with all the instructions you told me to do.
So here I am posting the two logs which you asked me to put here.
Kindly inspect them and guide me further.

Thanks for your valuable help!

-Ad!

ComboFix 09-10-04.01 - amu 10/06/2009 11:06.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.460 [GMT 5.5:30]
Running from: d:\softwares\Essential Softwares\ComboFix.exe
Command switches used :: d:\softwares\Essential Softwares\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\amu\Application Data\Wplugin.dll"
"c:\documents and settings\bestameya\Application Data\Wplugin.dll"
"c:\windows\system32\mx931256.dll"
"c:\windows\system32\ne931256.dll"
"c:\windows\system32\pb931256.dll"
"c:\windows\system32\rm931256.dll"
"c:\windows\system32\rt931256.dll"
"c:\windows\system32\sb931256.dll"
"c:\windows\system32\sm931256.dll"
"c:\windows\system32\tf931256.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\bestameya\Application Data\Wplugin.dll
c:\windows\system32\mx931256.dll
c:\windows\system32\ne931256.dll
c:\windows\system32\pb931256.dll
c:\windows\system32\rm931256.dll
c:\windows\system32\rt931256.dll
c:\windows\system32\sb931256.dll
c:\windows\system32\sm931256.dll
c:\windows\system32\tf931256.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 05:41 . 2009-10-06 05:41 81920 ----a-w- c:\windows\system32\uf931256.dll
2009-10-06 05:36 . 2009-10-06 05:41 81920 ----a-w- c:\windows\system32\lg931256.dll
2009-10-05 09:53 . 2009-10-05 09:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-05 09:53 . 2009-10-05 10:33 -------- d-----w- c:\documents and settings\amu\Application Data\skypePM
2009-10-05 09:52 . 2009-10-05 12:23 -------- d-----w- c:\documents and settings\amu\Application Data\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----w- c:\program files\Common Files\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----r- c:\program files\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-05 08:41 . 2009-10-06 05:42 5077 ----a-w- c:\windows\system32\drivers\pgollm.sys
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\documents and settings\amu\Application Data\Malwarebytes
2009-10-04 08:48 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-04 08:48 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-04 08:34 . 2009-10-04 08:34 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Apple Computer
2009-10-04 07:30 . 2009-10-04 07:30 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\documents and settings\amu\Application Data\DonationCoder
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\program files\WinPcap
2009-10-04 07:30 . 2009-10-04 07:54 -------- d-----w- c:\program files\URLSnooper2
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-10-04 06:34 . 2009-10-04 07:42 -------- d-----w- c:\documents and settings\amu\Application Data\Software Informer
2009-10-04 06:34 . 2009-10-04 06:34 -------- d-----w- c:\program files\Software Informer
2009-10-04 06:34 . 2009-10-04 09:29 -------- d-----w- c:\documents and settings\amu\Application Data\Free Download Manager
2009-10-04 06:33 . 2009-10-04 06:34 -------- d-----w- c:\program files\Free Download Manager
2009-10-04 06:33 . 2009-10-04 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-10-02 04:40 . 2009-10-02 04:41 -------- d-----w- c:\documents and settings\bestameya\Application Data\Orbit
2009-10-01 13:50 . 2009-10-04 08:31 -------- d-----w- C:\downloads
2009-10-01 13:50 . 2009-10-01 13:50 -------- d-----w- c:\documents and settings\amu\Application Data\GrabPro
2009-10-01 13:50 . 2009-10-06 05:41 -------- d-----w- c:\documents and settings\amu\Application Data\Orbit
2009-10-01 13:50 . 2009-10-04 09:12 -------- d-----w- c:\program files\Orbitdownloader
2009-10-01 10:40 . 2009-10-01 10:40 -------- d-----w- c:\program files\Cobian Backup 8
2009-10-01 09:33 . 2009-10-01 09:33 12720 ----a-w- c:\documents and settings\amu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 11:37 . 2009-09-30 11:37 -------- d-----w- c:\documents and settings\bestameya\Local Settings\Application Data\WMTools Downloaded Files
2009-09-21 06:04 . 2009-09-21 06:04 -------- d-----w- c:\documents and settings\bestameya\Local Settings\Application Data\Opera
2009-09-18 15:58 . 2009-09-18 15:58 -------- d-----w- c:\documents and settings\amu\Application Data\AVG8
2009-09-18 15:42 . 2009-09-18 15:42 -------- d-----w- c:\windows\McAfee.com
2009-09-18 13:58 . 2009-09-18 14:00 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Temp
2009-09-18 13:55 . 2009-09-18 13:55 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Opera
2009-09-18 13:55 . 2009-09-18 13:55 -------- d-----w- c:\program files\Opera
2009-09-13 17:08 . 2009-09-13 17:09 -------- d-----w- C:\s
2009-09-13 16:44 . 2009-09-13 16:58 -------- d-----w- C:\images for shraddha

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 05:41 . 2009-10-06 05:41 110592 ----a-w- c:\documents and settings\amu\Application Data\Wplugin.dll
2009-10-05 12:29 . 2009-08-26 05:41 13029857 ----a-w- C:\Wndows media player10.exe
2009-10-05 08:53 . 1997-09-18 00:42 351744 ----a-w- c:\windows\sporder.exe
2009-10-04 09:29 . 2009-06-18 08:03 -------- d-----w- c:\program files\Google
2009-10-01 09:50 . 2009-08-23 12:44 -------- d-----w- c:\program files\Trend Micro
2009-09-25 06:30 . 2009-07-02 05:35 327680 ----a-w- c:\program files\Uninstall_CDS.exe
2009-09-23 07:01 . 2009-07-16 14:09 2985984 ----a-w- C:\googletalk-setup.exe
2009-09-18 14:00 . 2009-09-03 07:14 4907822 ----a-w- C:\XCC_TFD_Shortcut_Installer.exe
2009-09-08 08:26 . 2004-09-24 10:29 82432 ----a-w- c:\windows\inst_tsp.exe
2009-09-08 08:20 . 2009-08-17 13:24 14559845 ----a-w- C:\RealPlayer11GOLD.exe
2009-08-26 05:44 . 2009-06-17 15:55 495616 ----a-w- c:\windows\system32\igfxtray.exe
2009-08-23 12:45 . 2009-08-23 12:45 110592 ----a-w- c:\documents and settings\LocalService\Application Data\Wplugin.dll
2009-08-23 12:41 . 2009-08-23 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Net Protector
2009-08-22 14:52 . 2009-08-22 14:52 16786 ----a-w- c:\windows\winsbak.reg
2009-08-22 14:52 . 2009-08-22 14:52 117900 ----a-w- c:\windows\winsbak2.reg
2009-08-22 07:44 . 2009-08-09 12:19 2318880 ----a-w- C:\install_flash_player.exe
2009-08-21 07:47 . 2009-08-21 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\POPWWPROFILES
2009-08-21 07:43 . 2009-08-17 13:16 1111729 ----a-w- C:\Jet Audio.EXE
2009-08-21 07:38 . 2009-06-17 15:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 06:33 . 2009-08-21 06:33 -------- d-----w- c:\program files\Common Files\Stardock
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Common Files\Real
2009-08-17 13:25 . 2009-06-17 16:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-17 13:25 . 2009-08-17 13:25 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Real
2009-08-16 06:50 . 2009-07-02 05:35 -------- d-----w- c:\program files\CyberLink DVD Solution
2009-08-16 05:57 . 2009-08-16 05:57 110592 ----a-w- c:\windows\Wplugin.dll
2009-07-25 08:23 . 2009-06-17 15:55 479232 ----a-w- c:\windows\system32\hkcmd.exe
2009-07-19 12:19 . 2009-06-17 15:52 397312 ----a-w- c:\windows\sttray.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-05 584952]
"Google Update"="c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-05 5292513]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2009-10-05 673280]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-07-25 479232]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 176128]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3796992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-05 9039872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-21 816680]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-10-05 7622656]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2009-07-19 397312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-6-18 13946880]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-10-1 1830912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 06:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Valve\\Condition Zero\\czero.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"g:\\Age Of Empire-II The Conquerors on 192.168.1.74\\empires2.exe"=
"d:\\Call Of Duty\\CoDMP.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1715:TCP"= 1715:TCP:mdakgdc

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [7/2/2003 5:41 PM 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [7/2/2003 4:49 PM 124160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2009 12:12 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2009 12:12 PM 108552]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 MCIDRV_2600_6_0;MCIDRV_2600_6_0;c:\windows\system32\drivers\pgollm.sys [10/5/2009 2:11 PM 5077]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 9:05 PM 50704]
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1003Core.job
- c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 12:38]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1003UA.job
- c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 12:38]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1004Core.job
- c:\documents and settings\bestameya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 10:15]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1004UA.job
- c:\documents and settings\bestameya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 10:15]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {3436D55F-105F-442E-B870-441B555651CB} = 218.248.255.177 218.248.240.134
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 11:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2844)
c:\windows\Wplugin.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\windows\system32\locator.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Cobian Backup 8\cbInterface.exe
.
**************************************************************************
.
Completion time: 2009-10-06 11:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 05:45
ComboFix2.txt 2009-10-05 14:15

Pre-Run: 4,251,529,216 bytes free
Post-Run: 4,224,000,000 bytes free

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=83a5bf84d9f91f498386a7cb589d686f
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-06 06:34:33
# local_time=2009-10-06 12:04:33 (+0530, India Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1027 21 66 12 10331995878644
# scanned=56218
# found=243
# cleaned=234
# scan_time=2396
C:\Documents and Settings\bestameya\Local Settings\Application Data\Google\Chrome\Application\4.0.206.1\Installer\setup.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\bestameya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\LocalService\Application Data\Wplugin.dll Win32/TrojanProxy.Agent.NES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Uninstall_CDS.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Cobian Backup 8\cbDecompressor.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Cobian Backup 8\cbDecryptorW.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Cobian Backup 8\cbInterface.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\Program Files\Cobian Backup 8\cbService.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Cobian Backup 8\cbTranslator.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Cobian Backup 8\cbUninstall.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\CyberLink DVD Solution\PowerProducer\Producer.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\CyberLink DVD Solution\PowerProducer\OLRSubmission\OLRStateCheck.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\CyberLink DVD Solution\PowerProducer\OLRSubmission\OLRSubmission.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Free Download Manager\fdm.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Free Download Manager\fdmwi.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Free Download Manager\Updater.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Google\Google Talk\googletalk.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\InstallShield Installation Information\{B97CF5C3-0487-11D8-A36E-0050BAE317E1}\Setup.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\InstallShield Installation Information\{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}\Setup.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\InstallShield Installation Information\{E0AD4033-D89B-11D7-97C2-00055D0CA761}\Setup.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Intel\NCS2\WMIProv\ncs2prov.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Intel\NCS2\WMIProv\NCSDiag.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\Program Files\IVT Corporation\BlueSoleil\gprs.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\IVT Corporation\BlueSoleil\hid2hci.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\IVT Corporation\BlueSoleil\mhid.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\Real\Update_OB\upgrdhlp.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\tools\3ivxConfig.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\tools\avifixed.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\tools\fourcc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\tools\lamedropxpd.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\tools\minicalc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\tools\StatsReader.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\tools\VobSubStrip.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\K-Lite Codec Pack\tools\gspot\gspot.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Messenger\msmsgs.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MSN\MSNIA\msniasvc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MSN\MSNIA\prestp.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MSN\MsnInstaller\msninst.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Orbitdownloader\Grab.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Orbitdownloader\orbitdm.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\Program Files\Real\RealPlayer\fixrjb.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Real\RealPlayer\realjbox.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Real\RealPlayer\rphelperapp.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\HDAQFE\srvrtm\us\kb888111srvrtm.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\HDAQFE\win2k3\jpn\KB901105.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\HDAQFE\win2k3\us\kb901105.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\HDAQFE\win2ksp4\us\kb888111w2ksp4.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\HDAQFE\win2k_xp\us\kb835221.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\HDAQFE\xpsp1\us\kb888111xpsp1.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\HDAQFE\xpsp2\us\kb888111xpsp2.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\STACGUI\stacsv.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\STACGUI\sttray.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SigmaTel\C-Major Audio\WDM\suhlp.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Skype\Plugin Manager\skypePM.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Software Informer\softinfo.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Total Video Converter\Kdc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Total Video Converter\MediaBurner.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Total Video Converter\regsvr32.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Total Video Converter\tvc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Total Video Converter\tvp.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\URLSnooper2\URLSnooper.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\VideoLAN\VLC\vlc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Windows NT\hypertrm.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\WinRAR\Rar.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\WinRAR\RarExtLoader.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\WinRAR\Uninstall.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\WinRAR\UnRAR.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\WinRAR\WinRAR.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\[4]-Submit_2009-10-06_11.06.19.zip multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\mx931256.dll.vir Win32/Sality.AD virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ne931256.dll.vir Win32/Sality.AD virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\rm931256.dll.vir Win32/Sality.AD virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\rt931256.dll.vir Win32/Sality.AD virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\sb931256.dll.vir Win32/Sality.AD virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\sm931256.dll.vir Win32/Sality.AD virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\_apfycs_.dll.zip Win32/Conficker.X worm (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\inst_tsp.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\killproc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\sporder.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\sttray.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\WINDOWS\Wplugin.dll Win32/TrojanProxy.Agent.NES trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\ws2help.dll Win32/Agent.NAG virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\ERDNT\subs\ERDNT.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\ie7\ie4uinit.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\ie7\iedw.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\ie7\iexplore.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\ie7\mshta.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\ie7\spuninst\ieResetIcons.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Installer\{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}\ARPPRODUCTICON.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Installer\{716E0306-8318-4364-8B8F-0CC4E9376BAC}\icon.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814234.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814236.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\McAfee.com\FreeScan\avdat.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\setup_wm.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\uwdf.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfmgr.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\logagent.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\migrate.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\unregmp2.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmlaunch.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpenc.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmplayer.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\f}931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\hkcmd.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\WINDOWS\system32\igfxpers.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\WINDOWS\system32\igfxtray.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\kr931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\lg931256.dll Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\lg931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\mx931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\nc931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\ne931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\nv931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\pb931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\rm294609.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\rm931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\rt931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\sb931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\sm931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\stacsv.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\tf931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\uf931256.dll Win32/Sality.AD virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\uf931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\vj931256.dl_ Win32/Sality.AD virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\9C-67AF9.EXE Win32/FlyStudio.NTT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\cnvpe.fne probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\d83a70.exe Win32/TrojanDownloader.FlyStudio.R trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\eAPI.fne probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\J0-02C95.EXE Win32/FlyStudio.NUR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\shell.fne probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\spec.fne probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\TPULETE2.EXE Win32/FlyStudio.NUE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\V5-119B5.EXE Win32/FlyStudio.NTZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\winxp18.exe Win32/FlyStudio.NTT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\winxp68.exe Win32/FlyStudio.NTZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\WPULETE2.EXE Win32/FlyStudio.NUR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\XX-C7CFA.EXE Win32/TrojanDownloader.FlyStudio.R trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\BD8A2D\Z8-AEF39.EXE Win32/FlyStudio.NUE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\pgollm.sys Win32/KillAV.NE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Call Of Duty\CoDMP.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Call Of Duty\Uninstall\UNWISE.EXE Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\counter strike condition zero\install.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\DESERT STROM2\Copy (2) of CDS II.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\DESERT STROM2\Copy of CDS II.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\gAMES\bleem1_6bBETA.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\gAMES\dw.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\gAMES\eula.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\gAMES\UNINSTAL.EXE Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\gAMES\cheat 05\base2005.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\gAMES\cheat 2006\setup.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\gAMES\cheatbook2006\base2006.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\gAMES\harry potter 3\hppoa.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\gAMES\NFS7\SetupReg.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\gAMES\NFS7\trainer.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\gAMES\NFS7\setup\gendel32.ex_ Win32/HackTool.Gendel.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\gAMES\NFS7\setup\uninst.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\gAMES\SaveData\Bin\SeriousSam.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\gAMES\VCop2\VCop2.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\gAMES\vicecity\GTA Vice City\ims_GTA3_1.1.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\gAMES\Virtua_Squad_1\INSTALL.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\GTA3\mythxpak.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\GTA3\audio\copybyte.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\Neighboours From Hell\BIN\trainer.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\NFS MOST WANTED\New Folder\safemode_inst.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\NFS MOST WANTED\New Folder\Support\Need for Speed Most Wanted_code.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\NFS MOST WANTED\Support\EasyInfo.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Nightfire\EA Support\James Bond 007 Nightfire_eReg.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Softwares\avg_free_stb_as_8_32.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Softwares\IE7-WindowsXP-x86-enu.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Softwares\Essential Softwares\cobian_backup_Setup8.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
D:\Softwares\Essential Softwares\HandBrake-0.9.3-Win_GUI.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Softwares\Essential Softwares\HJTInstall.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Softwares\Essential Softwares\Recuva_setup131.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Softwares\Essential Softwares\URLSnooperSetup.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Softwares\Essential Softwares\windirstat1_1_2_setup.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Valve\Condition Zero\steaminstall.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\Freedom Fighters\config.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\Freedom Fighters\uninstall.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\Freedom Fighters\UNWISE.EXE Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\Freedom Fighters\EReg\Freedom Fighters_Code.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\Freedom Fighters\EReg\Freedom Fighters_eReg.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\Freedom Fighters\EReg\Freedom Fighters_uninst.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\GTA San Andreas\gta_sa.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\max payne 2\BugReport.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
E:\Program Files\GameSpy Arcade\Aphex.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
E:\Program Files\GameSpy Arcade\GSAPak.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\NEED FOR SPEED U.2\SetupReg.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\NEED FOR SPEED U.2\Speed.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
F:\NEED FOR SPEED U.2\3DSetup\3DSetup.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
F:\NEED FOR SPEED U.2\setup\gendel32.ex_ Win32/HackTool.Gendel.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
F:\NEED FOR SPEED U.2\setup\uninst.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\Spoken English\EngHindiDict1.exe probably a variant of Win32/Spy.Banker trojan (deleted - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy (2) of FUN\COLORS.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy (2) of FUN\CURSOR_1.EXE Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy (2) of FUN\DANCING.SCR Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy (2) of FUN\Firework.scr Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy (2) of FUN\FishDemo.scr Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy of FUN\COLORS.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy of FUN\DANCING.SCR Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy of FUN\Firework.scr Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy of FUN\FishDemo.scr Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\Copy of FUN\HEAVEN.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\COLORS.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\DANCING.SCR Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\Double Desktop.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\Firework.scr Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\FishDemo.scr Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\HEAVEN.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\IQTEST.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\IQTestIII.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\love %age.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\lovecalc95.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\Match Maker.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\Neko98.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\PARTICLE.EXE Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\PIANO.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\Postit.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\SCParticleFire.scr Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\SNOWFALL.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\TK.EXE Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\WifeName.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\TIME PASS VIDEOS\FUN\Windows 98 (high color).scr Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
G:\Age Of Empire-II The Conquerors on 192.168.1.74\age2_x1.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
G:\Age Of Empire-II The Conquerors on 192.168.1.74\empires2.exe Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
G:\Age Of Empire-II The Conquerors on 192.168.1.74\SETUPREG.EXE Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
G:\Prince of Persia - Warrier Within\Crack\POP2.EXE Win32/Agent.NAG virus (deleted - quarantined) 00000000000000000000000000000000 C
${Memory} multiple threats 00000000000000000000000000000000 C

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:21 PM

Posted 06 October 2009 - 07:32 AM

What a mess.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Note: If you have problems with DrWeb shutting down before it completes the scan you can perform a custom scan and select individual folders to scan. In that case start with C:\Windows\System32


Please post the contents of the log from DrWeb in your next reply.

Also post a new log from Combofix.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
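The two reports exchanged in this thread share a simple line-oriented layout: the ESET log above is `path  threat-name  (action)  32-character field  status letter`, and the DrWeb.csv that Dr.Web CureIt saves is `file;folder;threat;action;`. The following parser is an added example written for this page; it is not part of the thread and not tooling from either vendor. The sample lines are constructed to mirror entries from the thread, and the summary it produces (detections per threat, plus every file whose action contains "error") is an assumed choice of what a helper would want to check, not anything the scanners themselves report. The practical point of that second list: an executable the scanner cannot clean is normally one that was running at the time, and with a file infector such as Sality those running copies stay infected and will re-infect the cleaned files as soon as they are launched again, so they have to be dealt with from a scan in which they are not running.

```python
"""Parse and summarise the two scanner report formats posted in this thread.

Added example, not part of the original thread or of either scanner's tooling.
ESET layout:  <path> <threat name> (<action>) <32-char field> <status letter>
DrWeb.csv:    <file>;<folder>;<threat>;<action>;
The sample text below is constructed from the same layout as the thread's logs.
"""
import re
from collections import Counter

# Constructed sample of ESET-style lines (two entries could not be cleaned).
ESET_SAMPLE = """\
C:\\Program Files\\Google\\Google Talk\\googletalk.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\hkcmd.exe Win32/Sality.NAS virus (error while cleaning) 00000000000000000000000000000000 I
C:\\WINDOWS\\ws2help.dll Win32/Agent.NAG virus (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
D:\\gAMES\\cheat 05\\base2005.exe Win32/Sality.NAS virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\\WINDOWS\\system32\\BD8A2D\\cnvpe.fne probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} multiple threats 00000000000000000000000000000000 C
"""

# Constructed sample of DrWeb.csv lines (file;folder;threat;action;).
DRWEB_SAMPLE = """\
wplugin.dll;c:\\windows;Trojan.PWS.MSNPass.75;Deleted.;
~11db9be.tmp;C:\\Documents and Settings\\amu\\Local Settings\\temp;Win32.Sector.4;Deleted.;
"""

# Splits "<path> <threat>" once the trailing "(action)" has been removed.
# Paths may contain spaces, so the threat name is recognised from the right.
THREAT_RE = re.compile(
    r"^(?P<path>.*?)\s+"
    r"(?P<threat>(?:probably a variant of )?Win32/\S+ \w+|multiple threats)$"
)


def parse_eset_line(line):
    """Return a dict for one ESET report line, or None if it does not match."""
    line = line.strip()
    try:
        head, field, status = line.rsplit(" ", 2)
    except ValueError:
        return None
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", field) or not re.fullmatch(r"[A-Z]", status):
        return None
    action = None
    if head.endswith(")"):
        # Walk back to the matching "(" so that nested parentheses such as
        # "(deleted (after the next restart) - quarantined)" stay intact.
        depth = 0
        for i in range(len(head) - 1, -1, -1):
            if head[i] == ")":
                depth += 1
            elif head[i] == "(":
                depth -= 1
                if depth == 0:
                    action = head[i + 1:-1]
                    head = head[:i].rstrip()
                    break
    m = THREAT_RE.match(head)
    if not m:
        return None
    return {"path": m["path"], "threat": m["threat"], "action": action, "status": status}


def parse_drweb_line(line):
    """Return a dict for one DrWeb.csv line, or None for blank/short lines."""
    parts = line.strip().split(";")
    if len(parts) < 4 or not parts[0]:
        return None
    name, folder, threat, action = parts[:4]
    return {"path": folder.rstrip("\\") + "\\" + name, "threat": threat,
            "action": action.rstrip("."), "status": None}


def parse_report(text, line_parser):
    """Parse every line of a report with the given per-line parser."""
    return [r for r in (line_parser(l) for l in text.splitlines()) if r]


def summarise(records):
    """Count detections per threat and list files the scanner failed to clean.

    A failed clean on an executable usually means the file was open (running)
    during the scan; for a file infector those copies are still infected.
    """
    by_threat = Counter(r["threat"] for r in records)
    still_infected = sorted(r["path"] for r in records
                            if r["action"] and "error" in r["action"].lower())
    return by_threat, still_infected


if __name__ == "__main__":
    for label, text, parser in (("ESET", ESET_SAMPLE, parse_eset_line),
                                ("DrWeb", DRWEB_SAMPLE, parse_drweb_line)):
        counts, failed = summarise(parse_report(text, parser))
        print(label, dict(counts))
        for path in failed:
            print("  not cleaned (probably running):", path)
```

Running it on the real logs means feeding the saved report text to `parse_report` in place of the samples. The list of files that were not cleaned is the one to compare against the running-process section of a HijackThis log: each match is a process that must be stopped, or cleaned from outside the infected Windows session, before the machine can be considered clean.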


========================================================

#10 im_adi

im_adi
  • Topic Starter

  • Members
  • 24 posts
  • Local time:01:51 AM

Posted 06 October 2009 - 10:29 AM

Hello Sam!
Again I did whatever you told me....
During the scan from DrWeb, it asked me if I wanted to download the trial version.... I ignored it.
Then it detected ComboFix itself as a virus and moved it somewhere... so I had to download ComboFix again to get a new log.
There was some monalisa file which was not curable by Dr.Web, which I asked it to move. Hope I did right.

So here I am posting that CSV log from Dr.Web and also the new ComboFix log.

Kindly have a look at it and guide me further.

Thanks for your valuable help!

-Ad!



wplugin.dll;c:\windows;Trojan.PWS.MSNPass.75;Deleted.;
Wplugin.dll;C:\Documents and Settings\amu\Application Data;Trojan.PWS.MSNPass.75;Deleted.;
~11db9be.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1285275.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~128fe80.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~12ab59a.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~12bd9d2.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~12ebfc8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1311667.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~13477e0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~14d30c0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~15f2f3e.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~15ffcc0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~16132f2.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~162b596.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~162b606.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~18f09c8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1921de0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~192e420.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1946b40.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1946c38.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~19b4890.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~19b4a08.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~19e2e11.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~19ed7b5.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1c1c7db.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1c53e6d.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1da1c88.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1dae150.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1f0e2bc.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1f1d6e0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1f798e6.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1f9891c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1fab7d8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2021bea.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2024b98.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2024dc6.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2024ee6.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~20ffbb0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~21483d8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2207891.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2218879.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~223a2ea.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~224ae23.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~22527cc.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~225bc06.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~225bcb6.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~229f652.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~22b058a.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~24faf86.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~251986e.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~256902c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~25ea3c8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~27495f8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2837404.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~28550b5.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~28cf3c9.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~28d6fc9.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~28eb121.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2906fb.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~29c55ea.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~29f2ff4.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2b7a586.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2bcff48.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2bd046c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2be5b18.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2bfb528.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2bffc74.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2c110ea.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2c56b2c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2d1f31f.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2e6789e.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2eac511.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2ed9fac.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2ee658.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2f1f9d5.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2f4dd94.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2f4de84.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~2f81595.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3026ffd.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~30328fe.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~303abbf.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~303b085.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~319397c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~31b027.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~31b0850.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~31f9d2.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~32123c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~32126b.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3212aa0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~322ae50.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~322b04.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~32439d0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~325c26.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~32753c0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3369020.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~33c5b50.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~33c5d02.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3410304.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~34c17c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~34c293.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~34e55bf.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~354da34.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~354db44.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3567b5e.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3581e86.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~359ca0c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3aaa6e.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3b2b08.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3cb7995.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3d045c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3e5525e.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~3ef7fc0.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~4075fa.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~407a04.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~63a97b.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~642498.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~648798.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~651b4c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~6f111a.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~755422.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~768742.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~95a40b.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~963771.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~980421.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~a6991a.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~a69aee.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~ab6f15.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~ab6f42.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~c5fe08.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~c7e788.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~c7e804.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~c84a28.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~c84ae4.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~c8accc.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~c972cc.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~cab06c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~cab128.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~e494d8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~eaa97c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~eaa9b8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~ed0d8c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~ed0dc8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~ed0e44.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~ed0f40.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~ed70a8.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~ed7128.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f41130.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f77c9f.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f77d3a.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f77e75.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f7f79c.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f871f9.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f872e4.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f9661d.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~f9e255.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~fa5d02.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~fad7af.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
msnsusii.exe;C:\Program Files\MSN\MSNCoreFiles\Install;Win32.Sector.4;Cured.;
grep.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
NIRCMD.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
PEV.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
sed.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
SWREG.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
SWSC.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
SWXCACLS.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
Wplugin.dll;C:\WINDOWS;Trojan.PWS.MSNPass.75;Deleted.;
zip.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
ctfmon.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
explorer.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
lsass.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
ntkrnlpa.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
ntoskrnl.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
services.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
spoolsv.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
svchost.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
userinit.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
winlogon.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
wscntfy.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
wuauclt.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
ERDNT.EXE;C:\WINDOWS\ERDNT\Hiv-backup;Win32.Sector.4;Cured.;
mx931256.dl_;C:\WINDOWS\system32;Win32.Sector.4;Deleted.;
ne931256.dl_;C:\WINDOWS\system32;Win32.Sector.4;Deleted.;
rm931256.dl_;C:\WINDOWS\system32;Win32.Sector.4;Deleted.;
rt931256.dl_;C:\WINDOWS\system32;Win32.Sector.4;Deleted.;
sb931256.dl_;C:\WINDOWS\system32;Win32.Sector.4;Deleted.;
sm931256.dl_;C:\WINDOWS\system32;Win32.Sector.4;Deleted.;
uf931256.dl_;C:\WINDOWS\system32;Win32.Sector.4;Deleted.;
trainer.exe;D:\gAMES\NFS7;Win32.Sector.4;Cured.;
trainer.exe;D:\gAMES\NFS7;Trojan.PWS.Gamania.6747;Deleted.;
ComboFix.exe\32788R22FWJFW\c.bat;D:\Softwares\Essential Softwares\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe;D:\Softwares\Essential Softwares;Archive contains infected objects;Moved.;
Monalisa.exe;F:\TIME PASS VIDEOS\FUN;Joke.Mona;;

ComboFix 09-10-05.01 - amu 10/06/2009 20:48.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.404 [GMT 5.5:30]
Running from: d:\softwares\Essential Softwares\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 15:12 . 2009-10-06 15:03 110592 ----a-w- c:\windows\Wplugin.dll
2009-10-06 13:07 . 2009-10-06 14:12 -------- d-----w- c:\documents and settings\amu\DoctorWeb
2009-10-06 05:49 . 2009-10-06 05:49 -------- d-----w- c:\program files\ESET
2009-10-05 09:53 . 2009-10-05 09:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-05 09:53 . 2009-10-05 10:33 -------- d-----w- c:\documents and settings\amu\Application Data\skypePM
2009-10-05 09:52 . 2009-10-05 12:23 -------- d-----w- c:\documents and settings\amu\Application Data\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----w- c:\program files\Common Files\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----r- c:\program files\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\documents and settings\amu\Application Data\Malwarebytes
2009-10-04 08:48 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-04 08:48 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-04 08:34 . 2009-10-04 08:34 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Apple Computer
2009-10-04 07:30 . 2009-10-04 07:30 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\documents and settings\amu\Application Data\DonationCoder
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\program files\WinPcap
2009-10-04 07:30 . 2009-10-06 05:58 -------- d-----w- c:\program files\URLSnooper2
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-10-04 06:34 . 2009-10-04 07:42 -------- d-----w- c:\documents and settings\amu\Application Data\Software Informer
2009-10-04 06:34 . 2009-10-06 05:58 -------- d-----w- c:\program files\Software Informer
2009-10-04 06:34 . 2009-10-04 09:29 -------- d-----w- c:\documents and settings\amu\Application Data\Free Download Manager
2009-10-04 06:33 . 2009-10-06 05:56 -------- d-----w- c:\program files\Free Download Manager
2009-10-04 06:33 . 2009-10-04 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-10-02 04:40 . 2009-10-02 04:41 -------- d-----w- c:\documents and settings\bestameya\Application Data\Orbit
2009-10-01 13:50 . 2009-10-04 08:31 -------- d-----w- C:\downloads
2009-10-01 13:50 . 2009-10-01 13:50 -------- d-----w- c:\documents and settings\amu\Application Data\GrabPro
2009-10-01 13:50 . 2009-10-06 15:13 -------- d-----w- c:\documents and settings\amu\Application Data\Orbit
2009-10-01 13:50 . 2009-10-06 13:21 -------- d-----w- c:\program files\Orbitdownloader
2009-10-01 10:40 . 2009-10-06 05:56 -------- d-----w- c:\program files\Cobian Backup 8
2009-10-01 09:33 . 2009-10-01 09:33 12720 ----a-w- c:\documents and settings\amu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 11:37 . 2009-09-30 11:37 -------- d-----w- c:\documents and settings\bestameya\Local Settings\Application Data\WMTools Downloaded Files
2009-09-21 06:04 . 2009-09-21 06:04 -------- d-----w- c:\documents and settings\bestameya\Local Settings\Application Data\Opera
2009-09-18 15:58 . 2009-09-18 15:58 -------- d-----w- c:\documents and settings\amu\Application Data\AVG8
2009-09-18 15:42 . 2009-09-18 15:42 -------- d-----w- c:\windows\McAfee.com
2009-09-18 13:58 . 2009-09-18 14:00 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Temp
2009-09-18 13:55 . 2009-09-18 13:55 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Opera
2009-09-18 13:55 . 2009-09-18 13:55 -------- d-----w- c:\program files\Opera
2009-09-13 17:08 . 2009-09-13 17:09 -------- d-----w- C:\s
2009-09-13 16:44 . 2009-09-13 16:58 -------- d-----w- C:\images for shraddha

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 15:21 . 2009-10-06 15:21 110592 ----a-w- c:\documents and settings\amu\Application Data\Wplugin.dll
2009-10-06 05:58 . 2009-06-17 16:10 -------- d-----w- c:\program files\Total Video Converter
2009-10-05 12:29 . 2009-08-26 05:41 13029857 ----a-w- C:\Wndows media player10.exe
2009-10-05 08:53 . 1997-09-18 00:42 7680 ----a-w- c:\windows\sporder.exe
2009-10-04 09:29 . 2009-06-18 08:03 -------- d-----w- c:\program files\Google
2009-10-01 09:50 . 2009-08-23 12:44 -------- d-----w- c:\program files\Trend Micro
2009-09-25 06:30 . 2009-07-02 05:35 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-09-23 07:01 . 2009-07-16 14:09 2985984 ----a-w- C:\googletalk-setup.exe
2009-09-18 14:00 . 2009-09-03 07:14 4907822 ----a-w- C:\XCC_TFD_Shortcut_Installer.exe
2009-09-08 08:26 . 2004-09-24 10:29 25088 ----a-w- c:\windows\inst_tsp.exe
2009-09-08 08:20 . 2009-08-17 13:24 14559845 ----a-w- C:\RealPlayer11GOLD.exe
2009-08-26 05:44 . 2009-06-17 15:55 94208 ----a-w- c:\windows\system32\igfxtray.exe
2009-08-23 12:41 . 2009-08-23 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Net Protector
2009-08-22 14:52 . 2009-08-22 14:52 16786 ----a-w- c:\windows\winsbak.reg
2009-08-22 14:52 . 2009-08-22 14:52 117900 ----a-w- c:\windows\winsbak2.reg
2009-08-22 07:44 . 2009-08-09 12:19 2318880 ----a-w- C:\install_flash_player.exe
2009-08-21 07:47 . 2009-08-21 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\POPWWPROFILES
2009-08-21 07:43 . 2009-08-17 13:16 1111729 ----a-w- C:\Jet Audio.EXE
2009-08-21 07:38 . 2009-06-17 15:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 06:33 . 2009-08-21 06:33 -------- d-----w- c:\program files\Common Files\Stardock
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Common Files\Real
2009-08-17 13:25 . 2009-06-17 16:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-17 13:25 . 2009-08-17 13:25 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Real
2009-08-16 06:50 . 2009-07-02 05:35 -------- d-----w- c:\program files\CyberLink DVD Solution
2009-07-25 08:23 . 2009-06-17 15:55 479232 ----a-w- c:\windows\system32\hkcmd.exe
2009-07-19 12:19 . 2009-06-17 15:52 397312 ----a-w- c:\windows\sttray.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-05_14.11.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-17 15:52 . 2006-07-27 06:23 86016 c:\windows\system32\stacsv.exe
+ 2009-07-04 08:53 . 2009-09-08 08:29 73728 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmplayer.exe
+ 2009-07-04 08:53 . 2009-09-08 08:29 28672 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpenc.exe
+ 2009-07-04 08:53 . 2009-09-08 08:29 96768 c:\windows\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\logagent.exe
+ 2009-07-04 08:53 . 2009-10-05 08:52 38912 c:\windows\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfmgr.exe
+ 2009-07-04 08:53 . 2009-10-05 08:52 47104 c:\windows\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\uwdf.exe
+ 2007-07-13 06:24 . 2009-09-25 06:39 24576 c:\windows\McAfee.com\FreeScan\avdat.exe
+ 2004-10-31 12:35 . 2004-10-31 12:35 30720 c:\windows\killproc.exe
+ 2009-07-04 09:12 . 2009-08-12 10:43 49152 c:\windows\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814236.exe
+ 2009-06-17 15:39 . 2009-08-12 10:43 32768 c:\windows\Installer\{716E0306-8318-4364-8B8F-0CC4E9376BAC}\icon.exe
+ 2009-06-17 15:49 . 2009-09-08 08:25 40960 c:\windows\Installer\{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}\ARPPRODUCTICON.exe
+ 2009-06-18 07:48 . 2009-09-08 08:24 66048 c:\windows\ie7\spuninst\ieResetIcons.exe
+ 2009-06-18 07:47 . 2009-10-05 08:47 29184 c:\windows\ie7\mshta.exe
+ 2009-06-18 07:47 . 2004-08-04 01:07 93184 c:\windows\ie7\iexplore.exe
+ 2009-06-18 07:47 . 2009-09-08 08:23 18432 c:\windows\ie7\iedw.exe
+ 2009-06-18 07:47 . 2009-08-12 10:40 34304 c:\windows\ie7\ie4uinit.exe
+ 2009-07-04 09:12 . 2009-09-08 08:26 5120 c:\windows\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814234.exe
+ 2009-07-04 08:53 . 2009-09-08 08:29 122880 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmlaunch.exe
+ 2009-07-04 08:53 . 2009-10-05 08:52 192512 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\unregmp2.exe
+ 2009-07-04 08:53 . 2009-09-25 06:41 991232 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\migrate.exe
+ 2009-06-17 15:25 . 2009-09-08 08:25 166400 c:\windows\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-05 584952]
"Google Update"="c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-05 5292513]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2009-10-05 673280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-07-25 479232]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 176128]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3796992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-05 9039872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-21 816680]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-10-05 7622656]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2009-07-19 397312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-6-18 13946880]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-10-1 1830912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 06:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Valve\\Condition Zero\\czero.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1715:TCP"= 1715:TCP:mdakgdc

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [7/2/2003 5:41 PM 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [7/2/2003 4:49 PM 124160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2009 12:12 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2009 12:12 PM 108552]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 9:05 PM 50704]
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1003Core.job
- c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 12:38]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1003UA.job
- c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 12:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {3436D55F-105F-442E-B870-441B555651CB} = 218.248.255.177 218.248.240.134
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 20:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2336)
c:\windows\Wplugin.dll
.
Completion time: 2009-10-06 20:52
ComboFix-quarantined-files.txt 2009-10-06 15:22
ComboFix2.txt 2009-10-06 05:45
ComboFix3.txt 2009-10-05 14:15

Pre-Run: 4,260,184,064 bytes free
Post-Run: 4,254,212,096 bytes free


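The Dr.Web report in the post above is a semicolon-separated list, one detection per line: object name, directory, threat name, and the action taken (the action field is empty when Dr.Web only reported the object, as for Monalisa.exe and the batch file inside the ComboFix archive). The following Python is an added example, not part of the thread and not Dr.Web's or ComboFix's own tooling, that parses a constructed subset of that report and pulls out what a responder wants to know first: which detections were "Cured" rather than deleted (a file infector such as Dr.Web's Win32.Sector family, its name for the Sality infector, modifies host executables, so every "Cured" entry is a program that was carrying the infector's code, and the entries under C:\WINDOWS\ERDNT\cache are ComboFix's own backup copies of core Windows binaries), whether the infector reached ComboFix's helper tools in C:\WINDOWS (which is why the scanner then quarantined the ComboFix archive itself), and which detections still need a manual decision. The list of ComboFix tool names is taken from the report above; the family grouping simply strips the numeric variant suffix from the threat name.

```python
"""Triage a Dr.Web CureIt CSV report (added example; not from the original thread).

Each report line has the shape   object;directory;threat;action;
where the action is "Deleted.", "Cured.", "Moved." or empty (nothing done).
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the lines from the report above, same format.
SAMPLE_REPORT = r"""
wplugin.dll;c:\windows;Trojan.PWS.MSNPass.75;Deleted.;
Wplugin.dll;C:\Documents and Settings\amu\Application Data;Trojan.PWS.MSNPass.75;Deleted.;
~11db9be.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
~1285275.tmp;C:\Documents and Settings\amu\Local Settings\temp;Win32.Sector.4;Deleted.;
grep.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
PEV.exe;C:\WINDOWS;Win32.Sector.4;Cured.;
lsass.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
winlogon.exe;C:\WINDOWS\ERDNT\cache;Win32.Sector.4;Cured.;
trainer.exe;D:\gAMES\NFS7;Win32.Sector.4;Cured.;
trainer.exe;D:\gAMES\NFS7;Trojan.PWS.Gamania.6747;Deleted.;
ComboFix.exe\32788R22FWJFW\c.bat;D:\Softwares\Essential Softwares\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe;D:\Softwares\Essential Softwares;Archive contains infected objects;Moved.;
Monalisa.exe;F:\TIME PASS VIDEOS\FUN;Joke.Mona;;
"""

# ComboFix's bundled helper tools (names taken from the report above). They sit in
# C:\WINDOWS while ComboFix runs, so a file infector that hits them is what makes
# a later scanner flag the ComboFix archive itself.
COMBOFIX_TOOLS = {"grep.exe", "nircmd.exe", "pev.exe", "sed.exe", "swreg.exe",
                  "swsc.exe", "swxcacls.exe", "zip.exe"}


def parse_report(text):
    """Return one dict per non-empty report line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.rstrip(";").split(";")  # drop the trailing separator
        if len(fields) < 3:
            raise ValueError("malformed report line: %r" % line)
        name, directory, threat = fields[0], fields[1], fields[2]
        # An absent fourth field means Dr.Web reported the object but did nothing.
        action = fields[3].rstrip(".") if len(fields) > 3 and fields[3] else "None"
        rows.append({"name": name, "dir": directory, "threat": threat, "action": action})
    return rows


def summarize(rows):
    """Count (threat family, action) pairs; the family drops the numeric variant suffix."""
    counts = Counter()
    for r in rows:
        family = re.sub(r"\.\d+$", "", r["threat"])
        counts[(family, r["action"])] += 1
    return counts


def disinfected_executables(rows):
    """Files a file infector had modified and the scanner repaired in place, by directory.

    'Cured' means the host program carried the infector's code when it last ran,
    so grouping these shows how far the infection spread (system backups, games, tools).
    """
    by_dir = defaultdict(list)
    for r in rows:
        if r["action"] == "Cured":
            by_dir[r["dir"].lower()].append(r["name"])
    return dict(by_dir)


def needs_decision(rows):
    """Detections the scanner reported but did not act on (empty action field)."""
    return [(r["dir"] + "\\" + r["name"], r["threat"]) for r in rows if r["action"] == "None"]


def touched_combofix(rows):
    """True if the infector reached ComboFix's helper tools in C:\\WINDOWS."""
    return any(r["name"].lower() in COMBOFIX_TOOLS and r["dir"].lower() == r"c:\windows"
               for r in rows if r["action"] == "Cured")


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for (family, action), n in sorted(summarize(rows).items()):
        print("%-36s %-8s %d" % (family, action, n))
    for d, names in disinfected_executables(rows).items():
        print("cured in", d, "->", ", ".join(names))
    print("unhandled:", needs_decision(rows))
    print("ComboFix tools were infected:", touched_combofix(rows))
```

Run against the full report, the "Cured" group is the useful signal: the Dr.Web scan did not find the infector still resident, but it repaired executables in the system backup cache, in a game folder and among ComboFix's own tools, so every executable on the attached drives (including the D: and F: volumes in the report) should be treated as a candidate host, and a "Cured" verdict is not evidence that the file never ran.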
#11 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:21 PM

Posted 06 October 2009 - 06:56 PM

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\documents and settings\amu\Application Data\Wplugin.dll
c:\windows\Wplugin.dll

RegLock::
[HKEY_USERS\S-1-5-21-789336058-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

Prior to running ComboFix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

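Buckeye_Sam's reply above uses the two CFScript directives that matter here: File:: lists the paths ComboFix should remove, and RegLock:: lists registry keys whose permissions the malware locked (the ComboFix log reports them under LOCKED REGISTRY KEYS with "@Denied: (Full) (LocalSystem)"). What follows is an added Python example, not code from the thread and not part of ComboFix, that builds such a script from a ComboFix log: it takes the file names the analyst has already judged malicious (here Wplugin.dll, which Dr.Web reported as Trojan.PWS.MSNPass), collects every full path to them anywhere in the log, including the "DLLs Loaded Under Running Processes" section, and appends the locked keys. The log text inside the block is a constructed excerpt of the log posted above. Review the generated script yourself before dropping it onto ComboFix.exe; File:: removes the listed files.

```python
"""Build a ComboFix CFScript from a ComboFix log (added example; not from the thread).

Directives used: File:: (paths to remove) and RegLock:: (keys listed under the
log's "LOCKED REGISTRY KEYS" heading). The analyst supplies the file names; the
script only finds where those names occur in the log.
"""
import re

# Constructed sample: an excerpt in the shape of the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 15:12 . 2009-10-06 15:03 110592 ----a-w- c:\windows\Wplugin.dll
2009-10-06 13:07 . 2009-10-06 14:12 -------- d-----w- c:\documents and settings\amu\DoctorWeb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 15:21 . 2009-10-06 15:21 110592 ----a-w- c:\documents and settings\amu\Application Data\Wplugin.dll
2009-10-05 08:53 . 1997-09-18 00:42 7680 ----a-w- c:\windows\sporder.exe
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2336)
c:\windows\Wplugin.dll
.
"""


def find_paths(log_text, basenames):
    """Every full path in the log whose file name is one of `basenames` (case-insensitive).

    Paths in a ComboFix log contain spaces and follow timestamp/attribute columns,
    so match from the drive letter up to the wanted name at the end of the line.
    """
    names = "|".join(re.escape(b) for b in basenames)
    pattern = re.compile(r"([a-z]:\\(?:[^\r\n]*?\\)?(?:%s))(?=\s|$)" % names, re.IGNORECASE)
    seen = {}  # lowercase path -> first spelling seen, so duplicates collapse
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m and m.group(1).lower() not in seen:
            seen[m.group(1).lower()] = m.group(1)
    return [seen[k] for k in sorted(seen)]


def find_locked_keys(log_text):
    """Keys listed under the LOCKED REGISTRY KEYS heading, up to the section's closing '.' line."""
    keys, in_section = [], False
    for line in log_text.splitlines():
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if in_section:
            if line.strip() == ".":
                break
            if line.startswith("[HKEY_") and line.endswith("]"):
                keys.append(line)
    return keys


def build_cfscript(log_text, basenames):
    """Assemble the CFScript text in the form the helper posted."""
    lines = []
    files = find_paths(log_text, basenames)
    if files:
        lines += ["File::"] + files + [""]
    keys = find_locked_keys(log_text)
    if keys:
        lines += ["RegLock::"] + keys + [""]
    return "\n".join(lines)


if __name__ == "__main__":
    # The analyst decides the names; here the DLL Dr.Web called Trojan.PWS.MSNPass.
    print(build_cfscript(SAMPLE_LOG, ["Wplugin.dll"]))
```

The output for the sample is the same two File:: paths and the one RegLock:: key as in the reply above. A locked key is worth listing even when nothing malicious is visible under it: the "@Denied" ACL is what stops the cleanup tools from reading or removing whatever the malware put there, and the lock itself is an indicator worth recording.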

========================================================

#12 im_adi
  • Topic Starter
  • Members
  • 24 posts
  • Local time:01:51 AM

Posted 07 October 2009 - 05:58 AM

Hey Sam!! Something happened to my beloved computer! After my recent scan with ComboFix I'm not able to connect to the internet!! All my network connections in My Network Places are gone. Also I can't make a new network connection! The shortcut which I had on my desktop is not opening; its icon is gone too! Ufff, please help me, please help me! Before that, I'll tell you what I did. I made that CFScript and dragged it onto ComboFix. It started and said there was a new version of ComboFix, so I said OK, update. It updated and scanned. This time it generated the log without restarting. I said OK. And when I tried to connect to the internet I was double-clicking on the network shortcut, but nothing happened! So I restarted, still the same. I RESTORED the system to the ComboFix restore point, but still the same!! Now I'm really worried! Please tell me what to do! Right now I am here using mobile GPRS, but it's not a good speed. Please, please help me connect to the internet! Waiting for your reply.

#13 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:21 PM

Posted 07 October 2009 - 07:45 AM

Download this tool and run it on the infected computer.
http://majorgeeks.com/WinSock_XP_Fix_d4372.html

It should restore your connection.
Please post the log from Combofix as soon as you're able.


========================================================

#14 im_adi

  • Topic Starter

Posted 07 October 2009 - 11:31 AM

Hello Sam, I used my GPRS to download that WinSock thing and transferred it to the PC. I clicked Fix after opening it. It said all repairs were done, but I still can't make a network connection. Once it did come up, I entered the username and password and clicked Connect. It showed the usual "verifying password", "registering on network" and all that, but then suddenly closed. Nothing popped up from the system tray, when usually it says connected at a speed of some 100 kbps. Now nothing is happening. Also my Bluetooth dial-up network is gone :( By the way, I transferred that ComboFix log to my mobile and I am attaching it here. But please note that I restored the system after getting this log, because my internet stopped working after scanning this time. Still, please inspect it and help me restore my internet connectivity as early as possible. Thanks a lot!

#15 im_adi

  • Topic Starter

Posted 07 October 2009 - 12:22 PM

Link to the log: www4.zippyshare.com/v/17360723/file.html. As I'm using Opera Mobile now, I couldn't upload the log on this site. My apologies.

ComboFix 09-10-06.03 - amu 10/07/2009 12:42.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.410 [GMT 5.5:30]
Running from: d:\softwares\Essential Softwares\ComboFix.exe
Command switches used :: d:\softwares\Essential Softwares\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\documents and settings\amu\Application Data\Wplugin.dll"
"c:\windows\Wplugin.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Wplugin.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-07 07:15 . 2009-10-07 07:15 110592 ----a-w- c:\windows\Wplugin.dll
2009-10-06 13:07 . 2009-10-06 14:12 -------- d-----w- c:\documents and settings\amu\DoctorWeb
2009-10-06 05:49 . 2009-10-06 05:49 -------- d-----w- c:\program files\ESET
2009-10-05 09:53 . 2009-10-05 09:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-05 09:53 . 2009-10-05 10:33 -------- d-----w- c:\documents and settings\amu\Application Data\skypePM
2009-10-05 09:52 . 2009-10-05 12:23 -------- d-----w- c:\documents and settings\amu\Application Data\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----w- c:\program files\Common Files\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----r- c:\program files\Skype
2009-10-05 09:51 . 2009-10-05 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\documents and settings\amu\Application Data\Malwarebytes
2009-10-04 08:48 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-04 08:48 . 2009-10-04 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-04 08:48 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-04 08:34 . 2009-10-04 08:34 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Apple Computer
2009-10-04 07:30 . 2009-10-04 07:30 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\documents and settings\amu\Application Data\DonationCoder
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\program files\WinPcap
2009-10-04 07:30 . 2009-10-06 05:58 -------- d-----w- c:\program files\URLSnooper2
2009-10-04 07:30 . 2009-10-04 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-10-04 06:34 . 2009-10-04 07:42 -------- d-----w- c:\documents and settings\amu\Application Data\Software Informer
2009-10-04 06:34 . 2009-10-06 05:58 -------- d-----w- c:\program files\Software Informer
2009-10-04 06:34 . 2009-10-04 09:29 -------- d-----w- c:\documents and settings\amu\Application Data\Free Download Manager
2009-10-04 06:33 . 2009-10-06 05:56 -------- d-----w- c:\program files\Free Download Manager
2009-10-04 06:33 . 2009-10-04 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-10-02 04:40 . 2009-10-02 04:41 -------- d-----w- c:\documents and settings\bestameya\Application Data\Orbit
2009-10-01 13:50 . 2009-10-04 08:31 -------- d-----w- C:\downloads
2009-10-01 13:50 . 2009-10-01 13:50 -------- d-----w- c:\documents and settings\amu\Application Data\GrabPro
2009-10-01 13:50 . 2009-10-06 15:13 -------- d-----w- c:\documents and settings\amu\Application Data\Orbit
2009-10-01 13:50 . 2009-10-06 13:21 -------- d-----w- c:\program files\Orbitdownloader
2009-10-01 10:40 . 2009-10-06 05:56 -------- d-----w- c:\program files\Cobian Backup 8
2009-10-01 09:33 . 2009-10-01 09:33 12720 ----a-w- c:\documents and settings\amu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 11:37 . 2009-09-30 11:37 -------- d-----w- c:\documents and settings\bestameya\Local Settings\Application Data\WMTools Downloaded Files
2009-09-21 06:04 . 2009-09-21 06:04 -------- d-----w- c:\documents and settings\bestameya\Local Settings\Application Data\Opera
2009-09-18 15:58 . 2009-09-18 15:58 -------- d-----w- c:\documents and settings\amu\Application Data\AVG8
2009-09-18 15:42 . 2009-09-18 15:42 -------- d-----w- c:\windows\McAfee.com
2009-09-18 13:58 . 2009-10-07 07:06 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Temp
2009-09-18 13:55 . 2009-09-18 13:55 -------- d-----w- c:\documents and settings\amu\Local Settings\Application Data\Opera
2009-09-18 13:55 . 2009-09-18 13:55 -------- d-----w- c:\program files\Opera
2009-09-13 17:08 . 2009-09-13 17:09 -------- d-----w- C:\s
2009-09-13 16:44 . 2009-09-13 16:58 -------- d-----w- C:\images for shraddha

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 07:15 . 2009-10-07 07:15 110592 ----a-w- c:\documents and settings\amu\Application Data\Wplugin.dll
2009-10-06 05:58 . 2009-06-17 16:10 -------- d-----w- c:\program files\Total Video Converter
2009-10-05 12:29 . 2009-08-26 05:41 13029857 ----a-w- C:\Wndows media player10.exe
2009-10-05 08:53 . 1997-09-18 00:42 7680 ----a-w- c:\windows\sporder.exe
2009-10-04 09:29 . 2009-06-18 08:03 -------- d-----w- c:\program files\Google
2009-10-01 09:50 . 2009-08-23 12:44 -------- d-----w- c:\program files\Trend Micro
2009-09-25 06:30 . 2009-07-02 05:35 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-09-23 07:01 . 2009-07-16 14:09 2985984 ----a-w- C:\googletalk-setup.exe
2009-09-18 14:00 . 2009-09-03 07:14 4907822 ----a-w- C:\XCC_TFD_Shortcut_Installer.exe
2009-09-08 08:26 . 2004-09-24 10:29 25088 ----a-w- c:\windows\inst_tsp.exe
2009-09-08 08:20 . 2009-08-17 13:24 14559845 ----a-w- C:\RealPlayer11GOLD.exe
2009-08-26 05:44 . 2009-06-17 15:55 94208 ----a-w- c:\windows\system32\igfxtray.exe
2009-08-23 12:41 . 2009-08-23 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Net Protector
2009-08-22 14:52 . 2009-08-22 14:52 16786 ----a-w- c:\windows\winsbak.reg
2009-08-22 14:52 . 2009-08-22 14:52 117900 ----a-w- c:\windows\winsbak2.reg
2009-08-22 07:44 . 2009-08-09 12:19 2318880 ----a-w- C:\install_flash_player.exe
2009-08-21 07:47 . 2009-08-21 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\POPWWPROFILES
2009-08-21 07:43 . 2009-08-17 13:16 1111729 ----a-w- C:\Jet Audio.EXE
2009-08-21 07:38 . 2009-06-17 15:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 06:33 . 2009-08-21 06:33 -------- d-----w- c:\program files\Common Files\Stardock
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Common Files\Real
2009-08-17 13:25 . 2009-06-17 16:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-17 13:25 . 2009-08-17 13:25 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-17 13:25 . 2009-08-17 13:25 -------- d-----w- c:\program files\Real
2009-08-16 06:50 . 2009-07-02 05:35 -------- d-----w- c:\program files\CyberLink DVD Solution
2009-07-25 08:23 . 2009-06-17 15:55 479232 ----a-w- c:\windows\system32\hkcmd.exe
2009-07-19 12:19 . 2009-06-17 15:52 397312 ----a-w- c:\windows\sttray.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-05_14.11.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-17 15:52 . 2006-07-27 06:23 86016 c:\windows\system32\stacsv.exe
+ 2009-07-04 08:53 . 2009-09-08 08:29 73728 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmplayer.exe
+ 2009-07-04 08:53 . 2009-09-08 08:29 28672 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpenc.exe
+ 2009-07-04 08:53 . 2009-09-08 08:29 96768 c:\windows\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\logagent.exe
+ 2009-07-04 08:53 . 2009-10-05 08:52 38912 c:\windows\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfmgr.exe
+ 2009-07-04 08:53 . 2009-10-05 08:52 47104 c:\windows\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\uwdf.exe
+ 2007-07-13 06:24 . 2009-09-25 06:39 24576 c:\windows\McAfee.com\FreeScan\avdat.exe
+ 2004-10-31 12:35 . 2004-10-31 12:35 30720 c:\windows\killproc.exe
+ 2009-07-04 09:12 . 2009-08-12 10:43 49152 c:\windows\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814236.exe
+ 2009-06-17 15:39 . 2009-08-12 10:43 32768 c:\windows\Installer\{716E0306-8318-4364-8B8F-0CC4E9376BAC}\icon.exe
+ 2009-06-17 15:49 . 2009-09-08 08:25 40960 c:\windows\Installer\{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}\ARPPRODUCTICON.exe
+ 2009-06-18 07:48 . 2009-09-08 08:24 66048 c:\windows\ie7\spuninst\ieResetIcons.exe
+ 2009-06-18 07:47 . 2009-10-05 08:47 29184 c:\windows\ie7\mshta.exe
+ 2009-06-18 07:47 . 2004-08-04 01:07 93184 c:\windows\ie7\iexplore.exe
+ 2009-06-18 07:47 . 2009-09-08 08:23 18432 c:\windows\ie7\iedw.exe
+ 2009-06-18 07:47 . 2009-08-12 10:40 34304 c:\windows\ie7\ie4uinit.exe
+ 2009-07-04 09:12 . 2009-09-08 08:26 5120 c:\windows\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814234.exe
+ 2009-07-04 08:53 . 2009-09-08 08:29 122880 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmlaunch.exe
+ 2009-07-04 08:53 . 2009-10-05 08:52 192512 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\unregmp2.exe
+ 2009-07-04 08:53 . 2009-09-25 06:41 991232 c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\migrate.exe
+ 2009-06-17 15:25 . 2009-09-08 08:25 166400 c:\windows\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-05 584952]
"Google Update"="c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-05 5292513]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2009-10-05 673280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-07-25 479232]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 176128]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3796992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-05 9039872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-21 816680]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-10-05 7622656]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2009-07-19 397312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-6-18 13946880]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-10-1 1830912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 06:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Valve\\Condition Zero\\czero.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1715:TCP"= 1715:TCP:mdakgdc

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [7/2/2003 5:41 PM 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [7/2/2003 4:49 PM 124160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2009 12:12 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2009 12:12 PM 108552]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 9:05 PM 50704]
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1003Core.job
- c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 12:38]

2009-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1390067357-839522115-1003UA.job
- c:\documents and settings\amu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 12:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {3436D55F-105F-442E-B870-441B555651CB} = 218.248.255.177 218.248.240.134
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 12:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-10-07 12:46
ComboFix-quarantined-files.txt 2009-10-07 07:16
ComboFix2.txt 2009-10-06 15:22
ComboFix3.txt 2009-10-06 05:45
ComboFix4.txt 2009-10-05 14:15

Pre-Run: 4,174,524,416 bytes free
Post-Run: 4,164,272,128 bytes free

205

Edited by Buckeye_Sam, 07 October 2009 - 02:07 PM.
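Added example, not part of this thread and not code from ComboFix or the helper: a small Python triage script that pulls out of a ComboFix log the items a log reader checks first. It collects the paths echoed back from the CFScript `FILE ::` block, newly created DLL/EXE/SYS files dropped outside the system tree, the `AppInit_DLLs` value, the globally opened firewall ports, the Run-key entries, and the per-interface DNS servers from the Supplementary Scan. The sample text is a constructed excerpt of the log posted above, embedded inline so the script runs offline; the section names it keys on are taken from that log, while the "trusted prefix" rule for flagging new binaries is this example's own assumption. A flagged entry means "look at this", not "this is malicious".

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the ComboFix log posted in this thread,
# embedded here so the script runs without the original file.
SAMPLE_LOG = r"""
ComboFix 09-10-06.03 - amu 10/07/2009 12:42.4.2 - NTFSx86

FILE ::
"c:\documents and settings\amu\Application Data\Wplugin.dll"
"c:\windows\Wplugin.dll"
.

((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-07 07:15 . 2009-10-07 07:15 110592 ----a-w- c:\windows\Wplugin.dll
2009-10-06 05:49 . 2009-10-06 05:49 -------- d-----w- c:\program files\ESET
2009-10-04 08:48 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-07-25 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1715:TCP"= 1715:TCP:mdakgdc

------- Supplementary Scan -------
TCP: {3436D55F-105F-442E-B870-441B555651CB} = 218.248.255.177 218.248.240.134
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                 # (((( Name ))))
DASH_RE = re.compile(r"^-{3,}\s*([A-Za-z].*?)\s*-{3,}$")        # ---- Name ----
KEY_RE = re.compile(r"^\[(.+)\]$")                              # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                # "name"= value
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} "
                        r"\d{2}:\d{2} (\S+) (\S+) (.+)$")       # size attrs path
DNS_RE = re.compile(r"^TCP: \{[0-9A-F-]+\} = (.+)$", re.I)

# Heuristic (this example's assumption, not a ComboFix rule): a fresh DLL,
# EXE or SYS outside these trees is unusual for a legitimate installer.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")
BINARY_EXT = (".dll", ".exe", ".sys")


def triage(text):
    """Return the indicators a log reader checks first, keyed by category."""
    found = {"cfscript_targets": [], "new_binaries_flagged": [],
             "appinit_dlls": [], "open_ports": [], "dns_servers": [],
             "run_keys": defaultdict(list)}
    section, reg_key, in_file_block = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "FILE ::":                   # start of the CFScript echo
            in_file_block = True
            continue
        if in_file_block:                       # block ends at a lone "."
            if line == ".":
                in_file_block = False
            else:
                found["cfscript_targets"].append(line.strip('"'))
            continue
        m = SECTION_RE.match(line) or DASH_RE.match(line)
        if m:                                   # new section header
            section, reg_key = m.group(1), None
            continue
        if section and section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if m:
                attrs, path = m.group(2), m.group(3)
                low = path.lower()
                if (not attrs.startswith("d") and low.endswith(BINARY_EXT)
                        and not low.startswith(TRUSTED_PREFIXES)):
                    found["new_binaries_flagged"].append(path)
            continue
        if section == "Reg Loading Points":
            m = KEY_RE.match(line)
            if m:
                reg_key = m.group(1).lower()
                continue
            m = VALUE_RE.match(line)
            if m and reg_key:
                name, value = m.group(1), m.group(2).strip()
                if name.lower() == "appinit_dlls" and value:
                    found["appinit_dlls"].append(value)
                elif reg_key.endswith(r"globallyopenports\list"):
                    found["open_ports"].append(value)
                elif reg_key.endswith(r"currentversion\run"):
                    found["run_keys"][reg_key].append(name)
            continue
        m = DNS_RE.match(line)
        if m:                                   # interface DNS servers
            found["dns_servers"] = m.group(1).split()
    found["run_keys"] = dict(found["run_keys"])
    return found


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

On the posted log it flags c:\windows\Wplugin.dll (a CFScript target that was dropped in the Windows root rather than system32), and surfaces the wbsys.dll AppInit entry, the 1715/TCP firewall exception and the two DNS servers for a human to judge; the script makes no claim about what any of them is. Pass the full log text instead of `SAMPLE_LOG` to run it on a real file.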




