
Trojan vundo infection [RESOLVED]


This topic is locked

#1 nikhilchitnis (Member, 18 posts)

Hi,
Recently I found that my system is infected with Vundo. I have McAfee, Avira Antivir Personal and SpyHunter running on my system. Avira keeps on popping up saying that TR/Vundo.Gen has infected the system.
I have not yet run any tools suggested or mentioned in the forum threads as I am new and don't know where and how to start.
Please help and suggest how do I start?


#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Read the Sticky Threads and post the required logs

#3 nikhilchitnis (Topic Starter, Member, 18 posts)

Thanks. Sorry for replying late.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:05 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xoriant.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xoriant.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=50989
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Xoriant Solutions Pvt. Ltd.
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan -minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi.../wuweb_site.cab?1209400205556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = India.XoriantCorp.com
O17 - HKLM\Software\..\Telephony: DomainName = India.XoriantCorp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A7C5A2-0B4B-48B4-A843-C8FC80042343}: NameServer = 10.21.0.2,10.21.0.5,202.138.96.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = India.XoriantCorp.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{17A7C5A2-0B4B-48B4-A843-C8FC80042343}: NameServer = 10.21.0.2,10.21.0.5,202.138.96.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = India.XoriantCorp.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{17A7C5A2-0B4B-48B4-A843-C8FC80042343}: NameServer = 10.21.0.2,10.21.0.5,202.138.96.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8805 bytes



I tried saving the uninstall list. But once I click on Save list... button, nothing happens. HijackThis simply closes.
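A small parser and before/after comparison for the HijackThis log format posted above, added here as an editor's example; it is not code from the original post and not a HijackThis feature. The two log excerpts embedded in it are constructed, modelled on the first log above and on the second log the poster supplies later in the thread, and are trimmed to a few lines each. The comparison shows the kind of change a helper looks for between two logs (an O6 policy entry that disappears, an O2 BHO that appears), and `review_points` pulls out the DNS servers, BHO paths and service paths that get checked first. Which sections count as "review first" is the editor's own choice, not something the thread states.

```python
"""Parse, compare and summarise HijackThis v2 logs (added example, not from the thread)."""
import re
from collections import defaultdict

# Entry lines look like "O4 - HKLM\..\Run: [name] path args" or "R0 - ...: key = value".
ENTRY_RE = re.compile(r"^([RFNOD]\d{1,2}) - (.+)$")
# A drive-rooted Windows path ending in an executable-style extension. Spaces are
# allowed inside because HijackThis does not always quote paths (see the O23 lines).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys|lnk|ocx|cpl|scr)\b", re.I)

# Constructed excerpts modelled on the two logs in this thread (before and after cleanup).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:05 PM, on 6/3/2008
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xoriant.com
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A7C5A2-0B4B-48B4-A843-C8FC80042343}: NameServer = 10.21.0.2,10.21.0.5,202.138.96.3
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8805 bytes
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21, on 2008-06-04
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\nik.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xoriant.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A7C5A2-0B4B-48B4-A843-C8FC80042343}: NameServer = 10.21.0.2,10.21.0.5,202.138.96.3
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""


def parse_hjt(text):
    """Return (processes, entries): the 'Running processes' list and a dict mapping
    a section id (R0, O4, O23, ...) to the list of entry bodies in that section."""
    processes, entries = [], defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)


def paths_in(entry):
    """All file paths mentioned in one entry body, e.g. the target of an O4 Run key."""
    return PATH_RE.findall(entry)


def diff_hjt(before, after):
    """Entries present in only one of the two logs, keyed by section id."""
    _, a = parse_hjt(before)
    _, b = parse_hjt(after)
    added, removed = {}, {}
    for sec in sorted(set(a) | set(b)):
        sa, sb = set(a.get(sec, [])), set(b.get(sec, []))
        if sb - sa:
            added[sec] = sorted(sb - sa)
        if sa - sb:
            removed[sec] = sorted(sa - sb)
    return added, removed


def review_points(entries):
    """Items a helper checks first: configured DNS servers (O17), BHO and service paths."""
    ns = []
    for e in entries.get("O17", []):
        m = re.search(r"NameServer = ([\d.,]+)", e)
        if m:
            ns.extend(ip for ip in m.group(1).split(",") if ip)
    return {
        "nameservers": sorted(set(ns)),
        "bhos": [p for e in entries.get("O2", []) for p in paths_in(e)],
        "services": [p for e in entries.get("O23", []) for p in paths_in(e)],
    }


if __name__ == "__main__":
    added, removed = diff_hjt(BEFORE_LOG, AFTER_LOG)
    for sec, items in added.items():
        print("\n".join(f"+ {sec} - {it}" for it in items))
    for sec, items in removed.items():
        print("\n".join(f"- {sec} - {it}" for it in items))
    print(review_points(parse_hjt(AFTER_LOG)[1]))
```

Run as a script it prints the O2 entry as added, the O6 entry as removed, and the review summary for the second log. Feeding two real logs in through `open(...).read()` instead of the embedded excerpts is the intended use; the diff is what tells a helper whether a cleanup step actually changed the autostart picture.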

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

Rename HijackThis.exe to nik.exe


Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.





Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 nikhilchitnis (Topic Starter, Member, 18 posts)

Hi Rorschach112,

Following are the logs:

ComboFix log:

ComboFix 08-06-03.1 - chitnis_n 2008-06-04 13:11:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1464 [GMT 5.5:30]
Running from: C:\Documents and Settings\chitnis_n\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BMc325e1b3.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aWOhGaAq.dll
C:\WINDOWS\system32\bnememgn.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cbeohlqj.exe
C:\WINDOWS\system32\cmrwjxcc.dll
C:\WINDOWS\system32\cvvdpxct.dll
C:\WINDOWS\system32\dkoagefp.ini
C:\WINDOWS\system32\fnbfdtun.ini
C:\WINDOWS\system32\fvuewhjq.dll
C:\WINDOWS\system32\gjfdjlfg.exe
C:\WINDOWS\system32\hhjxcgwg.ini
C:\WINDOWS\system32\hnlvossf.dll
C:\WINDOWS\system32\hpaveeft.ini
C:\WINDOWS\system32\kptxlbbx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pjrcvbxl.exe
C:\WINDOWS\system32\pxdebedh.ini
C:\WINDOWS\system32\pydkwhhy.dll
C:\WINDOWS\system32\qAaGhOWa.ini
C:\WINDOWS\system32\qAaGhOWa.ini2
C:\WINDOWS\system32\qnffwyyr.dll
C:\WINDOWS\system32\qsvehnga.dll
C:\WINDOWS\system32\qtugmsnr.dll
C:\WINDOWS\system32\rbghhcus.dll
C:\WINDOWS\system32\sbiayril.ini
C:\WINDOWS\system32\tkerovks.dll
C:\WINDOWS\system32\ujwbyihh.dll
C:\WINDOWS\system32\vftballo.dll
C:\WINDOWS\system32\vpbotgtb.exe
C:\WINDOWS\system32\vrkdmdyn.ini
C:\WINDOWS\system32\wqgjicsc.dll
C:\WINDOWS\system32\xkdsjvdy.ini
C:\WINDOWS\system32\xoppxoin.dll
C:\WINDOWS\system32\xwagcxsb.exe
C:\WINDOWS\system32\xwrnsutb.exe
C:\WINDOWS\system32\ydvjsdkx.dll

----- BITS: Possible infected sites -----

hxxp://wsus
.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-03 19:52 . 2008-06-03 19:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-02 08:40 . 2008-06-02 08:40 295 --ahs---- C:\WINDOWS\system32\mnwahjod.ini
2008-05-31 11:03 . 2008-05-31 11:03 <DIR> d-------- C:\Program Files\Avira
2008-05-31 11:03 . 2008-05-31 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-21 09:30 . 2008-05-21 11:34 1,614 --ahs---- C:\WINDOWS\system32\uiayepya.ini
2008-05-20 12:57 . 2008-05-20 12:57 <DIR> d-------- C:\WINDOWS\Sun
2008-05-20 10:14 . 2008-05-20 10:14 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-20 09:29 . 2008-05-20 21:31 1,494 --ahs---- C:\WINDOWS\system32\fpfcnxak.ini
2008-05-19 11:00 . 2008-06-04 11:48 <DIR> d-------- C:\WINDOWS\hsperfdata_chitnis_n
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2008-05-19 08:25 . 2008-05-20 09:21 1,074 --ahs---- C:\WINDOWS\system32\jyhfvhui.ini
2008-05-16 12:35 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-16 12:07 . 2004-08-04 00:56 96,768 --a------ C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-05-16 12:06 . 2008-05-16 16:40 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-16 12:06 . 2008-05-16 16:40 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-16 12:06 . 2008-05-16 16:39 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-16 12:06 . 2008-05-16 16:39 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-16 11:59 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003422_.tmp
2008-05-16 11:56 . 2007-10-26 09:04 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-16 11:55 . 2007-02-28 14:38 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-05-16 09:30 . 2008-05-16 09:30 68,580 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-15 15:47 . 2008-05-15 15:47 <DIR> d-------- C:\Documents and Settings\chitnis_n\Application Data\MiniDm
2008-05-15 10:37 . 2008-05-15 10:37 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-05-14 19:39 . 2008-05-14 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-14 19:38 . 2008-05-14 19:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-14 19:38 . 2008-05-14 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-14 17:15 . 2008-05-14 17:15 <DIR> d-------- C:\Program Files\IEPro
2008-05-14 17:15 . 2008-05-14 17:16 <DIR> d-------- C:\Documents and Settings\chitnis_n\Application Data\IEPro
2008-05-14 16:51 . 2008-05-14 16:51 <DIR> d-------- C:\Program Files\RealVNC
2008-05-14 15:50 . 2008-05-14 19:40 <DIR> d-------- C:\Program Files\Safari
2008-05-14 15:50 . 2008-05-14 15:50 <DIR> d-------- C:\Documents and Settings\chitnis_n\Application Data\Apple Computer
2008-05-14 15:37 . 2008-05-14 15:37 <DIR> d-------- C:\Program Files\Microsoft
2008-05-14 15:36 . 2008-05-14 15:36 <DIR> d-------- C:\Program Files\IEDocMon
2008-05-13 12:51 . 2008-05-13 12:52 <DIR> d-------- C:\Program Files\Macromedia
2008-05-12 17:23 . 2008-05-12 17:24 <DIR> d-------- C:\Documents and Settings\Administrator.XOR-IND
2008-05-12 10:29 . 2008-06-02 08:31 <DIR> d-------- C:\QUARANTINE
2008-05-09 10:45 . 2008-05-09 10:46 <DIR> d-------- C:\Program Files\FileZilla
2008-05-09 10:28 . 2008-05-09 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-05-09 10:23 . 2008-05-13 12:51 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-05-09 10:23 . 2003-12-04 11:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-05-09 10:23 . 2003-12-04 11:19 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-05-09 10:23 . 2003-12-04 11:19 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 06:19 --------- d-----w C:\Program Files\Eclipse
2008-06-04 06:07 --------- d-----w C:\Program Files\EditPlus 3
2008-06-02 15:28 --------- d-----w C:\Documents and Settings\chitnis_n\Application Data\EditPlus 3
2008-05-13 07:21 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-13 07:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 06:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-02 09:51 --------- d-----w C:\Program Files\Real
2008-05-02 09:51 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-02 09:51 --------- d-----w C:\Program Files\Common Files\Real
2008-05-02 06:03 --------- d-----w C:\Program Files\Paint.NET
2008-04-29 10:18 --------- d-----w C:\Program Files\Java
2008-04-29 10:17 --------- d-----w C:\Documents and Settings\chitnis_n\Application Data\Teleca
2008-04-29 10:10 --------- d-----w C:\Program Files\Sony Ericsson
2008-04-29 10:10 --------- d-----w C:\Program Files\Intuwave
2008-04-29 10:10 --------- d-----w C:\Documents and Settings\chitnis_n\Application Data\Sony Ericsson
2008-04-29 10:09 --------- d-----w C:\Program Files\Symbian
2008-04-29 10:09 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-04-29 10:09 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2008-04-29 10:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2008-04-29 10:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-04-29 09:49 --------- d-----w C:\Documents and Settings\chitnis_n\Application Data\Windows Desktop Search
2008-04-29 09:44 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-29 09:26 --------- d-----w C:\Program Files\MSBuild
2008-04-29 09:26 --------- d-----w C:\Program Files\Microsoft Works
2008-04-29 09:25 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-29 09:23 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-04-29 08:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-29 08:48 --------- d-----w C:\Program Files\PuTTY
2008-04-29 08:46 --------- d-----w C:\Program Files\WordWeb
2008-04-29 08:46 --------- d-----w C:\Program Files\WallpaperToy
2008-04-29 08:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-29 08:29 --------- d-----w C:\Program Files\Yahoo!
2008-04-29 08:27 --------- d-----w C:\Program Files\Common Files\Java
2008-04-29 08:21 --------- d-----w C:\Program Files\Opera
2008-04-29 07:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-29 05:30 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-29 04:31 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-29 04:27 --------- d-----w C:\Program Files\McAfee
2008-04-29 04:27 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2008-04-29 04:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-29 04:26 --------- d-----w C:\Program Files\Common Files\McAfee
2008-04-28 17:27 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-28 17:16 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-28 16:05 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-11-06 19:51 3810544]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 11:54 290816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-08-30 15:06 136512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:05 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:02 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:06 114688]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 13:52 577536 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"PC Suite for Smartphones"="C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-11-08 14:06 528384]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 14:47 847872]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\chitnis_n\Start Menu\Programs\Startup\
Wallpaper Changer.lnk - C:\Program Files\WallpaperToy\Wallpapertoy.Exe [2008-04-29 14:16:39 110592]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2008-04-29 14:16:10 44384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=

R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2007-04-13 09:50]
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2007-04-13 09:50]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2007-04-13 09:50]
S3 zebrmdm;Sony Ericsson Modem Driver;C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2007-04-13 09:50]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2007-04-13 09:50]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2007-04-13 09:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 14:08:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 13:16:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-06-04 13:20:08 - machine was rebooted [chitnis_n]
ComboFix-quarantined-files.txt 2008-06-04 07:50:04

Pre-Run: 29,180,170,240 bytes free
Post-Run: 29,086,957,568 bytes free

231 --- E O F --- 2008-05-15 03:54:28


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21, on 2008-06-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\nik.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xoriant.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=50989
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan -minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1209400205556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = India.XoriantCorp.com
O17 - HKLM\Software\..\Telephony: DomainName = India.XoriantCorp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A7C5A2-0B4B-48B4-A843-C8FC80042343}: NameServer = 10.21.0.2,10.21.0.5,202.138.96.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = India.XoriantCorp.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{17A7C5A2-0B4B-48B4-A843-C8FC80042343}: NameServer = 10.21.0.2,10.21.0.5,202.138.96.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = India.XoriantCorp.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{17A7C5A2-0B4B-48B4-A843-C8FC80042343}: NameServer = 10.21.0.2,10.21.0.5,202.138.96.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8119 bytes


Kaspersky log -

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-06-05 09:25
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/06/2008
Kaspersky Anti-Virus database records: 828742
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 122129
Number of viruses found: 36
Number of infected objects: 81
Number of suspicious objects: 0
Duration of the scan process: 03:43:13

Infected Object Name / Virus Name / Last Action
C:\2fbaf4e2852c50572d7c2fa818d3274c\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_NIKS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_NIKS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\EmailOnDeliveryLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.27.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.27.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010028.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010028.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010028.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy39.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_548.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Apple Computer\Safari\PubSub\Database\Database.sqlite3 Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Microsoft\Templates\NormalEmail.dotm Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\cert8.db Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\history.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\key3.db Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\parent.lock Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\search.sqlite Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificSCOM_log.txt Object is locked skipped
C:\Documents and Settings\chitnis_n\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\chitnis_n\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Apple Computer\Safari\Cache.db Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Apple Computer\Safari\WebpageIcons.db Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Mozilla\Firefox\Profiles\laywqpet.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\History\History.IE5\MSHist012008060420080605\index.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temp\ExchangePerflog_8484fa31291a986ecfcccd43.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temp\hsperfdata_chitnis_n\2580 Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temp\lilo2 Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temp\lilo3 Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temp\NAILogs\UpdaterUI_NIKS.log Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temp\Perflib_Perfdata_ad4.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temp\~DF11A3.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temp\~DF11B5.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\Content.Word\~WRF{5D45CDD2-576B-4A1A-B4E6-75DA6445DDB8}.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\Content.Word\~WRS{200EA300-11C4-483A-8C68-5F3E6EA2D35B}.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\Content.Word\~WRS{566C4BF3-A6C5-48D4-A9A8-470C0FAFA447}.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\Content.Word\~WRS{B5BD47F6-0E28-4086-9726-E5D46B572E3B}.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\Content.Word\~WRS{BFA18E0A-D9F2-4F40-9DA6-12544DB101C7}.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\Content.Word\~WRS{ECE0F45A-9AF9-48AF-BD00-444309B3E7EC}.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\Local Settings\Temporary Internet Files\Content.Word\~WRS{F7697279-0C57-4FCD-8102-239B75C0BD26}.tmp Object is locked skipped
C:\Documents and Settings\chitnis_n\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\chitnis_n\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\chitnis_n\workspace\.metadata\.lock Object is locked skipped
C:\Documents and Settings\chitnis_n\workspace\.metadata\.plugins\com.aptana.rdt\gems\1211175043542\local_listing.txt Object is locked skipped
C:\Documents and Settings\chitnis_n\workspace\.metadata\.plugins\com.aptana.rdt\gems\1211175043542\version.txt Object is locked skipped
C:\Documents and Settings\chitnis_n\workspace\.metadata\.plugins\com.aptana.rdt\sources_list.txt Object is locked skipped
C:\Documents and Settings\chitnis_n\workspace\.metadata\.plugins\org.eclipse.rse.core\.log Object is locked skipped
C:\Documents and Settings\chitnis_n\workspace\.metadata\.plugins\org.eclipse.rse.logging\.log Object is locked skipped
C:\Documents and Settings\chitnis_n\workspace\.metadata\.plugins\org.eclipse.rse.ui\.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Desktop Search\Logs\UNCFATPHLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\db.lck Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\log\log1.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c10.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c121.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c20.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c290.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c2c1.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c2d0.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c2e1.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c300.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c51.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c60.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c71.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\c90.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\ca1.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\cc0.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\cd1.dat Object is locked skipped
C:\Program Files\Eclipse\aptanaDB\seg0\cf0.dat Object is locked skipped
C:\Program Files\Eclipse\configuration\org.eclipse.core.runtime\.manager\.tmp59953.instance Object is locked skipped
C:\Program Files\Eclipse\configuration\org.eclipse.equinox.app\.manager\.tmp59954.instance Object is locked skipped
C:\Program Files\Eclipse\configuration\org.eclipse.osgi\.manager\.tmp59952.instance Object is locked skipped
C:\Program Files\Eclipse\derby.log Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_chitnis_n.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_chitnis_n.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_chitnis_n.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\performance_build_907.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\voice_chitnis_n_0.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\ycp_chitnis_n.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cmrwjxcc.dll.vir Infected: Trojan.Win32.Monder.io skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cvvdpxct.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fvuewhjq.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hnlvossf.dll.vir Infected: Trojan.Win32.Monder.gz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kptxlbbx.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pydkwhhy.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qnffwyyr.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qsvehnga.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qtugmsnr.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rbghhcus.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tkerovks.dll.vir Infected: Trojan.Win32.KillAV.rf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ujwbyihh.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vftballo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.tsr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wqgjicsc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bfj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xoppxoin.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ydvjsdkx.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-06-04_131335.14.zip/aWOhGaAq.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-06-04_131335.14.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP58\A0015066.dll Infected: Trojan.Win32.Monder.fc skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP59\A0016189.dll Infected: Trojan.Win32.Monder.ha skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP61\A0017222.dll Infected: Trojan.Win32.Monder.il skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP61\A0017297.dll Infected: Trojan.Win32.Monder.ix skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP61\A0017298.dll Infected: Trojan.Win32.Monder.iw skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP61\A0017455.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsq skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP61\A0017456.dll Infected: Trojan.Win32.Monder.kg skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP62\A0017601.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsp skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP64\A0017825.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP64\A0017826.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP64\A0017858.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsg skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP64\A0017913.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsf skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP65\A0018091.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsw skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP65\A0018092.dll Infected: Trojan.Win32.Monder.kh skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP66\A0018315.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vln skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP66\A0018316.dll Infected: Trojan.Win32.Monder.la skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP66\A0018894.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vpc skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP66\A0018895.dll Infected: Trojan.Win32.Monder.lb skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP67\A0018999.dll Infected: Trojan.Win32.Monder.lh skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP68\A0020041.dll Infected: Trojan.Win32.Monder.ma skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP68\A0020042.dll Infected: Trojan.Win32.Monder.lo skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP69\A0020191.dll Infected: Trojan.Win32.Monder.mj skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP69\A0020192.dll Infected: Trojan.Win32.Monder.mg skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020537.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020539.dll Infected: Trojan.Win32.Monder.io skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020540.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020541.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020543.dll Infected: Trojan.Win32.Monder.gz skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020544.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020546.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020547.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020548.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020549.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020550.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020551.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020552.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsr skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020554.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bfj skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020555.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\A0020558.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{A97D9B12-9686-4A72-B905-8B3A395BAF5B}\RP72\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\W3SVC1\ex080604.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object
  • 0

#6 nikhilchitnis (Topic Starter, Member, 18 posts)
I think the text is truncated ... I am attaching the log files.

Attached Files


  • 0

#7 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Attach this log if too big



1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\mnwahjod.ini
C:\WINDOWS\system32\uiayepya.ini
C:\WINDOWS\system32\fpfcnxak.ini
C:\WINDOWS\system32\jyhfvhui.ini
D:\Niks\NiksArea\Utils\Other Utils\PDF\CutePDFWriter\CuteComp.exe
D:\Niks\NiksArea\Utils\Other Utils\PDF\SacnToPdf\Scan.to.PDF.v3.2.0.6.Incl.Keygen.Lz0.zip

Folder::
D:\Niks\NiksArea\Utils\Other Utils\PDF\SacnToPdf\Scan.to.PDF.v3.2.0.6.Incl.Keygen.Lz0.zip

DirLook::
D:\Niks\NiksArea\Utils\Other Utils

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • 0

#8
nikhilchitnis

nikhilchitnis

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi Rorschach112

I have attached the combofix and MBAM logs.

Attached Files


  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You shouldn't download cracks or else you will get infected


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\003422_.tmp


Folder::
D:\Niks\NiksArea\Utils\Other Utils\O & O Defrag\8.0\Crack

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

  • 0

#10
nikhilchitnis

nikhilchitnis

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi Rorschach112

Attached the combofix log.

Attached Files


  • 0



#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0
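The HOSTS file recommendation above works because the resolver consults that file before DNS, so any hostname pinned to 127.0.0.1 (or 0.0.0.0) never reaches the real server. The following is an added example, not code from the thread or from the MVPS project: a small Python parser that reads a HOSTS file, normalises hostnames, and reports which names would be blocked. The file contents and all hostnames in it are constructed placeholders. It also shows the caveat a practitioner should know: HOSTS entries are exact-match only, so a subdomain of a listed name is not blocked.

```python
"""Added example (not from the forum thread): parse a Windows HOSTS file and
determine which hostnames an MVPS-style blocklist would sink to loopback.

The HOSTS text below is constructed for this demo; the hostnames are
placeholders under the reserved .test TLD, not real sites.
"""
from typing import Dict, List

# Constructed sample HOSTS file. The real MVPS file lists thousands of names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# Constructed blocklist entries (placeholder names)
127.0.0.1  ads.example-tracker.test   # trailing comment is ignored
0.0.0.0    malware-dropper.example.test
127.0.0.1  Banner.Example-Ads.TEST  cdn.example-ads.test
this line is malformed and should be skipped
"""

# Addresses that send traffic nowhere useful: loopback and the null address.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def normalise(hostname: str) -> str:
    """Hostnames are case-insensitive; a trailing dot marks the root zone."""
    return hostname.strip().rstrip(".").lower()


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: ip} for every mapping in HOSTS-file text.

    Comment text after '#' and blank lines are skipped. One line may map
    several hostnames to the same address. Lines without at least an address
    and one name are ignored rather than raising, mirroring the resolver.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        address, names = parts[0], parts[1:]
        # Skip junk such as the constructed malformed line: the first token
        # must at least look like an IPv4/IPv6 literal.
        if not all(ch in "0123456789abcdefABCDEF.:" for ch in address):
            continue
        for name in names:
            mapping[normalise(name)] = address
    return mapping


def is_blocked(hostname: str, mapping: Dict[str, str]) -> bool:
    """True when HOSTS pins the exact name to a sinkhole address.

    'localhost' legitimately maps to 127.0.0.1 and is never treated as
    blocked. No wildcard or suffix matching happens: 'x.ads.example.test'
    is not blocked just because 'ads.example.test' is listed.
    """
    name = normalise(hostname)
    if name == "localhost":
        return False
    return mapping.get(name) in SINKHOLE_ADDRESSES


def blocked_hosts(mapping: Dict[str, str]) -> List[str]:
    """Sorted list of every hostname the file sinks to loopback/null."""
    return sorted(h for h in mapping if is_blocked(h, mapping))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ADS.example-tracker.TEST", "sub.ads.example-tracker.test",
                 "localhost", "www.example.test"):
        print(f"{host:35} blocked={is_blocked(host, table)}")
    print("blocked entries:", blocked_hosts(table))
```

Run it against the real file by replacing `SAMPLE_HOSTS` with the contents of `C:\WINDOWS\system32\drivers\etc\hosts`; the `blocked_hosts` list is a quick way to confirm the MVPS entries were actually installed, and the subdomain check makes the limitation of an exact-match blocklist concrete.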

#12
nikhilchitnis

nikhilchitnis

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi Rorschach112,

Thanks for all your help and kind support.

You see, I work as a web developer and started just fresh. As you have seen the logs, the system which is allotted to me is of someone who has left :) As a precautionary thing, I backed up all the stuff in a directory thinking that these are 'might be' useful things.

Also being a web designer, I need to check the web pages on Internet Explorer version 6 and 7 minimum, Firefox, Safari for Windows and for Mac and sometimes on Opera. Due to this reason, I have almost all browsers installed :)

Anyways, now I have downloaded the tools which you have recommended. I have some questions for you.

Should I uninstall Spyhunter and Antivir?
What do I do with HijackThis (The executable is renamed to nik.exe) installation? Should I keep it or remove it?
What do I do with MBAM? Should I keep it or remove it?

Also please let me know how to close this topic / thread?

Once again thank you very much for your kind support.
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts

Should I uninstall Spyhunter and Antivir?

Remove Spyhunter, keep AntiVir as it is very good

What do I do with HijackThis (The executable is renamed to nik.exe) installation? Should I keep it or remove it?

Remove it

What do I do with MBAM? Should I keep it or remove it?

Keep it, it is very good

Also please let me know how to close this topic / thread?

I do that, just tell me when we are done :)
  • 0

#14
nikhilchitnis

nikhilchitnis

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi Rorschach112

I have removed HijackThis and kept AntiVir.

There are no popups from AntiVir regarding TR/Vundo.GEN :)

Let me run the system for a day or two and I will let you know about closing the topic.
  • 0

#15
nikhilchitnis

nikhilchitnis

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi Rorschach112

The moment I enabled AntiVir, it popped up a message about EXP/Office.Dropper/Gen. I have attached the print screen and HJT log. Please let me know what to do now. As you have suggested, I have uninstalled ComboFix, and as of now I have disabled AntiVir as it keeps popping up the same message.

Attached Thumbnails

  • AntiVir_Msg001.JPG

Attached Files


  • 0
