
PC Infected with Malware/ Spyware



Hi,

I am using Windows XP SP2. Recently I accidentally clicked on a link which I think was a link to malware or spyware.

After that, my Avira Antivirus Guard Status is: Unknown.

Spybot is not running. After I double-click on the icon, it vanishes in a second.

I installed HijackThis, but again the same problem: it just vanishes in a second.

Tried to boot in safe mode, but it looks like it has disabled safe mode too.

Corrupted Mozilla Firefox and Google Chrome.

It has disabled "Show Hidden Files and Folders".

Please help me and tell me what I can do.

I do not want to format my computer. Please help.


Hello and welcome to MalwareBytes.

Somehow, you posted 3 duplicate topics. I deleted the other 2.

First, make sure you have saved all your work before you begin, and close your open apps.

Note: If using Firefox, right-click on any download links and choose Save As.

Do as much as possible of the following:

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Keep going with the following, even if FixPolicies does not run.

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.

Do NOT turn off the firewall.

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware rogue gives a message regarding RKILL, proceed forward to running RKILL.

Save both files to the same place: the Desktop.

Please download OTH and SAVE to the Desktop

Please download OTL and SAVE to the Desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.

If you are running Vista or Windows 7, right-click on OTH and select Run As Administrator to start.


Once OTH has started, click on Start OTL. OTL will now start.

Do the following in OTL:
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at top left and let the program run uninterrupted. It will take about 4 minutes.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Back in OTH:
  • Click the Internet Explorer button. Go to this forum, log in, and return to this topic.
  • Copy & paste these logs into your reply here.
  • After you are all done, press Reboot to start your system fresh.


Thanks for the quick reply.

But the problem still persists.

I am providing the details of the above-mentioned files below:

OTL file:

OTL logfile created on: 6/4/2010 9:50:45 AM - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = F:\Documents and Settings\Preetam\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 95.00% Paging File free

Paging file location(s): F:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\WINDOWS | %ProgramFiles% = F:\Program Files

Drive C: | 80.00 Gb Total Space | 6.55 Gb Free Space | 8.19% Space Free | Partition Type: NTFS

Drive D: | 9.31 Gb Total Space | 0.84 Gb Free Space | 8.98% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

Drive F: | 50.00 Gb Total Space | 18.44 Gb Free Space | 36.88% Space Free | Partition Type: NTFS

Drive G: | 51.44 Gb Total Space | 3.62 Gb Free Space | 7.05% Space Free | Partition Type: NTFS

Drive H: | 51.44 Gb Total Space | 2.96 Gb Free Space | 5.76% Space Free | Partition Type: NTFS

I: Drive not present or media not loaded

Drive J: | 9.31 Gb Total Space | 0.55 Gb Free Space | 5.93% Space Free | Partition Type: FAT32

Drive K: | 9.31 Gb Total Space | 0.12 Gb Free Space | 1.33% Space Free | Partition Type: FAT32

Drive L: | 9.29 Gb Total Space | 0.09 Gb Free Space | 1.02% Space Free | Partition Type: FAT32

Computer Name: HOME-2C40211EAB

Current User Name: Preetam

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/04 09:02:18 | 000,571,904 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\Preetam\Desktop\OTL.scr

PRC - [2010/06/04 09:01:24 | 000,258,560 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\Preetam\Desktop\OTH.scr

PRC - [2009/08/06 18:47:18 | 000,404,737 | ---- | M] (Avira GmbH) -- F:\Program Files\Avira\AntiVir Desktop\update.exe

PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- F:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- F:\Program Files\Avira\AntiVir Desktop\avgnt.exe

========== Modules (SafeList) ==========

MOD - [2010/06/04 09:02:18 | 000,571,904 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\Preetam\Desktop\OTL.scr

MOD - [2004/08/04 10:27:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- F:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

MOD - [2004/08/04 08:31:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- F:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2009/02/11 20:07:26 | 000,201,992 | ---- | M] (Kaspersky Lab) [On_Demand | Stopped] -- F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe -- (AVP)

SRV - [2007/07/03 12:32:16 | 000,131,072 | ---- | M] (NVIDIA) [Auto | Stopped] -- F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)

SRV - [2007/03/20 06:49:14 | 000,263,168 | ---- | M] (Ares Development Group) [On_Demand | Stopped] -- F:\Program Files\Ares\chatServer.exe -- (AresChatServer)

SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [unknown | Stopped] -- F:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

SRV - [2001/09/08 17:52:38 | 022,395,664 | ---- | M] (Oracle Corporation) [Disabled | Stopped] -- c:\orant\bin\ORACLE.EXE -- (OracleServicePREETAM)

SRV - [2001/08/28 17:07:46 | 000,052,224 | ---- | M] () [On_Demand | Stopped] -- C:\orant/bin/pagntsrv.exe -- (OracleDEFAULT_HOMEPagingServer)

SRV - [2001/08/21 17:47:24 | 000,303,104 | ---- | M] (Oracle Corporation) [On_Demand | Stopped] -- C:\orant\BIN\xsolap.exe -- (OLAPServer)

SRV - [2001/08/21 15:56:26 | 001,958,912 | ---- | M] () [On_Demand | Stopped] -- C:\orant\BIN\xsaagent.exe -- (Oracle OLAP Agent)

SRV - [2001/08/17 14:49:42 | 000,003,584 | ---- | M] () [Disabled | Stopped] -- C:\orant\Apache\Apache\Apache.exe -- (OracleDEFAULT_HOMEHTTPServer)

SRV - [2001/08/16 20:18:22 | 000,256,512 | ---- | M] () [On_Demand | Stopped] -- C:\orant\BIN\agntsvc.exe -- (OracleDEFAULT_HOMESNMPPeerMasterAgent)

SRV - [2001/08/16 20:18:22 | 000,189,952 | ---- | M] () [On_Demand | Stopped] -- C:\orant\BIN\encsvc.exe -- (OracleDEFAULT_HOMESNMPPeerEncapsulator)

SRV - [2001/08/16 20:18:22 | 000,016,656 | ---- | M] (Oracle Corporation) [Disabled | Stopped] -- C:\orant\BIN\agntsrvc.exe -- (OracleDEFAULT_HOMEAgent)

SRV - [2001/08/14 18:25:20 | 000,425,828 | ---- | M] () [On_Demand | Stopped] -- C:\orant\BIN\ONRSD.EXE -- (OracleDEFAULT_HOMEClientCache)

SRV - [2001/08/14 18:25:16 | 000,455,352 | ---- | M] () [Disabled | Stopped] -- C:\orant\BIN\TNSLSNR.exe -- (OracleDEFAULT_HOMETNSListener)

SRV - [2001/03/30 16:42:56 | 000,205,312 | ---- | M] () [On_Demand | Stopped] -- C:\orant\BIN\osagent.exe -- (xsSmartAgent)

========== Driver Services (SafeList) ==========

DRV - [2009/12/07 21:38:43 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- F:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2009/05/11 10:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- F:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)

DRV - [2009/03/30 10:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- F:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)

DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- F:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)

DRV - [2009/02/11 20:07:27 | 000,213,520 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- F:\WINDOWS\system32\drivers\klif.sys -- (KLIF)

DRV - [2009/02/11 20:07:27 | 000,033,808 | ---- | M] (Kaspersky Lab) [File_System | Boot | Running] -- F:\WINDOWS\system32\drivers\klbg.sys -- (klbg)

DRV - [2008/04/16 14:23:44 | 000,112,144 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- F:\WINDOWS\system32\drivers\kl1.sys -- (kl1)

DRV - [2008/03/25 20:07:10 | 000,024,592 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\klim5.sys -- (klim5)

DRV - [2008/02/25 19:50:52 | 000,223,128 | ---- | M] () [Kernel | On_Demand | Running] -- F:\WINDOWS\System32\Drivers\dtscsi.sys -- (dtscsi)

DRV - [2007/12/25 11:10:21 | 000,715,248 | ---- | M] () [Kernel | Boot | Running] -- F:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

DRV - [2007/10/04 14:44:00 | 006,854,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2007/09/05 15:01:30 | 004,611,072 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2007/07/26 09:25:12 | 000,039,808 | R--- | M] () [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys -- (SRS_SSCFilter) SRS Labs Audio Sandbox (WDM)

DRV - [2007/07/16 09:08:08 | 000,026,272 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)

DRV - [2007/07/07 12:43:10 | 000,012,032 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)

DRV - [2007/07/03 12:33:04 | 000,006,912 | ---- | M] (NVidia Corp.) [Kernel | On_Demand | Running] -- F:\WINDOWS\nvoclock.sys -- (NVR0Dev)

DRV - [2006/11/02 16:51:58 | 000,013,560 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- F:\Program Files\CyberLink\PowerDVD\000.fcl -- ({95808DC4-FA4A-4c74-92FE-5B863F82066B})

DRV - [2006/11/02 08:01:00 | 000,250,496 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)

DRV - [2005/09/29 22:31:51 | 000,066,048 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- F:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)

DRV - [2005/08/10 19:36:28 | 000,019,968 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- F:\WINDOWS\System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)

DRV - [2005/08/10 18:14:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- F:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)

DRV - [2005/05/16 18:50:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- F:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)

DRV - [2005/01/07 17:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)

DRV - [2004/08/07 05:45:22 | 000,011,648 | ---- | M] () [Kernel | Disabled | Stopped] -- F:\WINDOWS\system32\drivers\acpiec.sys -- (ACPIEC)

DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2004/03/08 12:55:50 | 000,013,567 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- F:\WINDOWS\system32\drivers\CDRBSDRV.SYS -- (cdrbsdrv)

DRV - [2002/10/15 22:41:06 | 000,102,220 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\sonypvs1.sys -- (sonypvs1)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.in/"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {5c8bfb7c-9a54-11dc-8314-0800200c9a66}:3.0.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: F:\Program Files\Mozilla Firefox\components [2010/05/29 10:14:46 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: F:\Program Files\Mozilla Firefox\plugins [2010/05/29 10:14:46 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Thunderbird\Extensions\\bdThunderbird@bitdefender.com: F:\Program Files\BitDefender\BitDefender 2008\tbextension

[2008/06/17 23:08:08 | 000,000,000 | ---D | M] -- F:\Documents and Settings\Preetam\Application Data\Mozilla\Extensions

[2010/01/16 11:01:29 | 000,000,000 | ---D | M] -- F:\Documents and Settings\Preetam\Application Data\Mozilla\Firefox\Profiles\p4gcre2o.default\extensions

[2008/07/03 17:54:53 | 000,000,000 | ---D | M] (Aero Fox) -- F:\Documents and Settings\Preetam\Application Data\Mozilla\Firefox\Profiles\p4gcre2o.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}

[2008/07/03 17:55:17 | 000,000,000 | ---D | M] (NoScript) -- F:\Documents and Settings\Preetam\Application Data\Mozilla\Firefox\Profiles\p4gcre2o.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

[2008/07/03 17:55:16 | 000,000,000 | ---D | M] (Adblock Plus) -- F:\Documents and Settings\Preetam\Application Data\Mozilla\Firefox\Profiles\p4gcre2o.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2010/04/04 11:22:53 | 000,000,000 | ---D | M] -- F:\Program Files\Mozilla Firefox\extensions

[2009/08/16 19:40:30 | 000,000,000 | ---D | M] (Java Console) -- F:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

O1 HOSTS File: ([2010/05/29 11:08:18 | 000,392,748 | R--- | M]) - F:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 13564 more lines...

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll File not found

O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll (Kaspersky Lab)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Alcmtr] F:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [avgnt] F:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [conime.exe] F:\WINDOWS\System32\conime.exe (Microsoft Corporation)

O4 - HKLM..\Run: [DAEMON Tools] F:\Program Files\DAEMON Tools\daemon.exe (DT Soft Ltd.)

O4 - HKLM..\Run: [googletalk] F:\Program Files\Google\Google Talk\googletalk.exe (Google)

O4 - HKLM..\Run: [LanguageShortcut] F:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()

O4 - HKLM..\Run: [NBKeyScan] F:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)

O4 - HKLM..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)

O4 - HKLM..\Run: [NvCplDaemon] F:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] F:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] F:\WINDOWS\System32\nwiz.exe ()

O4 - HKLM..\Run: [PCSuiteTrayApplication] F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe (Nokia)

O4 - HKLM..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe ()

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] F:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)

O4 - HKCU..\Run: [games] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe ()

O4 - HKCU..\Run: [NVIDIA nTune] F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)

O4 - HKCU..\Run: [spybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

O4 - HKCU..\Run: [sRS Audio Sandbox] F:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe File not found

O4 - HKCU..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O4 - Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk = F:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe (eLitecore Technologies Ltd.)

O4 - Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk = F:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe (Sony Corporation)

O4 - Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk = F:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe (Sony Corporation.)

O4 - Startup: F:\Documents and Settings\Preetam\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = F:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()

F3 - HKCU WinNT: Load - (F:\TCWIN45\PIPELINE\remind.exe) - F:\TCWIN45\PIPELINE\REMIND.EXE ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O8 - Extra context menu item: E&xport to Microsoft Excel - F:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll (Kaspersky Lab)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll File not found

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - F:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - F:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - AppInit_DLLs: (F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll) - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mzvkbd.dll (Kaspersky Lab)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - F:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe) - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe ()

O20 - HKCU Winlogon: Shell - (explorer.exe) - F:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe) - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe ()

O20 - Winlogon\Notify\klogon: DllName - F:\WINDOWS\system32\klogon.dll - F:\WINDOWS\system32\klogon.dll (Kaspersky Lab)

O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found

O24 - Desktop WallPaper: F:\Documents and Settings\Preetam\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: F:\Documents and Settings\Preetam\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O27 - HKLM IFEO\conime.exe: Debugger - wmpstvd.exe ()

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - F:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/01/01 10:45:45 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{1100c893-e240-11dd-bc7e-00e0610636e2}\Shell\AutoRun\command - "" = dgjcij.exe

O33 - MountPoints2\{1100c893-e240-11dd-bc7e-00e0610636e2}\Shell\explore\Command - "" = dgjcij.exe

O33 - MountPoints2\{1100c893-e240-11dd-bc7e-00e0610636e2}\Shell\open\Command - "" = dgjcij.exe

O33 - MountPoints2\{3939eb90-9569-11de-be08-00e0610636e2}\Shell\AutoRun\command - "" = RECYCLEMGR\autorun.exe

O33 - MountPoints2\{3939eb90-9569-11de-be08-00e0610636e2}\Shell\open\command - "" = RECYCLEMGR\autorun.exe

O33 - MountPoints2\{65b501d0-87e7-11de-bde7-00e0610636e2}\Shell\AutopLAy\command - "" = K:\jqyxip.pif -- File not found

O33 - MountPoints2\{65b501d0-87e7-11de-bde7-00e0610636e2}\Shell\AutoRun\command - "" = K:\jqyxip.pif -- File not found

O33 - MountPoints2\{65b501d0-87e7-11de-bde7-00e0610636e2}\Shell\explore\cOmmaND - "" = K:\jqyxip.pif -- File not found

O33 - MountPoints2\{65b501d0-87e7-11de-bde7-00e0610636e2}\Shell\OpeN\COmmand - "" = K:\jqyxip.pif -- File not found

O33 - MountPoints2\{a02d5474-3684-11df-b07d-00e061061709}\Shell\AutoRun\command - "" = M:\Seagate\Installer\InstallSeagateManager.exe -- File not found

O33 - MountPoints2\{b6b69ec8-5469-11df-b0d9-00e061061709}\Shell\AutoRun\command - "" = M:\MAGAZIN\jelenarozga.exe -- File not found

O33 - MountPoints2\{b6b69ec8-5469-11df-b0d9-00e061061709}\Shell\open\command - "" = M:\MAGAZIN\jelenarozga.exe -- File not found

O33 - MountPoints2\{fffee302-efe3-11dc-8b2b-00e061062019}\Shell - "" = AutoRun

O33 - MountPoints2\{fffee302-efe3-11dc-8b2b-00e061062019}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{fffee302-efe3-11dc-8b2b-00e061062019}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found

O33 - MountPoints2\{fffee303-efe3-11dc-8b2b-00e061062019}\Shell\AutoRun\command - "" = K:\h.cmd -- File not found

O33 - MountPoints2\{fffee303-efe3-11dc-8b2b-00e061062019}\Shell\explore\Command - "" = K:\h.cmd -- File not found

O33 - MountPoints2\{fffee303-efe3-11dc-8b2b-00e061062019}\Shell\open\Command - "" = K:\h.cmd -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/04 09:45:43 | 000,000,000 | ---D | C] -- F:\Documents and Settings\Preetam\Desktop\FixPolicies

[2010/06/04 09:45:26 | 000,571,904 | ---- | C] (OldTimer Tools) -- F:\Documents and Settings\Preetam\Desktop\OTL.scr

[2010/06/04 09:45:26 | 000,258,560 | ---- | C] (OldTimer Tools) -- F:\Documents and Settings\Preetam\Desktop\OTH.scr

[2010/06/03 12:54:12 | 000,000,000 | ---D | C] -- F:\Program Files\Trend Micro

[2010/06/03 12:21:02 | 000,670,072 | ---- | C] (Sysinternals - www.sysinternals.com) -- F:\Documents and Settings\Preetam\Desktop\autoruns.exe

[2010/06/03 12:21:02 | 000,559,992 | ---- | C] (Sysinternals - www.sysinternals.com) -- F:\Documents and Settings\Preetam\Desktop\autorunsc.exe

[2010/05/29 14:05:17 | 000,000,000 | ---D | C] -- F:\Program Files\MSXML 4.0

[2010/05/29 12:28:43 | 000,272,128 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\bthport.sys

[2010/05/29 12:16:50 | 002,181,376 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\ntoskrnl.exe

[2010/05/29 12:16:50 | 002,137,088 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\ntkrnlmp.exe

[2010/05/29 12:16:49 | 002,058,368 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\ntkrnlpa.exe

[2010/05/29 12:16:49 | 002,016,768 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\ntkrpamp.exe

[2010/05/29 12:06:47 | 000,454,016 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\mrxsmb.sys

[2010/05/29 11:09:57 | 000,000,000 | ---D | C] -- F:\WINDOWS\ServicePackFiles

[2010/05/29 10:42:23 | 000,352,768 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\xpsp3res.dll

[2010/05/29 10:33:36 | 000,000,000 | ---D | C] -- F:\WINDOWS\System32\PreInstall

[2010/05/29 10:33:35 | 000,000,000 | -H-D | C] -- F:\WINDOWS\$hf_mig$

[2010/05/29 10:25:05 | 000,017,272 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\spmsg.dll

[2010/05/29 10:20:01 | 000,000,000 | ---D | C] -- F:\WINDOWS\System32\SoftwareDistribution

[2010/05/29 10:12:59 | 000,000,000 | ---D | C] -- F:\Program Files\Common Files\DFX

[2010/05/28 13:19:49 | 000,000,000 | R--D | C] -- F:\Documents and Settings\Preetam\My Documents\My Videos

[2010/05/28 13:18:00 | 000,000,000 | ---D | C] -- F:\Program Files\Windows Media Connect 2

[2010/05/28 13:16:47 | 000,000,000 | ---D | C] -- F:\WINDOWS\System32\drivers\UMDF

[2010/05/28 13:16:47 | 000,000,000 | ---D | C] -- F:\WINDOWS\System32\LogFiles

[2010/05/28 12:25:45 | 000,000,000 | ---D | C] -- F:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

[2010/05/13 09:50:25 | 000,000,000 | ---D | C] -- F:\Program Files\uTorrent

[2010/05/13 09:49:54 | 000,000,000 | ---D | C] -- F:\Documents and Settings\Preetam\Application Data\uTorrent

[7 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> ]

[4 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/04 09:47:56 | 000,462,344 | ---- | M] () -- F:\WINDOWS\System32\PerfStringBackup.INI

[2010/06/04 09:47:56 | 000,395,200 | ---- | M] () -- F:\WINDOWS\System32\perfh009.dat

[2010/06/04 09:47:56 | 000,059,440 | ---- | M] () -- F:\WINDOWS\System32\perfc009.dat

[2010/06/04 09:43:44 | 000,000,006 | -H-- | M] () -- F:\WINDOWS\tasks\SA.DAT

[2010/06/04 09:43:41 | 000,002,048 | --S- | M] () -- F:\WINDOWS\bootstat.dat

[2010/06/04 09:43:40 | 2077,741,056 | -HS- | M] () -- F:\hiberfil.sys

[2010/06/04 09:02:18 | 000,571,904 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\Preetam\Desktop\OTL.scr

[2010/06/04 09:01:24 | 000,258,560 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\Preetam\Desktop\OTH.scr

[2010/06/03 20:29:56 | 000,363,520 | ---- | M] () -- F:\Documents and Settings\Preetam\Desktop\rkill.scr

[2010/06/03 20:29:18 | 000,185,065 | ---- | M] () -- F:\Documents and Settings\Preetam\Desktop\FixPolicies.exe

[2010/06/03 13:57:18 | 014,680,064 | -H-- | M] () -- F:\Documents and Settings\Preetam\NTUSER.DAT

[2010/06/03 13:57:18 | 003,903,008 | -HS- | M] () -- F:\WINDOWS\System32\drivers\fidbox.dat

[2010/06/03 13:57:18 | 000,770,080 | -HS- | M] () -- F:\WINDOWS\System32\drivers\fidbox2.dat

[2010/06/03 13:57:18 | 000,034,716 | -HS- | M] () -- F:\WINDOWS\System32\drivers\fidbox.idx

[2010/06/03 13:57:18 | 000,006,856 | -HS- | M] () -- F:\WINDOWS\System32\drivers\fidbox2.idx

[2010/06/03 13:30:36 | 000,002,309 | ---- | M] () -- F:\Documents and Settings\Preetam\Desktop\Google Chrome.lnk

[2010/06/03 13:29:08 | 000,000,986 | ---- | M] () -- F:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1417001333-682003330-1003UA.job

[2010/06/03 13:20:17 | 000,000,038 | ---- | M] () -- F:\WINDOWS\avisplitter.INI

[2010/06/03 13:20:02 | 000,161,792 | ---- | M] () -- F:\Documents and Settings\Preetam\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/03 13:19:53 | 000,000,069 | ---- | M] () -- F:\WINDOWS\NeroDigital.ini

[2010/06/03 12:55:55 | 000,002,451 | ---- | M] () -- F:\Documents and Settings\Preetam\Desktop\HiJackThis.lnk

[2010/06/03 11:29:00 | 000,000,934 | ---- | M] () -- F:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1417001333-682003330-1003Core.job

[2010/06/02 22:26:39 | 000,001,643 | ---- | M] () -- F:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/05/31 15:04:37 | 000,001,374 | ---- | M] () -- F:\WINDOWS\imsins.BAK

[2010/05/30 15:48:27 | 000,000,942 | ---- | M] () -- F:\Documents and Settings\Preetam\Desktop\Spybot.lnk

[2010/05/29 17:05:22 | 001,573,080 | ---- | M] () -- F:\WINDOWS\System32\FNTCACHE.DAT

[2010/05/29 11:08:18 | 000,392,748 | R--- | M] () -- F:\WINDOWS\System32\drivers\etc\hosts

[2010/05/29 10:24:55 | 000,023,392 | ---- | M] () -- F:\WINDOWS\System32\nscompat.tlb

[2010/05/29 10:24:55 | 000,016,832 | ---- | M] () -- F:\WINDOWS\System32\amcompat.tlb

[2010/05/29 10:23:09 | 000,002,206 | ---- | M] () -- F:\WINDOWS\System32\wpa.dbl

[2010/05/29 01:53:42 | 000,215,040 | -HS- | M] () -- F:\WINDOWS\System32\wmpstvd.exe

[2010/05/28 19:58:09 | 000,054,156 | -H-- | M] () -- F:\WINDOWS\QTFont.qfn

[2010/05/28 13:18:09 | 000,000,784 | ---- | M] () -- F:\WINDOWS\win.ini

[2010/05/28 13:17:25 | 000,316,640 | ---- | M] () -- F:\WINDOWS\WMSysPr9.prx

[2010/05/28 13:16:49 | 000,000,000 | -H-- | M] () -- F:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf

[2010/05/28 12:43:52 | 000,000,780 | RHS- | M] () -- F:\WINDOWS\System32\drivers\etc\hosts.20100529-110818.backup

[2010/05/21 18:12:24 | 000,046,779 | ---- | M] () -- F:\Documents and Settings\Preetam\My Documents\21077_1336972697133_1015564846_31008624_69305_n.jpg

[2010/05/20 12:55:26 | 000,106,411 | ---- | M] () -- F:\Documents and Settings\Preetam\My Documents\Chelsea records and statistics.docx

[2010/05/20 11:10:46 | 000,000,806 | ---- | M] () -- F:\Documents and Settings\Preetam\Desktop\YouTube Downloader.lnk

[2010/05/20 11:10:08 | 003,170,832 | ---- | M] () -- F:\Documents and Settings\Preetam\My Documents\YouTubeDownloaderSetup255.exe

[2010/05/13 09:50:25 | 000,000,639 | ---- | M] () -- F:\Documents and Settings\All Users\Desktop\


Un-install any torrent or filesharing peer-to-peer programs and confirm having done so.

Un-install Bittorrent and uTorrent.

Your logs showed some peer-to-peer filesharing apps. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Step 2

Do NOT do any websurfing, NO online games, etc. Go only to this forum and the sites I guide you to.

Right click the Spybot Icon (blue icon with lock) in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

Step 3

  • Please double-click OTL.scr to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    killallprocesses
    :files
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "games"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1100c893-e240-11dd-bc7e-00e0610636e2}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6b69ec8-5469-11df-b0d9-00e061061709}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fffee303-efe3-11dc-8b2b-00e061062019}]
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 4

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of the OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of the OTL MovedFiles log and C:\Combofix.txt


Followed the steps as suggested...

But as soon as I double clicked on ComboFix...it showed something..gave a slight beep..and restarted...

On restart..Windows gave an error report and told that " Your Computer recovered from a serious problem"

Nothing else happened...

As advised by you..I did not run the ComboFix second time..

Below is the log file of _OTL\MovedFiles

All processes killed

========== PROCESSES ==========

========== FILES ==========

C:\RECYCLER\S-1-5-21-448539723-1417001333-682003330-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451 folder moved successfully.

C:\RECYCLER folder moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

f:\RECYCLER\S-1-5-21-448539723-1417001333-682003330-1003 folder moved successfully.

f:\RECYCLER folder moved successfully.

g:\RECYCLER\S-1-5-21-448539723-1417001333-682003330-1003 folder moved successfully.

g:\RECYCLER folder moved successfully.

h:\RECYCLER\S-1-5-21-448539723-1417001333-682003330-1003 folder moved successfully.

h:\RECYCLER folder moved successfully.

========== REGISTRY ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\games not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1100c893-e240-11dd-bc7e-00e0610636e2}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1100c893-e240-11dd-bc7e-00e0610636e2}\ not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6b69ec8-5469-11df-b0d9-00e061061709}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b6b69ec8-5469-11df-b0d9-00e061061709}\ not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fffee303-efe3-11dc-8b2b-00e061062019}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fffee303-efe3-11dc-8b2b-00e061062019}\ not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LAN Account

->Temp folder emptied: 598643 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 134 bytes

User: LocalService

->Temp folder emptied: 65984 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Others

->Temp folder emptied: 916214 bytes

->Temporary Internet Files folder emptied: 33654 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 134 bytes

User: Preetam

->Temp folder emptied: 8734244 bytes

->Temporary Internet Files folder emptied: 95377051 bytes

->Java cache emptied: 11653066 bytes

->FireFox cache emptied: 69012825 bytes

->Google Chrome cache emptied: 11524763 bytes

->Flash cache emptied: 65431 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 16673757 bytes

%systemroot%\System32 .tmp files removed: 3989009 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 16384 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 209.00 mb

Error starting restore point: System Restore is disabled.

Error closing restore point: System Restore is disabled.

OTL by OldTimer - Version 3.2.5.3 log created on 06042010_204004

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

The problem still persists...
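The OTL fix log above reports the outcome of every target named in the fix script on its own line: `moved successfully`, `deleted successfully`, `not found`, the bytes each [emptytemp] step freed, and errors such as the [CREATERESTOREPOINT] failure. The added Python parser below (example code, not part of this thread and not OTL's own tooling) summarises such a log so that two things stand out at a glance: which script targets did not exist (here the `games` value was looked up under HKEY_LOCAL_MACHINE, while the HijackThis log posted later in the thread lists it under HKCU), and that no restore point was taken because System Restore was disabled. `SAMPLE_OTL_LOG` is a constructed excerpt patterned on the log above; `parse_otl_fix_log` and `restore_point_failed` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt in the format of the OTL fix log posted above (not the full log).
SAMPLE_OTL_LOG = r"""
All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451 folder moved successfully.
C:\RECYCLER folder moved successfully.
File\Folder D:\recycler not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\games not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1100c893-e240-11dd-bc7e-00e0610636e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1100c893-e240-11dd-bc7e-00e0610636e2}\ not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Preetam
->Temp folder emptied: 8734244 bytes
->FireFox cache emptied: 69012825 bytes
%systemroot% .tmp files removed: 16673757 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 209.00 mb
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.
OTL by OldTimer - Version 3.2.5.3 log created on 06042010_204004
"""


@dataclass
class OtlFixSummary:
    processes_killed: bool = False
    last_section: str = ""
    moved: List[str] = field(default_factory=list)      # files/folders OTL moved to its quarantine
    deleted: List[str] = field(default_factory=list)    # registry keys/values OTL deleted
    not_found: List[str] = field(default_factory=list)  # script targets that did not exist
    bytes_freed: int = 0                                # sum of the per-step "N bytes" figures
    errors: List[str] = field(default_factory=list)     # "Error ..." lines, e.g. restore point failures


SECTION_RE = re.compile(r"^=+\s*(\w+)\s*=+$")
MOVED_RE = re.compile(r"^(?P<target>.+?) (?:folder|file) moved successfully\.$")
NOTFOUND_FILE_RE = re.compile(r"^File\\Folder (?P<target>.+?) not found\.$")
REG_RE = re.compile(r"^Registry (?:key|value) (?P<target>.+?) (?P<result>deleted successfully|not found)\.$")
BYTES_RE = re.compile(r": (?P<n>\d+) bytes$")
ERROR_RE = re.compile(r"^Error (?P<what>.+)$")


def parse_otl_fix_log(text: str) -> OtlFixSummary:
    """Walk an OTL fix log line by line and collect what was moved, deleted, missing or failed."""
    s = OtlFixSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "All processes killed":
            s.processes_killed = True
            continue
        m = SECTION_RE.match(line)
        if m:
            s.last_section = m.group(1)
            continue
        m = MOVED_RE.match(line)
        if m:
            s.moved.append(m.group("target"))
            continue
        m = NOTFOUND_FILE_RE.match(line)
        if m:
            s.not_found.append(m.group("target"))
            continue
        m = REG_RE.match(line)
        if m:
            bucket = s.deleted if m.group("result") == "deleted successfully" else s.not_found
            bucket.append(m.group("target"))
            continue
        m = BYTES_RE.search(line)
        if m:
            s.bytes_freed += int(m.group("n"))
            continue
        m = ERROR_RE.match(line)
        if m:
            s.errors.append(m.group("what"))
    return s


def restore_point_failed(summary: OtlFixSummary) -> bool:
    """True when OTL could not create a restore point, so there is no rollback for this fix."""
    return any("restore point" in e for e in summary.errors)


if __name__ == "__main__":
    result = parse_otl_fix_log(SAMPLE_OTL_LOG)
    print(f"moved: {len(result.moved)}, deleted: {len(result.deleted)}, "
          f"not found: {len(result.not_found)}, bytes freed: {result.bytes_freed}")
    for target in result.not_found:
        print("  not found:", target)
    if restore_point_failed(result):
        print("  WARNING: no restore point was created before the fix")
```

The `not_found` list is the part worth reading before asking for the next round of fixes: a registry target that "was not found" in one hive may simply live in another, and a missing restore point means the only rollback for the fix is OTL's own MovedFiles quarantine.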


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Step 2

RE-Enable your AntiVirus and AntiSpyware applications.

Now, de-install the version you have of Hijackthis.

Download and SAVE HijackThis

Save the HJT to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.exe to start it.

Do a "Scan and Save log".

Step 3

Reply with a copy of the contents of the ESET scan log and the HijackThis log

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


Hi...

I tried to follow all the processes..but I could not scan my PC with ESET Online Scanner because of internet problems.

Instead I ran a scan with my Avira Antivirus and got the following detections:

C:\System Vol..\A0075684.exe -- Is the TR/Buzus.efrp Trojan

C:\System Vol..\A0075467.exe -- Is the TR/Agent.apse.1 Trojan

C:\System Vol..\A0075485.exe -- Is the TR/Buzus.efrp Trojan

D:\WINDOWS\..\wmpstvd.exe -- Contains a recognition pattern of the (harmful) BDS/Eggdrop.bmg back-door program

And here is the HijackThis log :

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:51:47 PM, on 6/5/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\Program Files\Avira\AntiVir Desktop\sched.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\ntvdm.exe

F:\Program Files\Winamp\winampa.exe

F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

F:\Program Files\Java\jre6\bin\jqs.exe

F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

F:\Program Files\HP\HP Software Update\HPWuSchd2.exe

F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

F:\Program Files\Google\Google Talk\googletalk.exe

F:\Program Files\DAEMON Tools\daemon.exe

F:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

F:\Program Files\Avira\AntiVir Desktop\avgnt.exe

F:\WINDOWS\system32\RUNDLL32.EXE

F:\WINDOWS\RTHDCPL.EXE

F:\Program Files\Common Files\Java\Java Update\jusched.exe

F:\WINDOWS\system32\ctfmon.exe

F:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

F:\WINDOWS\system32\nvsvc32.exe

F:\Program Files\CyberLink\Shared files\RichVideo.exe

F:\WINDOWS\system32\svchost.exe

F:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

F:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

F:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

F:\Program Files\OpenOffice.org 2.4\program\soffice.exe

F:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

F:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

F:\Program Files\Internet Explorer\IEXPLORE.EXE

F:\WINDOWS\system32\wuauclt.exe

F:\WINDOWS\system32\wuauclt.exe

F:\WINDOWS\system32\msiexec.exe

F:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F3 - REG:win.ini: load= F:\TCWIN45\PIPELINE\remind.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "F:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "F:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [googletalk] F:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [conime.exe] conime.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [sRS Audio Sandbox] "F:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme

O4 - HKCU\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\Preetam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [games] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-21-448539723-1417001333-682003330-1004\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe (User 'Others')

O4 - S-1-5-21-448539723-1417001333-682003330-1004 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = F:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Others')

O4 - Startup: OpenOffice.org 2.4.lnk = F:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

O4 - Global Startup: 24Online Client.lnk = F:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: &Search - ?p=ZNfox000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{00760D3A-C2B9-4134-AA57-B8753E82C80B}: NameServer = 192.168.100.1,202.54.29.5

O17 - HKLM\System\CS1\Services\Tcpip\..\{00760D3A-C2B9-4134-AA57-B8753E82C80B}: NameServer = 192.168.100.1,202.54.29.5

O17 - HKLM\System\CS2\Services\Tcpip\..\{00760D3A-C2B9-4134-AA57-B8753E82C80B}: NameServer = 192.168.100.1,202.54.29.5

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - F:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation - C:\orant\bin\xsolap.exe

O23 - Service: Oracle OLAP Agent - Unknown owner - C:\orant\bin\xsaagent.exe

O23 - Service: OracleDEFAULT_HOMEClientCache - Unknown owner - C:\orant\BIN\ONRSD.EXE

O23 - Service: OracleDEFAULT_HOMEPagingServer - Unknown owner - C:\orant/bin/pagntsrv.exe

O23 - Service: OracleDEFAULT_HOMESNMPPeerEncapsulator - Unknown owner - C:\orant\BIN\ENCSVC.EXE

O23 - Service: OracleDEFAULT_HOMESNMPPeerMasterAgent - Unknown owner - C:\orant\BIN\AGNTSVC.EXE

O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - C:\orant\bin\osagent.exe

--

End of file - 10687 bytes

The few problems I used to face like the Spybot vanishing and all are gone...and I can view the hidden objects too now..

Does that mean my PC is clean ?


No, do not jump to conclusions. The system cannot be said to be "clean". We are not done yet. There's more to do.

Step 1

First, disable Tea Timer and keep it that way while we are removing malware(s).

Especially if you are not familiar with all implications of its usage, do NOT re-activate it.

Start Spybot-S&D and switch to Advanced mode via the menu bar item Mode, then select Advanced Mode.

On the left-hand side, select Tools.

Then click on the Resident icon in the list

Uncheck Resident TeaTimer and OK any prompts.

Now Logoff & Restart your computer fresh.

Step 2

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKCU\..\Run: [games] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

Step 3

Disable the options "Automatically detect settings" and "Use automatic configuration script."

To do this:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

Step 4

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Delete the copy you have of Combofix.exe (red-lion icon) and get the latest version.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of the OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt
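The triage the helper did by eye in Step 2 (an autorun entry launching from a RECYCLER folder, a proxy-related R1 entry, browser add-ons whose files are missing) follows rules that can be applied mechanically to a HijackThis log. The added Python script below (example code, not part of this thread and not HijackThis's own tooling) parses the `Xn - ...` entry lines and reports findings with a severity; `SAMPLE_HJT_LOG` is a constructed excerpt patterned on the log posted earlier in the thread, and `triage`, `summarize` and the rule names are chosen for this example. It covers a few more entry types (O17 name servers, O20 AppInit_DLLs, unresolved startup shortcuts) than the helper needed here, purely as items to review, not as verdicts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, patterned on the HijackThis log posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
F:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [conime.exe] conime.exe
O4 - HKCU\..\Run: [games] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{00760D3A-C2B9-4134-AA57-B8753E82C80B}: NameServer = 192.168.100.1,202.54.29.5
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - F:\Program Files\Avira\AntiVir Desktop\sched.exe
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Inside an O4 registry entry: "[name] target args", where target may be quoted.
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|scr|com|bat|cmd|pif))(?:\s|$)", re.I)


@dataclass
class Finding:
    rule: str      # which rule fired
    severity: str  # "high", "medium" or "review"
    line: str      # the HijackThis line that triggered it


def _o4_target(rest: str) -> str:
    """Return the program path from the text after the [name] of an O4 entry."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    m = EXE_RE.match(rest)
    return m.group("path") if m else rest


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, "End of file" etc.
        kind, body = m.group("type"), m.group("body")
        if kind == "O4":
            o4 = O4_RE.search(body)
            if o4 is None:
                # Startup-folder shortcut; "= ?" means HijackThis could not resolve its target.
                if body.endswith("= ?"):
                    findings.append(Finding("unresolved-startup-shortcut", "review", line))
                continue
            target = _o4_target(o4.group("rest"))
            if re.search(r"\\RECYCLER\\", target, re.I):
                # A Recycle Bin folder is not a place legitimate software installs an autorun binary.
                findings.append(Finding("autorun-from-recycler", "high", line))
            elif not re.match(r"^[A-Za-z]:\\", target):
                # Bare file name resolved via PATH at logon; the log alone cannot say which binary runs.
                findings.append(Finding("autorun-unqualified-path", "review", line))
        elif kind in ("O2", "O9") and body.endswith("(file missing)"):
            findings.append(Finding("orphaned-browser-addon", "review", line))
        elif kind == "R1" and "Proxy" in body:
            # Proxy-related entries deserve a look on a machine that should not be using a proxy.
            findings.append(Finding("proxy-setting-present", "medium", line))
        elif kind == "O17":
            # Compare the listed name servers with what the router or ISP actually hands out.
            findings.append(Finding("dns-server-setting", "review", line))
        elif kind == "O20":
            # AppInit_DLLs are loaded into every process that loads user32.dll; confirm the vendor.
            findings.append(Finding("appinit-dll", "review", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    print(summarize(results))
    for f in results:
        print(f"[{f.severity:6}] {f.rule:28} {f.line}")
```

Only the `autorun-from-recycler` rule is a strong indicator on its own; the "review" items are there so that a reader checks them against the vendor and the machine's expected configuration, which is exactly what the helper did before naming the three lines to fix.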


Followed all the above mentioned steps...

Here is the log file....

ComboFix 10-06-09.02 - Preetam 06/10/2010 16:58:36.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1981.1456 [GMT 5.5:30]

Running from: f:\documents and settings\Preetam\Desktop\Combo-Fix.exe

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

f:\windows\winhelp.ini

Infected copy of f:\windows\pchealth\helpctr\binaries\msconfig.exe was found and disinfected

Restored copy from - f:\windows\system32\dllcache\msconfig.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SSHNAS

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 11:11 . 2010-06-10 11:15 -------- d-----w- F:\Combo-Fix

2010-06-07 07:37 . 2010-06-07 07:37 -------- d-----w- f:\documents and settings\Preetam\Application Data\Avira

2010-06-07 03:45 . 2010-06-07 03:45 -------- d-----w- F:\FIFA 09 Image

2010-06-04 15:10 . 2010-06-04 15:10 -------- d-----w- F:\_OTL

2010-06-03 07:24 . 2010-06-05 12:21 388096 ----a-r- f:\documents and settings\Preetam\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-03 07:24 . 2010-06-03 07:24 -------- d-----w- f:\program files\Trend Micro

2010-05-29 08:35 . 2010-05-29 08:35 -------- d-----w- f:\program files\MSXML 4.0

2010-05-29 06:58 . 2008-06-13 13:10 272128 -c----w- f:\windows\system32\dllcache\bthport.sys

2010-05-29 06:58 . 2008-06-13 13:10 272128 ------w- f:\windows\system32\drivers\bthport.sys

2010-05-29 06:46 . 2010-02-16 13:19 2181376 -c----w- f:\windows\system32\dllcache\ntoskrnl.exe

2010-05-29 06:46 . 2010-02-16 13:17 2137088 -c----w- f:\windows\system32\dllcache\ntkrnlmp.exe

2010-05-29 06:46 . 2010-02-16 12:39 2058368 -c----w- f:\windows\system32\dllcache\ntkrnlpa.exe

2010-05-29 06:46 . 2010-02-16 12:39 2016768 -c----w- f:\windows\system32\dllcache\ntkrpamp.exe

2010-05-29 06:36 . 2010-02-24 12:31 454016 -c----w- f:\windows\system32\dllcache\mrxsmb.sys

2010-05-29 05:39 . 2010-05-29 05:39 -------- d-----w- f:\windows\ServicePackFiles

2010-05-29 05:03 . 2010-05-31 09:28 -------- d--h--w- f:\windows\$hf_mig$

2010-05-29 04:42 . 2010-05-29 04:42 -------- d-----w- f:\program files\Common Files\DFX

2010-05-28 07:49 . 2004-08-04 04:56 25600 ----a-w- f:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-05-28 07:48 . 2010-05-29 04:54 -------- d-----w- f:\program files\Windows Media Connect 2

2010-05-28 07:46 . 2010-05-28 07:47 -------- d-----w- f:\windows\system32\drivers\UMDF

2010-05-28 07:46 . 2010-05-28 07:46 -------- d-----w- f:\windows\system32\LogFiles

2010-05-24 05:10 . 2010-05-24 05:10 503808 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62661055-n\msvcp71.dll

2010-05-24 05:10 . 2010-05-24 05:10 499712 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62661055-n\jmc.dll

2010-05-24 05:10 . 2010-05-24 05:10 348160 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62661055-n\msvcr71.dll

2010-05-24 05:08 . 2010-05-24 05:08 61440 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4dc2cd8b-n\decora-sse.dll

2010-05-24 05:08 . 2010-05-24 05:08 12800 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4dc2cd8b-n\decora-d3d.dll

2010-05-13 04:19 . 2010-06-04 14:57 -------- d-----w- f:\documents and settings\Preetam\Application Data\uTorrent

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 11:34 . 2008-08-05 11:38 -------- d-----w- f:\documents and settings\Preetam\Application Data\OpenOffice.org2

2010-06-10 11:32 . 2008-06-22 16:18 770080 --sha-w- f:\windows\system32\drivers\fidbox2.dat

2010-06-10 11:32 . 2008-06-22 16:18 6856 --sha-w- f:\windows\system32\drivers\fidbox2.idx

2010-06-10 11:32 . 2008-06-22 16:18 3903008 --sha-w- f:\windows\system32\drivers\fidbox.dat

2010-06-10 11:32 . 2008-06-22 16:18 34716 --sha-w- f:\windows\system32\drivers\fidbox.idx

2010-06-07 03:54 . 2008-06-02 08:11 -------- d-----w- f:\program files\EA SPORTS

2010-06-05 12:17 . 2010-03-27 06:26 -------- d-----w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-30 12:40 . 2010-03-27 06:26 -------- d-----w- f:\program files\Spybot - Search & Destroy

2010-05-29 05:38 . 2008-05-28 08:22 -------- d-----w- f:\program files\Opera

2010-05-29 04:43 . 2007-12-22 06:37 -------- d-----w- f:\program files\DFX

2010-05-29 04:42 . 2008-02-18 06:38 -------- d-----w- f:\program files\Common Files\Wise Installation Wizard

2010-05-03 14:53 . 2008-05-28 08:20 -------- d-----w- f:\program files\Common Files\Adobe

2010-04-29 12:37 . 2010-04-14 03:55 -------- d-----w- f:\program files\Ubi Soft

2010-04-25 12:50 . 2010-04-25 12:50 503808 ----a-w- f:\documents and settings\Others\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6580c53f-n\msvcp71.dll

2010-04-25 12:50 . 2010-04-25 12:50 499712 ----a-w- f:\documents and settings\Others\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6580c53f-n\jmc.dll

2010-04-25 12:50 . 2010-04-25 12:50 348160 ----a-w- f:\documents and settings\Others\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6580c53f-n\msvcr71.dll

2010-04-25 12:49 . 2010-04-25 12:49 61440 ----a-w- f:\documents and settings\Others\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-68d23aad-n\decora-sse.dll

2010-04-25 12:49 . 2010-04-25 12:49 12800 ----a-w- f:\documents and settings\Others\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-68d23aad-n\decora-d3d.dll

2010-04-25 12:44 . 2010-04-25 12:44 -------- d-----w- f:\documents and settings\Others\Application Data\Nero

2010-04-25 12:44 . 2010-04-25 12:44 -------- d-----w- f:\documents and settings\Others\Application Data\PC Suite

2010-04-20 17:20 . 2007-12-20 14:52 73808 ----a-w- f:\documents and settings\Preetam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-20 17:19 . 2010-04-20 17:19 -------- d-----w- f:\documents and settings\All Users\Application Data\FLEXnet

2010-04-14 04:06 . 2004-07-17 15:36 12400 ----a-w- f:\windows\system32\drivers\secdrv.sys

2010-04-14 03:55 . 2007-12-20 14:50 -------- d--h--w- f:\program files\InstallShield Installation Information

2010-04-04 05:54 . 2010-04-04 05:54 503808 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4b2be586-n\msvcp71.dll

2010-04-04 05:54 . 2010-04-04 05:54 499712 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4b2be586-n\jmc.dll

2010-04-04 05:54 . 2010-04-04 05:54 348160 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4b2be586-n\msvcr71.dll

2010-04-04 05:53 . 2010-04-04 05:53 61440 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3058ccc5-n\decora-sse.dll

2010-04-04 05:53 . 2010-04-04 05:53 12800 ----a-w- f:\documents and settings\Preetam\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3058ccc5-n\decora-d3d.dll

2010-03-17 04:43 . 2010-03-17 04:43 2678 -c--a-w- f:\windows\java\Packages\Data\K435JJL7.DAT

2010-03-17 04:43 . 2010-03-17 04:43 2678 -c--a-w- f:\windows\java\Packages\Data\W3HZRVH3.DAT

2010-03-17 04:43 . 2010-03-17 04:43 2678 -c--a-w- f:\windows\java\Packages\Data\TBL7L37N.DAT

2010-03-17 04:43 . 2010-03-17 04:43 2678 -c--a-w- f:\windows\java\Packages\Data\7TJV97VR.DAT

.

------- Sigcheck -------

[7] 2004-08-07 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . f:\windows\system32\dllcache\acpiec.sys

[-] 2004-08-07 00:15 . DD0211D21967012A6590F5E3FCB9299A . 11648 . . [------] . . f:\windows\system32\drivers\acpiec.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="f:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 3810544]

"NVIDIA nTune"="f:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]

"Google Update"="f:\documents and settings\Preetam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="f:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"="f:\program files\Winamp\winampa.exe" [2006-10-25 35328]

"RemoteControl"="f:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]

"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]

"nwiz"="nwiz.exe" [2007-10-04 1626112]

"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2007-10-04 8491008]

"NeroFilterCheck"="f:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"NBKeyScan"="f:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]

"LanguageShortcut"="f:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]

"HP Software Update"="f:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 49152]

"GrooveMonitor"="f:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"googletalk"="f:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"DAEMON Tools"="f:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]

"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]

"avgnt"="f:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2007-10-04 81920]

"RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]

"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"conime.exe"="conime.exe" [2004-08-04 27648]

f:\documents and settings\Others\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - f:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

f:\documents and settings\Preetam\Start Menu\Programs\Startup\

OpenOffice.org 2.4.lnk - f:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

f:\documents and settings\All Users\Start Menu\Programs\Startup\

24Online Client.lnk - f:\program files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2003-12-17 245760]

HP Digital Imaging Monitor.lnk - f:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Picture Package Menu.lnk - f:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-1-1 151552]

Picture Package VCD Maker.lnk - f:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2008-1-1 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"f:\\Program Files\\NetMeeting\\conf.exe"=

"f:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"f:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"f:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"g:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"f:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\orant\\BIN\\xsaagent.exe"=

"f:\\Program Files\\Counter-Strike\\hl.exe"=

"f:\\Program Files\\Play+Smile\\Texas Hold'em Poker 3D - Deluxe Edition\\Poker3d.exe"=

"f:\\Program Files\\Counter-Strike\\hlds.exe"=

"f:\\Program Files\\Skype\\Phone\\Skype.exe"=

"f:\\Program Files\\MotoGP2\\motogp2.exe"=

"f:\\Documents and Settings\\Preetam\\My Documents\\TMS2003\\Tennis Masters Series 2003.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:Red Swoosh

"5000:UDP"= 5000:UDP:Red Swoosh

R0 klbg;Kaspersky Lab Boot Guard Driver;f:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;f:\program files\Avira\AntiVir Desktop\sched.exe [7/10/2009 11:18 AM 135336]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;f:\windows\system32\drivers\klim5.sys [3/25/2008 8:07 PM 24592]

R3 NVHDA;Service for NVIDIA HDMI Audio Driver;f:\windows\system32\drivers\nvhda32.sys [12/20/2007 8:23 PM 26272]

S3 OracleDEFAULT_HOMEClientCache;OracleDEFAULT_HOMEClientCache;c:\orant\BIN\ONRSD.EXE [8/14/2001 6:25 PM 425828]

S3 OracleDEFAULT_HOMEPagingServer;OracleDEFAULT_HOMEPagingServer;c:\orant\BIN\pagntsrv.exe [8/28/2001 5:07 PM 52224]

S3 OracleDEFAULT_HOMESNMPPeerEncapsulator;OracleDEFAULT_HOMESNMPPeerEncapsulator;c:\orant\BIN\encsvc.exe [8/16/2001 8:18 PM 189952]

S3 OracleDEFAULT_HOMESNMPPeerMasterAgent;OracleDEFAULT_HOMESNMPPeerMasterAgent;c:\orant\BIN\agntsvc.exe [8/16/2001 8:18 PM 256512]

S3 xsSmartAgent;Visibroker Smart Agent;c:\orant\BIN\osagent.exe [3/30/2001 4:42 PM 205312]

S4 OracleDEFAULT_HOMEAgent;OracleDEFAULT_HOMEAgent;c:\orant\BIN\agntsrvc.exe [8/16/2001 8:18 PM 16656]

S4 OracleDEFAULT_HOMEHTTPServer;OracleDEFAULT_HOMEHTTPServer;c:\orant\Apache\Apache\Apache.exe [8/17/2001 2:49 PM 3584]

S4 OracleDEFAULT_HOMETNSListener;OracleDEFAULT_HOMETNSListener;c:\orant\BIN\TNSLSNR --> c:\orant\BIN\TNSLSNR [?]

S4 OracleServicePREETAM;OracleServicePREETAM;c:\orant\bin\ORACLE.EXE PREETAM --> c:\orant\bin\ORACLE.EXE PREETAM [?]

S4 sptd;sptd;f:\windows\system32\drivers\sptd.sys [12/25/2007 11:10 AM 715248]

.

Contents of the 'Scheduled Tasks' folder

2010-06-03 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1417001333-682003330-1003Core.job

- f:\documents and settings\Preetam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 14:27]

2010-06-10 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1417001333-682003330-1003UA.job

- f:\documents and settings\Preetam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 14:27]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {00760D3A-C2B9-4134-AA57-B8753E82C80B} = 192.168.100.1,202.54.29.5

FF - ProfilePath - f:\documents and settings\Preetam\Application Data\Mozilla\Firefox\Profiles\p4gcre2o.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/

FF - plugin: f:\documents and settings\Preetam\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: f:\documents and settings\Preetam\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----

f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

f:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-SRS Audio Sandbox - f:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe

Notify-WgaLogon - (no file)

AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - m:\spybot - search & destroy\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 17:04

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleDEFAULT_HOMEPagingServer]

"ImagePath"="C:\orant/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleDEFAULT_HOMETNSListener]

"ImagePath"="c:\orant\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\f:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1417001333-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)

f:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(1216)

f:\windows\system32\msi.dll

f:\windows\system32\WPDShServiceObj.dll

f:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

f:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

f:\windows\system32\ConnAPI.DLL

f:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

f:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

f:\windows\system32\PortableDeviceTypes.dll

f:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

f:\program files\Java\jre6\bin\jqs.exe

f:\program files\Nero\Nero8\Nero BackItUp\NBService.exe

f:\program files\NVIDIA Corporation\nTune\nTuneService.exe

f:\windows\system32\nvsvc32.exe

f:\program files\CyberLink\Shared files\RichVideo.exe

f:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

f:\progra~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

f:\windows\system32\RUNDLL32.EXE

f:\windows\RTHDCPL.EXE

f:\documents and settings\Preetam\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe

f:\windows\system32\wscntfy.exe

f:\program files\Common Files\Nero\Lib\NMIndexingService.exe

f:\program files\OpenOffice.org 2.4\program\soffice.exe

f:\program files\OpenOffice.org 2.4\program\soffice.BIN

f:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

f:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

f:\program files\Yahoo!\Messenger\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-06-10 17:08:44 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-10 11:38

Pre-Run: 7,516,581,888 bytes free

Post-Run: 7,252,234,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

;

;Warning: Boot.ini is used on Windows XP and earlier operating systems.

;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.

;

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

- - End Of File - - FBE3C3169C3DC433F5C8A272C2D6715F

Awaiting new instructions....

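The ComboFix log above carries two things a responder normally checks by eye: the Sigcheck section lists acpiec.sys twice with different MD5 values (the dllcache copy and the copy under drivers), and several Run-key values name a bare executable ("nwiz.exe", "RTHDCPL.EXE", "conime.exe") rather than an absolute path. The following Python script is an added example, not part of the thread and not ComboFix's own code: it parses those two sections from a log in this format and flags hash mismatches per file name and path-less autostart entries. The sample input is a handful of lines copied from the log above; the bracketed ComboFix flags ([7], [-]) are carried through unchanged because their meaning is not documented in the thread, so only the hash comparison is used. Flagged entries are items to verify by hand, not a malware verdict. The same path check applies to the O4 lines in the HijackThis log further down.

```python
"""Triage helpers for a ComboFix log (added example; not ComboFix code).

Checks performed:
  1. Sigcheck: the same file name listed with more than one MD5, e.g. the
     dllcache copy versus the drivers copy of acpiec.sys in the log above.
  2. Run keys: autostart values that name a bare executable instead of an
     absolute path. Windows resolves those through the PATH search order at
     logon, so the file that actually runs is whichever same-named file is
     found first; such entries are worth verifying by hand.
"""
import ntpath
import re
from collections import defaultdict

# Lines copied from the ComboFix log posted above (a constructed subset).
SAMPLE_LOG = r"""
------- Sigcheck -------
[7] 2004-08-07 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . f:\windows\system32\dllcache\acpiec.sys
[-] 2004-08-07 00:15 . DD0211D21967012A6590F5E3FCB9299A . 11648 . . [------] . . f:\windows\system32\drivers\acpiec.sys
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="f:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 3810544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-10-04 1626112]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]
"conime.exe"="conime.exe" [2004-08-04 27648]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# One Sigcheck line: [flag] date [time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r'^\[(?P<flag>[^\]]*)\]\s+'
    r'(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+'
    r'(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+'
    r'(?P<size>\d+)\s+\.\s+\.\s+'
    r'\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+'
    r'(?P<path>\S.*?)\s*$'
)
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?\s*$')
ABS_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\)')         # drive letter or UNC


def parse_sigcheck(log_text):
    """Return one dict per Sigcheck line (flag, date, md5, size, version, path)."""
    records = []
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec['md5'] = rec['md5'].upper()
            rec['size'] = int(rec['size'])
            records.append(rec)
    return records


def sigcheck_mismatches(records):
    """Group Sigcheck records by file name (case-insensitive) and keep only
    names seen with more than one distinct MD5."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[ntpath.basename(rec['path']).lower()].append(rec)
    return {name: recs for name, recs in by_name.items()
            if len({r['md5'] for r in recs}) > 1}


def parse_run_entries(log_text):
    """Return (key, value name, command) for every value under a ...\\Run key,
    tracking the current [HKEY...] header so values of other keys are skipped."""
    entries, current_key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key and current_key.upper().endswith('\\RUN'):
            entries.append((current_key, vm.group('name'), vm.group('cmd')))
    return entries


def pathless_run_entries(entries):
    """Entries whose command is not an absolute path (resolved via PATH search)."""
    return [e for e in entries if not ABS_PATH_RE.match(e[2].strip().strip('"'))]


def triage(log_text):
    """Run both checks on a log and return the findings."""
    return {
        'sigcheck_mismatches': sigcheck_mismatches(parse_sigcheck(log_text)),
        'pathless_run_entries': pathless_run_entries(parse_run_entries(log_text)),
    }


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for name, recs in result['sigcheck_mismatches'].items():
        print(f'hash mismatch for {name}:')
        for r in recs:
            print(f"  [{r['flag']}] {r['md5']} {r['path']}")
    for key, name, cmd in result['pathless_run_entries']:
        print(f'path-less autostart: {key} -> "{name}"="{cmd}"')
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; a mismatch only says the two copies differ, so the next step is to compare the live file against a known-good copy from installation media or a trusted hash source, as ComboFix did for msconfig.exe by restoring it from dllcache.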

Please get & Save this version of Malwarebytes (MBAM): Click the link here

Save it on your desktop. You'll see it will have a random name.

Double-click on it to start it. It will extract the files and will start Malwarebytes automatically.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards.

Next, Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Copy and Paste the contents of MBAM log into next reply

and copy of Checkup.txt


Hi...

Sorry for replying late.

As I told you earlier I am having exams.

Anyways,

Tried to follow the steps as mentioned by you.

After downloading Malwarebytes' Anti-Malware and extracting it, it is giving me the following problems:

The database could not be found. Would you like to download a new copy ?

On clicking "Yes" ....

An error has occured. Please report this error code to our support team.

MBAM_ERROR_UPDATING (0, 0, SHRegGetPath)

On clicking "OK"

An error has occured. Please report this error code to our support team.

MBAM_ERROR_LOAD_DATABASE (2, 0)

The system cannot find the file specified.

Please tell me what I should do next?


Please follow this sequence for MBAM removal & re-install:

1) Go to Control Panel and Add-or-Remove programs.

Uninstall Malwarebytes' Anti-Malware if present.

Exit Control Panel

Delete the MBAM .exe you downloaded before.

2) Log off and restart your computer.

Get, save, and then run the utility at the following link

http://www.malwarebytes.org/mbam-clean.exe

3) Log off and restart your computer again.

4) Now, reinstall Malwarebytes' Anti-Malware.

You may download a fresh copy for the reinstall from the following link:

http://malwarebytes.org/mbam.php

If you purchased MBAM (have a license) you will need to re-enter your ID and Key afterwards to get the Protection module enabled.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.


Here is the log file :

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4202

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

6/16/2010 10:20:54 AM

mbam-log-2010-06-16 (10-20-54).txt

Scan type: Quick scan

Objects scanned: 143980

Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I was not asked to restart the computer after the scan completed.


Good run of MBAM! It will not ask for a restart when nothing is tagged.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Start HijackThis. Do a Scan and Save log.

Reply with copy of Checkup.txt

the new HijackThis log,

and tell me: how is your system now?


Following are the log files:

Checkup

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 6 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

Kaspersky Anti-Virus 2009

Antivirus out of date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Microsoft VM for Java

Java 6 Update 19

Java SE Runtime Environment 6

Java 6 Update 3

Java 6 Update 4

Java 6 Update 5

Java 6 Update 7

Java SE Development Kit 6

Java SE Development Kit 6 Update 7

Java 2 SDK, SE v1.4.2_04

Java DB 10.3.1.4

Out of date Java installed!

Adobe Flash Player 10.0.45.2

Adobe Reader 8.1.5

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.3)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

eLitecore Cyberoam Client for 24Online CyberoamClient.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

HijackThis

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 9:48:25 AM, on 6/17/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\Program Files\Avira\AntiVir Desktop\sched.exe

F:\Program Files\Java\jre6\bin\jqs.exe

F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

F:\WINDOWS\system32\nvsvc32.exe

F:\Program Files\CyberLink\Shared files\RichVideo.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\svchost.exe

F:\Program Files\Winamp\winampa.exe

F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

F:\Program Files\HP\HP Software Update\HPWuSchd2.exe

F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

F:\Program Files\Google\Google Talk\googletalk.exe

F:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

F:\Program Files\Avira\AntiVir Desktop\avgnt.exe

F:\WINDOWS\system32\RUNDLL32.EXE

F:\WINDOWS\RTHDCPL.EXE

F:\WINDOWS\system32\wscntfy.exe

F:\Program Files\Common Files\Java\Java Update\jusched.exe

F:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

F:\WINDOWS\system32\ctfmon.exe

F:\Documents and Settings\Preetam\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe

F:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

F:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

F:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe

F:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe

F:\Program Files\OpenOffice.org 2.4\program\soffice.exe

F:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

F:\Program Files\Mozilla Firefox\firefox.exe

F:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "F:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "F:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [googletalk] F:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [conime.exe] conime.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\Preetam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OpenOffice.org 2.4.lnk = F:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

O4 - Global Startup: 24Online Client.lnk = F:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{00760D3A-C2B9-4134-AA57-B8753E82C80B}: NameServer = 192.168.100.1,202.54.29.5

O17 - HKLM\System\CS1\Services\Tcpip\..\{00760D3A-C2B9-4134-AA57-B8753E82C80B}: NameServer = 192.168.100.1,202.54.29.5

O17 - HKLM\System\CS2\Services\Tcpip\..\{00760D3A-C2B9-4134-AA57-B8753E82C80B}: NameServer = 192.168.100.1,202.54.29.5

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - F:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation - C:\orant\bin\xsolap.exe

O23 - Service: Oracle OLAP Agent - Unknown owner - C:\orant\bin\xsaagent.exe

O23 - Service: OracleDEFAULT_HOMEClientCache - Unknown owner - C:\orant\BIN\ONRSD.EXE

O23 - Service: OracleDEFAULT_HOMEPagingServer - Unknown owner - C:\orant/bin/pagntsrv.exe

O23 - Service: OracleDEFAULT_HOMESNMPPeerEncapsulator - Unknown owner - C:\orant\BIN\ENCSVC.EXE

O23 - Service: OracleDEFAULT_HOMESNMPPeerMasterAgent - Unknown owner - C:\orant\BIN\AGNTSVC.EXE

O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - C:\orant\bin\osagent.exe

--

End of file - 9961 bytes

System is pretty good now a days..but it has become relatively slow..and the Antivirus Status is still "Unknown" .

Rest of the problems seem to have vanished.


This shows the system has 2 antivirus apps. If the Kaspersky was a trial or if the license has expired, de-install Kaspersky AV.

If on the other hand it is a current license, de-install Avira.

Having more than 1 active AV program leads to serious conflicts.

After you de-install one of these AVs, make sure to restart the system fresh !

Once you have that squared away, start the antivirus program, make sure on-access scanning is re-enabled, and use the program Update function to get it current.

You need a bunch of updates to programs, plus, the most important being to apply XP Service Pack 3. Otherwise, in a few weeks Microsoft Windows Updates will no longer offer support nor automatic updates.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

See this topic in the AumHa Security forum

http://aumha.net/viewtopic.php?f=26&t=43792

Older versions of Adobe Reader pose a potential security risk.

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader.

Get latest Adobe Reader version 9.3

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan

Adobe Flash Player is out-of-date. See about getting latest version

http://aumha.net/viewtopic.php?f=26&t=44180

For your next major task (after these cleanups), get XP service pack 3 !!

See Windows XP Service Pack 3 (SP3): Installation Guide

also Windows Xp Service Pack 3 (sp3) Information

http://www.bleepingcomputer.com/forums/topic146857.html

Hard disk space requirements for Windows XP Service Pack 3

http://support.microsoft.com/kb/947311/

After XP SP3, get Internet Explorer version 8.

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste Combo-fix /uninstall and then click OK.

  • Please double-click OTL to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.

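The read the helper makes of the log above (two antivirus engines registered as O23 services, hence a conflict), plus the other quick checks a reviewer does on a HijackThis log (dangling "(file missing)" registrations and O17 name servers outside an allow-list), as an added Python example that is not part of this thread or of HijackThis. The vendor keyword list and the expected-DNS allow-list are assumptions; the sample lines are constructed from the entries quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, built from entries quoted in the
# thread above (the paths and GUIDs are the thread's own).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{00760D3A-C2B9-4134-AA57-B8753E82C80B}: NameServer = 192.168.100.1,202.54.29.5
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - F:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
"""

# O23 lines are "Service: <name> - <vendor> - <path>"; name and vendor are taken lazily
# so a path containing " - " (as the Spybot folder does) stays intact.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)$")
MISSING_RE = re.compile(r"- (?P<path>[A-Z]:\\.+?) \(file missing\)$")
# Assumed keyword list: words that mark an O23 service as an antivirus engine.
AV_HINTS = ("avira", "antivir", "kaspersky", "mcafee", "norton", "symantec",
            "avast", "eset", "bitdefender", "sophos", "trend micro")


def triage(log_text, expected_dns=()):
    """Collect the findings a helper checks first in a HijackThis log."""
    av_vendors, missing, dns = defaultdict(list), [], set()
    for line in log_text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            blob = f"{m['name']} {m['vendor']}".lower()
            if any(hint in blob for hint in AV_HINTS):
                av_vendors[m["vendor"]].append(m["name"])
        elif m := NAMESERVER_RE.match(line):
            # keep only resolvers the caller did not expect (home router, ISP, ...)
            dns.update(s for s in m["servers"].split(",") if s not in expected_dns)
        if m := MISSING_RE.search(line):
            missing.append(m["path"])  # registered component whose file is gone
    return {
        "av_vendors": dict(av_vendors),
        "av_conflict": len(av_vendors) > 1,   # two on-access engines fighting each other
        "file_missing": missing,               # dangling registrations, e.g. a half-removed tool
        "unexpected_dns": sorted(dns),         # resolvers not on the allow-list
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, expected_dns=("192.168.100.1",)).items():
        print(f"{key}: {value}")
```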

Thanks a lot for your help.

I will update all these things.

As my Internet connection is slow, updating all these things will take some time.

In the meantime, can you tell me a Good Antivirus(Free) which will provide Internet Security as well ?

Avira Personal Edition(Free) does not provide Internet Security.

Thanks once again for your help. ;)


Avira is a very good antivirus program. I think you are now asking about a firewall. I would point you to Online Armor free http://www.online-armor.com/products-online-armor-free.php

and also to the list on Miekie's site http://users.telenet.be/bluepatchy/miekiem....html#Firewalls

Stay Safe
