explorer,iexplorer,notepad infected

#1 maani (New Member, 6 posts)

I will post in short to save your time. It started like this:
1: When I double-clicked any drive in My Computer, it opened in a new window, although I had configured my computer to open new processes in the same window.
2: TOAD for Oracle would give an access violation message every now and then.
3: Notepad crashed. Whatever I open, an access violation occurs.
4: I followed the instructions mentioned in the Geeks to Go forum and executed ATF-Cleaner, Malwarebytes' Anti-Malware, the online Panda scan and HijackThis.
5: I would like to mention that the Malwarebytes and HijackThis setups executed only once I renamed them; otherwise, they did not execute.
I'm pasting the logs below. The files are attached as well (maybe they are more readable). Waiting for a reply as well.

======================================================================
Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 2

11:24:16 AM 7/17/2008
mbam-log-7-17-2008 (11-24-16).txt

Scan type: Quick Scan
Objects scanned: 75727
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\amvo1.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{88abc5c0-4fcb-11bb-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kamsoft (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amva (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f08a9bfb (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\m88coaim.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\ssa\Local Settings\Temp\tru17D.tmp (Trojan.Vaklik) -> Quarantined and deleted successfully.
C:\Documents and Settings\ssa\Local Settings\Temp\tru3.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckvo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\xmnm2.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\6x8be16.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\amvo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amvo0.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amvo1.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ssa\Local Settings\Temp\tru4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ssa\Local Settings\Temp\tru5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

===================================ActiveScan report==============================
;*******************************************************************************
ANALYSIS: 2008-07-17 13:00:27
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Kaspersky Anti-Virus 6.0 6.0.2.621 No No
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00199231 HackTool/EvID HackTools No 0 No No D:\my docs\articles\MISC\RCD\evid4226patch223d-en.rar[EvID4226Patch.exe]
01048152 Generic Malware Virus/Trojan No 0 Yes No D:\Installer\dev tools\DB Design\Case Studio\ac-casestud.exe
01048152 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP273\A0057713.exe
01048152 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP273\A0057731.exe
01048152 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP273\A0057677.exe
01048152 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\RKSoft\CASEStudio2\Bin\ac-casestud.exe
01170204 W32/Almanahe.C Virus No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057836.exe
01170204 W32/Almanahe.C Virus No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057837.exe
02513660 Adware/VideoAddon Adware No 0 No No D:\my docs\salman\fsd\softwares\setup.exe[²ÜÇ\larm.dll]
02893802 Adware/AntivirusPro Adware No 0 Yes No C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msupd51195.exe
02894247 Trj/Inject.AJ Virus/Trojan No 0 Yes No C:\Documents and Settings\ssa\Local Settings\Temp\tmp402.tmp
02894247 Trj/Inject.AJ Virus/Trojan No 0 Yes No C:\Documents and Settings\ssa\Local Settings\Temp\tmp2.tmp
02910694 W32/Lineage.HZB.worm Virus/Worm No 1 Yes No C:\Documents and Settings\ssa\Local Settings\Temp\5o.dll
02912157 W32/Spamta.gen.worm Virus/Worm No 0 Yes No D:\Installer\multimedia\mp3splitter\mp3splitter.exe
02936411 W32/Lineage.IGF Virus No 0 Yes No D:\oq.cmd
02936411 W32/Lineage.IGF Virus No 0 Yes No F:\oq.cmd
02936411 W32/Lineage.IGF Virus No 0 Yes No C:\oq.cmd
02936411 W32/Lineage.IGF Virus No 0 Yes No E:\oq.cmd
02936420 W32/Lineage.IGF.worm Virus/Worm No 0 Yes No C:\Documents and Settings\ssa\Local Settings\Temp\7bpapp.dll
03072941 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\ssa\Local Settings\Temp\do5.dll
03073196 W32/Lineage.ISV.worm Virus/Worm No 0 Yes No F:\m88coaim.exe
03073196 W32/Lineage.ISV.worm Virus/Worm No 0 Yes No C:\Documents and Settings\ssa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.72114
03073196 W32/Lineage.ISV.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057811.exe
03073196 W32/Lineage.ISV.worm Virus/Worm No 0 Yes No D:\m88coaim.exe
03073196 W32/Lineage.ISV.worm Virus/Worm No 0 Yes No E:\m88coaim.exe
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP244\A0051176.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP241\A0050963.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0051086.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0051033.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0051037.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0051082.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP241\A0050967.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP244\A0051172.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240\A0050919.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\A0051190.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP239\A0050868.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP246\A0051204.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050763.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP247\A0051291.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050162.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0051300.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0050111.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051411.exe
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051414.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\A0050073.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0050113.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240\A0050915.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\6x8be16.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050158.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\A0050075.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050164.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\A0051194.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP239\A0050864.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050765.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP239\A0050870.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240\A0050921.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP241\A0050969.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0051039.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0051088.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051416.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051420.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0051304.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP247\A0051293.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP246\A0051206.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\A0051192.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0051309.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP244\A0051174.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0051084.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0051035.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP247\A0051297.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP241\A0050965.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240\A0050917.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP239\A0050866.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP246\A0051210.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050761.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050160.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0050109.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\A0051196.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0050107.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\A0050071.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051418.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP246\A0051208.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP244\A0051178.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050759.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0051307.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057813.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP247\A0051295.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No D:\6x8be16.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\Documents and Settings\ssa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.45264
03074361 W32/Lineage.ITK Virus No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\A0050069.cmd
03074361 W32/Lineage.ITK Virus No 1 Yes No F:\6x8be16.cmd
03074367 W32/Lineage.ITK.worm Virus/Worm No 0 Yes No C:\Documents and Settings\ssa\Local Settings\Temp\qrwafza.dll
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050766.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\A0050076.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP244\A0051179.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\A0050072.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051419.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0050110.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\A0051197.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050161.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\A0050070.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050762.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0051308.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP239\A0050867.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0050108.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240\A0050918.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP246\A0051211.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP241\A0050966.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP247\A0051296.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0051036.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP247\A0051298.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0051085.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050159.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP244\A0051175.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP246\A0051209.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\A0051193.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050760.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP246\A0051207.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0051310.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP247\A0051294.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\A0051195.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0051305.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051421.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051417.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0051089.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP239\A0050865.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP244\A0051177.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240\A0050916.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0051040.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0051087.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP241\A0050964.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0051038.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP241\A0050970.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP242\A0051034.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP241\A0050968.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP243\A0051083.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240\A0050922.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240\A0050920.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP244\A0051173.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP239\A0050869.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\A0051191.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050764.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP239\A0050871.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP246\A0051205.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050163.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP247\A0051292.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\A0051415.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\A0050074.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0050112.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP248\A0051303.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP238\A0050165.inf
03074376 W32/Lineage.ITK.worm Virus/Worm No 1 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP237\A0050114.inf
03128440 Adware/AccesMembre Adware No 0 Yes No C:\Documents and Settings\ssa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.96201
03128440 Adware/AccesMembre Adware No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057812.exe
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP253\A0051657.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP252\A0051548.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057795.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0051746.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0051471.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP253\A0051651.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP255\A0051758.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0051453.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0053798.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054954.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP263\A0055131.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP262\A0055104.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP252\A0051554.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054950.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0051740.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054937.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054806.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0051477.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0054794.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054941.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0053794.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP255\A0051754.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP255\A0051752.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0051742.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP253\A0051653.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0051459.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP252\A0051550.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0051473.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0053792.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0051455.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0054792.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054804.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP263\A0055135.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054935.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054948.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054976.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP262\A0055108.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP262\A0055102.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP263\A0055129.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0054798.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0051457.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054982.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0051475.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057799.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP252\A0051552.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057793.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP253\A0051655.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054810.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0051744.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054978.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP255\A0051756.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057797.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0053796.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP263\A0055133.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0054796.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP262\A0055106.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054808.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054980.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054939.inf
03162774 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054952.inf
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054951.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054979.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054938.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP262\A0055105.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054807.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP263\A0055132.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0054795.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057796.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0053795.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\xmnm2.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP255\A0051755.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0051743.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP253\A0051654.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP252\A0051551.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0051474.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0051456.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\xmnm2.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057794.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP263\A0055130.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP262\A0055103.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054977.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054949.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054936.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054805.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0053793.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP255\A0051753.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0051741.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP253\A0051652.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP252\A0051549.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0051472.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0051454.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054981.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057752.exe
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP262\A0055107.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP263\A0055128.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP262\A0055101.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054975.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP263\A0055134.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP261\A0054947.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054934.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP260\A0054803.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0054791.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP275\A0057798.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP250\A0051458.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP259\A0053791.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0051476.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP255\A0051751.cmd
03204770 W32/Lineage.IYF.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-
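The Panda report above repeats one signature dozens of times, but almost every hit sits under System Volume Information, i.e. copies that System Restore archived from earlier restore points, while only a handful (the xmnm2.cmd files in the D: and E: drive roots) are files that can actually still run. The small Python triage script below is an added example, not the poster's code and not a Panda tool: it parses lines in the same column layout as the report (id, signature name, type, four flag columns, path), separates restore-point copies from live files, and flags files that sit directly in a drive root. The four flag columns are not explained in the post and are left uninterpreted; the sample lines are constructed for the example, reusing the restore-set GUID that appears in the posted log.

```python
"""Triage an antivirus scan report: separate live detections from
System Restore copies and summarise what is left, per drive.

Added example modelled on the Panda ActiveScan line format posted in
the thread (id, signature, type, four flag columns, path). The meaning
of the flag columns is not documented in the post and is not used here.
"""
import re
from collections import Counter

# Restore-set id as it appears in the posted log (used only to build sample lines).
GUID = "{46DE8921-1D39-44D2-A9E9-64119261F211}"


def _rp(drive, rp, name):
    """Build a System Restore archive path like the ones in the report."""
    return f"{drive}:\\System Volume Information\\_restore{GUID}\\{rp}\\{name}"


# Constructed sample: two live files in drive roots and three archived copies.
SAMPLE_REPORT = "\n".join(
    f"{sig} W32/Lineage.IYF.worm Virus/Worm No 0 Yes No {path}"
    for sig, path in [
        ("03204770", "E:\\xmnm2.cmd"),
        ("03204770", "D:\\xmnm2.cmd"),
        ("03162774", _rp("C", "RP259", "A0053792.inf")),
        ("03204770", _rp("C", "RP275", "A0057752.exe")),
        ("03162774", _rp("F", "RP261", "A0054982.inf")),
    ]
)

# id, name, type, exactly four whitespace-separated flag tokens, then a drive path.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<flags>(?:\S+\s+){4})(?P<path>[A-Za-z]:\\.*)$"
)
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one report line, or None if the line is not a hit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "id": m.group("id"),
        "name": m.group("name"),
        "type": m.group("type"),
        "flags": m.group("flags").split(),
        "path": m.group("path").rstrip(),
    }


def parse_report(text):
    """Parse every hit line of a report; headers and other text are skipped."""
    hits = (parse_line(line) for line in text.splitlines())
    return [h for h in hits if h is not None]


def is_restore_point_copy(path):
    """True for a file that System Restore archived inside a restore point."""
    return RESTORE_RE.search(path) is not None


def is_drive_root_file(path):
    """True for a file sitting directly in a drive root, e.g. D:\\xmnm2.cmd."""
    return path[1:3] == ":\\" and len(path.split("\\")) == 2


def triage(hits):
    """Split hits into live files and restore-point copies, summarised per drive."""
    live = [h for h in hits if not is_restore_point_copy(h["path"])]
    archived = [h for h in hits if is_restore_point_copy(h["path"])]
    return {
        "live_paths": [h["path"] for h in live],
        "root_droppers": [h["path"] for h in live if is_drive_root_file(h["path"])],
        "archived_count": len(archived),
        "archived_per_drive": Counter(h["path"][0].upper() for h in archived),
        "live_per_drive": Counter(h["path"][0].upper() for h in live),
        "signatures": sorted({h["name"] for h in hits}),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print("live files:", summary["live_paths"])
    print("files in a drive root:", summary["root_droppers"])
    print("restore-point copies:", summary["archived_count"],
          dict(summary["archived_per_drive"]))
```

Run against the full report, the script reduces a wall of identical lines to the few paths that matter: the archived copies are inert until a restore point is applied and are cleared when System Restore is flushed, whereas a .cmd file sitting in the root of every partition is the live artefact worth looking at first.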


#2
Mike
    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Please don't use any flash drives or USB drives - you have a worm that could possibly spread through them.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Note: These logs may be too large to post in one reply; if so, please post extra.txt in a separate reply.

Edited by Mike, 17 July 2008 - 07:00 AM.


#3
maani
    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks Mike for your prompt reply.
Thanks for your advice, but my office LAN is full of viruses, and all of our flash drives get infected with a virus which starts creating folder_name.exe, plus tampering with the context menu and showing some Chinese or something there, removing folder options, etc. I hope you will advise some remedy for this as well.
Here I am posting the logs.
********************************************************** MAIN.LOG ************************************
Deckard's System Scanner v20071014.68
Run by ssa on 2008-07-18 08:29:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
41: 2008-07-18 03:30:03 UTC - RP276 - Deckard's System Scanner Restore Point
40: 2008-07-17 04:40:54 UTC - RP275 - Installed SUPERAntiSpyware Free Edition
39: 2008-07-17 04:06:37 UTC - RP274 - before removing removing malware
38: 2008-07-16 09:17:06 UTC - RP273 - System Checkpoint
37: 2008-07-15 09:01:53 UTC - RP272 - Removed DVD Panther


-- First Restore Point --
1: 2008-07-14 08:49:03 UTC - RP236 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as ssa.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:33 AM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
E:\ora92\bin\omtsreco.exe
E:\ora92\bin\agntsrvc.exe
E:\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
E:\ora92\BIN\TNSLSNR.exe
E:\ora92\bin\dbsnmp.exe
e:\ora92\bin\ORACLE.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\ora92\Apache\Apache\apache.exe
E:\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
E:\ora92\jdk\bin\java.exe
E:\ora92\jdk\bin\java.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Documents and Settings\ssa\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ssa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ffc.net.pk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell....s...;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell....s...;l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:80
O1 - Hosts: 132.147.160.2 smtp.ffcsona.net.pk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop-3D Notes] "C:\Program Files\Desktop-3D Notes\Desktop-3D Notes.exe"
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: msupd51195.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://oas/forms/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ffclhr.com.pk
O17 - HKLM\Software\..\Telephony: DomainName = ffclhr.com.pk
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A613EC0-D2A3-4587-B6F1-03A4E54E7C92}: NameServer = 132.147.160.1,132.147.160.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ffclhr.com.pk
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - E:\ora92\bin\omtsreco.exe
O23 - Service: OracleOra92Agent - Oracle Corporation - E:\ora92\bin\agntsrvc.exe
O23 - Service: OracleOra92ClientCache - Unknown owner - E:\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOra92HTTPServer - Unknown owner - E:\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOra92PagingServer - Unknown owner - E:\ora92/bin/pagntsrv.exe
O23 - Service: OracleOra92SNMPPeerEncapsulator - Unknown owner - E:\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOra92SNMPPeerMasterAgent - Unknown owner - E:\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOra92TNSListener - Unknown owner - E:\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOradevClientCache80 - Unknown owner - E:\oradev\BIN\ONRSD80.EXE
O23 - Service: OracleServicemaani - Unknown owner - e:\maani\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceWCS - Oracle Corporation - e:\ora92\bin\ORACLE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 10118 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>

S3 GearAspiWDM - c:\windows\system32\drivers\gearaspiwdm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Iap - "c:\program files\dell\openmanage\client\iap.exe" <Not Verified; Dell Inc; OpenManage Client Instrumentation>
R2 OracleMTSRecoveryService - e:\ora92\bin\omtsreco.exe "oraclemtsrecoveryservice" <Not Verified; Oracle Corporation; Oracle MTS Recovery Service>
R2 OracleOra92Agent - e:\ora92\bin\agntsrvc.exe <Not Verified; Oracle Corporation; >
R2 OracleOra92HTTPServer - "e:\ora92\apache\apache\apache.exe" --ntservice
R2 OracleOra92TNSListener - e:\ora92\bin\tnslsnr (file missing)
R2 OracleServiceWCS - e:\ora92\bin\oracle.exe wcs <Not Verified; Oracle Corporation; >

S3 OracleOra92ClientCache - e:\ora92\bin\onrsd.exe
S3 OracleOra92PagingServer - e:\ora92/bin/pagntsrv.exe
S3 OracleOra92SNMPPeerEncapsulator - e:\ora92\bin\encsvc.exe
S3 OracleOra92SNMPPeerMasterAgent - e:\ora92\bin\agntsvc.exe
S3 OracleOradevClientCache80 - e:\oradev\bin\onrsd80.exe
S3 OracleServicemaani - e:\maani\bin\oracle.exe maani (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-18 and 2008-07-18 -----------------------------

2008-07-17 13:10:04 0 d-------- C:\Program Files\Trend Micro
2008-07-17 11:22:11 77312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-17 11:22:00 115233 -r-hs---- C:\p83gjy.exe
2008-07-17 11:21:34 77312 -----n--- C:\WINDOWS\system32\ckvo0.dll
2008-07-17 11:12:57 0 d-------- C:\Documents and Settings\ssa\Application Data\Malwarebytes
2008-07-17 10:58:28 0 d-------- C:\Program Files\Panda Security
2008-07-17 10:51:44 117419 -r-hs---- C:\81d9.exe
2008-07-17 10:33:00 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-17 10:33:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-17 09:41:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-17 09:40:54 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-17 09:40:54 0 d-------- C:\Documents and Settings\ssa\Application Data\SUPERAntiSpyware.com
2008-07-17 09:28:21 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 09:28:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 09:59:37 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 09:59:28 0 d-------- C:\Program Files\SpywareBlaster
2008-07-16 09:58:18 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2008-07-16 09:58:18 0 d-------- C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
2008-07-16 09:58:07 0 d-------- C:\Program Files\SiteAdvisor
2008-07-16 09:57:42 0 d-------- C:\Documents and Settings\ssa\Application Data\SiteAdvisor
2008-07-16 09:57:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-16 09:57:42 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-15 18:53:52 0 d-------- C:\Program Files\Audacity
2008-07-15 18:52:01 0 d-------- C:\Program Files\Mp3 My Mp3 2.0
2008-07-15 11:10:44 0 d-------- C:\Program Files\Common Files\Quest Shared
2008-07-14 17:36:58 0 d-------- C:\My Recordings
2008-07-14 16:26:51 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-14 16:26:51 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-14 16:26:19 11808 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-14 16:26:19 12461600 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-14 15:31:39 0 d-------- C:\Program Files\DTM Data Modeler
2008-07-14 14:43:56 0 d-------- C:\Documents and Settings\ssa\Application Data\DBDesigner4
2008-07-14 14:43:43 0 d-------- C:\Program Files\Common Files\fabFORCE
2008-07-14 14:43:41 0 d-------- C:\Program Files\fabFORCE
2008-07-14 13:55:47 0 d-------- C:\Documents and Settings\ssa\Application Data\happyfish3
2008-07-14 13:48:53 143486 --ahs---- C:\WINDOWS\system32\XGPAIkkj.ini2
2008-07-09 19:07:42 0 d-------- C:\Program Files\Microsoft Firewall Client
2008-07-09 10:17:43 0 d-------- C:\Program Files\Powersoft
2008-07-08 16:33:31 0 d-------- C:\Program Files\RKSoft
2008-07-02 16:03:15 0 d-------- C:\Program Files\Any FLV Player
2008-07-02 13:37:55 0 d-------- C:\Program Files\Common Files\Macromedia
2008-07-02 13:37:52 0 d-------- C:\Program Files\Macromedia
2008-07-02 10:07:32 0 d-------- C:\Documents and Settings\ssa\Application Data\SorensonMedia
2008-07-02 10:06:04 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2008-07-02 10:06:04 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-07-02 10:06:03 0 d-------- C:\Program Files\ffdshow
2008-07-02 10:03:30 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-02 09:43:50 97280 --a------ C:\WINDOWS\system32\xl_x263dec.dll <Not Verified; Xirlink, Inc.; Visionlink>
2008-07-01 23:29:18 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-07-01 23:29:18 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-07-01 22:30:13 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-07-01 22:30:13 408576 --a------ C:\WINDOWS\system32\Smab.dll
2008-07-01 22:30:13 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-07-01 22:30:13 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-07-01 22:30:13 66560 --a------ C:\WINDOWS\MOTA113.exe
2008-07-01 22:30:13 217073 --a------ C:\WINDOWS\meta4.exe
2008-07-01 22:30:12 0 d-------- C:\Program Files\AviSynth 2.5
2008-07-01 22:29:53 0 d-------- C:\Program Files\eRightSoft
2008-07-01 21:51:56 0 d-------- C:\Program Files\OJOsoft
2008-07-01 21:40:25 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-07-01 21:40:23 0 d-------- C:\Program Files\Riva
2008-07-01 21:20:52 0 d-------- C:\Documents and Settings\ssa\Application Data\SWiSHvideo
2008-07-01 21:17:43 90112 -----n--- C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-07-01 21:17:27 0 d-------- C:\Program Files\SWiSHvideo2
2008-07-01 21:14:45 268048 --a------ C:\WINDOWS\system32\dxtmeta2.dll <Not Verified; MetaCreations Corporation; DirectTransform>
2008-07-01 21:10:38 8 --a------ C:\WINDOWS\system32\so0910.bin
2008-07-01 21:09:10 8 --a------ C:\WINDOWS\system32\sofud0910.bin
2008-07-01 21:05:03 0 d-------- C:\Program Files\Ultra Video To Flash Converter
2008-07-01 21:00:29 34 --ah----- C:\WINDOWS\system32\VideoConverter_sysquict.dat
2008-07-01 21:00:26 0 d-------- C:\Program Files\GoodOk Flash Video FLV Converter
2008-06-20 08:40:25 0 d-------- C:\Program Files\Microsoft Visual SourceSafe
2008-06-18 11:21:19 0 d-------- C:\Program Files\Multiple File Search and Replace
2008-06-18 11:15:17 0 d-------- C:\Tools
2008-06-18 10:35:14 0 d-------- C:\Program Files\Advanced Find and Replace 3


-- Find3M Report ---------------------------------------------------------------

2008-07-17 11:29:06 0 d-------- C:\Documents and Settings\ssa\Application Data\OpenOffice.org2
2008-07-17 09:40:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 14:01:55 0 d-------- C:\Program Files\3MB Tech
2008-07-15 14:01:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-15 13:57:23 0 d-------- C:\Program Files\ATnotes
2008-07-15 13:56:32 0 d-------- C:\Program Files\DivX
2008-07-15 13:49:36 0 d-------- C:\Program Files\Microsoft.NET
2008-07-15 13:48:42 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-15 13:43:44 0 d-------- C:\Program Files\Oracle
2008-07-15 11:11:03 0 d-------- C:\Documents and Settings\ssa\Application Data\Quest Software
2008-07-15 11:10:44 0 d-------- C:\Program Files\Common Files
2008-07-15 11:10:02 0 d-------- C:\Program Files\Quest Software
2008-06-02 12:21:35 47496 --a------ C:\Documents and Settings\ssa\Application Data\GDIPFONTCACHEV1.DAT
2008-06-02 10:04:45 0 d-------- C:\Documents and Settings\ssa\Application Data\Software
2008-06-02 10:04:33 0 d-------- C:\Program Files\MSXML 4.0
2008-04-27 07:38:12 105128 -r-hs---- C:\oq.cmd


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [07/21/2006 01:48 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [07/21/2006 01:50 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [07/21/2006 01:47 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 02:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 02:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 02:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 02:00 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [05/01/2006 05:07 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [12/09/2005 05:29 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 01:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 01:50 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/29/2007 07:46 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/21/2007 09:52 AM]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [02/27/2004 10:29 PM]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [05/20/2004 09:40 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [01/07/2004 01:02 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [04/12/2003 12:18 AM]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [03/09/2007 07:50 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [05/16/2008 09:50 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 AM]
"Desktop-3D Notes"="C:\Program Files\Desktop-3D Notes\Desktop-3D Notes.exe" [04/06/2006 09:46 AM]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\ssa\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [8/17/2007 9:57:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - E:\Acrobat 6.0\Distillr\acrotray.exe [10/24/2003 9:37:56 AM]
Firewall Client Connectivity Monitor.LNK - C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE [7/9/2008 7:07:43 PM]
Microsoft Office.lnk - E:\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
msupd51195.exe [1/23/2008 11:13:13 AM]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [11/26/2007 8:37:53 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkIAPGX

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2399777507-2908586406-3841025292-1285\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2399777507-2908586406-3841025292-1292\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2399777507-2908586406-3841025292-500\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1343024091-839522115-1426\Scripts\Logon\0\0]
"Script"=SetNet.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

*Newly Created Service* - PAVBOOT



-- Hosts -----------------------------------------------------------------------

132.147.160.2 smtp.ffcsona.net.pk


-- End of Deckard's System Scanner: finished at 2008-07-18 08:33:40 ------------


**************************************************EXTRA.LOG*******************************************
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6600 @ 2.40GHz
CPU 1: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 1013.54 MiB / 345.25 MiB
Pagefile Memory (total/avail): 2440.45 MiB / 1354.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.61 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 20 GiB total, 6.68 GiB free.
D: is Fixed (NTFS) - 39.06 GiB total, 24.97 GiB free.
E: is Fixed (NTFS) - 39.06 GiB total, 30.95 GiB free.
F: is Fixed (NTFS) - 50.85 GiB total, 50.37 GiB free.
G: is CDROM (No Media)
P: is Network (NTFS)
R: is Network (NTFS)
T: is Network (NTFS)
U: is Network (NTFS)
V: is Network (NTFS)
W: is Network (NTFS)
X: is Network (NTFS)
Y: is Network (NTFS)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST3160812AS - 149.01 GiB - 5 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 20 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 128.97 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: Kaspersky Anti-Virus v6.0.2.621 () Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\salmanasghar\\Local Settings\\Temp\\OraInstall2007-05-29_03-54-54PM\\jre\\bin\\javaw.exe"="C:\\Documents and Settings\\salmanasghar\\Local Settings\\Temp\\OraInstall2007-05-29_03-54-54PM\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"E:\\ora92\\Apache\\Apache\\Apache.exe"="E:\\ora92\\Apache\\Apache\\Apache.exe:*:Enabled:Apache"
"E:\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"="E:\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE:*:Enabled:Microsoft ® Visual Studio VSA RPC Event Creator"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\OraInstall2007-05-29_12-26-55PM\\jre\\bin\\javaw.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\OraInstall2007-05-29_12-26-55PM\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"E:\\ora92\\Apache\\Apache\\Apache.exe"="E:\\ora92\\Apache\\Apache\\Apache.exe:*:Enabled:Apache"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ssa\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SALMANSHAH
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ssa
JSERV=E:\ora92/Apache/Jserv/conf
LOGONSERVER=\\DC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Oracle\jre\1.1.8\bin;E:\ora92\bin;E:\oradev\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;E:\oradev\jdk\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ssa\LOCALS~1\Temp
TMP=C:\DOCUME~1\ssa\LOCALS~1\Temp
USERDNSDOMAIN=FFCLHR.COM.PK
USERDOMAIN=FFCLHR
USERNAME=ssa
USERPROFILE=C:\Documents and Settings\ssa
VS80COMNTOOLS=E:\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS
WV_GATEWAY_CFG=E:\ora92\Apache\modplsql\cfg\wdbsvr.app


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)
Kashif.FFCLHR (new local, net ready)
aamiranjum (new local, net ready)
zahid.FFCLHR (new local, net ready)
ssa (admin)
administrator.FFCLHR (admin)
Kashif (admin)
itstaff
salmanasghar (admin)
zahid (new local, net ready)
administrator.FFCSONA0 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Able2Extract v3.0 --> C:\Program Files\Investintech.com Inc\Able2Extract 3.0\Uninstal.exe
Absolute Futurity Desktop-3D Notes Ver 3.0.4 --> "C:\Program Files\Desktop-3D Notes\Setup.exe" /Uninstall
Adobe Acrobat 6.0.1 Professional - English, Français, Deutsch --> MsiExec.exe /I{AC76BA86-1033-F400-7760-000000000001}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Advanced Find and Replace v3.0 --> "C:\Program Files\Advanced Find and Replace 3\unins000.exe"
Any FLV Player 2.0.1 --> C:\Program Files\Any FLV Player\uninst.exe
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
CuteFTP 6 Home --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E6B1F8A7-2EF2-47DC-B7D4-BA7E0C885D56}
Dell ETS Factory Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}\setup.exe" -l0x9
ezConverter for Video 1.1 --> "e:\ezConverter for video\unins000.exe"
ffdshow [rev 1763] [2007-01-08] --> "C:\Program Files\ffdshow\unins000.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hadith Viewer --> "C:\Program Files\DivineIslam\Hadith Viewer\unins000.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp LaserJet 1160/1320 series --> MsiExec.exe /x {7F04B272-E0DD-47E7-8B55-D97483DB0EBD}
hp officejet 6100 series --> rundll32 hpzcon07.dll,VendorJettison hp officejet 6100 series
HP Software Update --> MsiExec.exe /X{90B5E602-1867-449D-86FD-FC9DEA4434BF}
Indeo® Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"e:\Indeo\Indeo System Files\indounin.dll"
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
Knowledge Xpert for PLSQL V8.6 --> C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\UNWISE.EXE C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\INSTALL.LOG
Lame ACM MP3 Codec --> C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_LameMP3 132 C:\WINDOWS\INF\LameACM.inf
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SiteAdvisor --> C:\Program Files\SiteAdvisor\6261\uninstall.exe
Microsoft Device Emulator version 1.0 - ENU --> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Firewall Client --> MsiExec.exe /I{8C7A59A8-9ABE-459A-9A93-08C281A4A264}
Microsoft MSDN 2005 Express Edition - ENU --> E:\Microsoft Visual Studio 8\Microsoft MSDN 2005 Express Edition - ENU\install.exe
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server 2000 Sample Database Scripts --> MsiExec.exe /I{ABB6AC00-F1D8-4EBF-8128-830D090B76C0}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools --> MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server Native Client --> MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C# 2005 Express Edition - ENU --> E:\Microsoft Visual Studio 8\Microsoft Visual C# 2005 Express Edition - ENU\setup.exe
Microsoft Visual C# 2005 Express Edition - ENU --> MsiExec.exe /X{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}
Microsoft Visual SourceSafe 2005 - ENU --> "C:\Program Files\Microsoft Visual SourceSafe\Microsoft Visual SourceSafe 2005 - ENU\setup.exe"
Microsoft Visual Studio 2005 Professional Edition - ENU --> E:\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft Visual Studio 6.0 Enterprise Edition --> "E:\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft VM for Java --> RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSDN Library for Visual Studio 2005 --> msiexec /i {23959E96-A80F-4172-A655-210E9BB7BFBE}
MSDN Library for Visual Studio 2005 --> MsiExec.exe /X{23959E96-A80F-4172-A655-210E9BB7BFBE}
Multiple File Search and Replace --> C:\Program Files\Multiple File Search and Replace\uninstall.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
OMCI --> MsiExec.exe /X{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
Oracle JInitiator 1.3.1.22 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CAFECAFE-0013-0001-0122-ABCDEFABCDEF}\Setup.exe" -l0x9 -uninst
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PowerDVD 5.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Quest Software Toad Data Modeler --> MsiExec.exe /I{142CF082-AD5C-4B6B-A5FB-C2A5A7FC9E87}
Quest Software Toad for Oracle Version 8.6.1 --> C:\PROGRA~1\QUESTS~1\TOADFO~1\UNINST~1.EXE
Quest SQL Tuning for Oracle --> C:\PROGRA~1\QUESTS~1\TOADFO~1\TUNING~1\UNWISE.EXE C:\PROGRA~1\QUESTS~1\TOADFO~1\TUNING~1\INSTALL.LOG
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Qur'an Viewer 2.9 --> "e:\Qur'an Viewer 2\unins000.exe"
RAM --> MsiExec.exe /I{0719CB64-4032-4E37-929F-FA1D00070147}
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Search and Replace --> C:\Tools\SR\UNWISE.EXE C:\Tools\SR\INSTALL.LOG
SnagIt 6 --> e:\SnagIt 6\SIUNINST.EXE
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Urdu Phonetic Keyboard Layout --> MsiExec.exe /I{3CEFBABE-61CC-4612-AE76-CB70C34B7D45}
VNC Free Edition 4.1.1 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> e:\WinRAR\uninstall.exe
WordWeb --> C:\Program Files\WordWeb\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9725 / Error
Event Submitted/Written: 07/17/2008 11:27:29 AM
Event ID/Source: 3299 / Apache Service
Event Description:
The Apache service named E:\ora92\Apache\Apache\apache.exe reported the following error:
>>> [Thu Jul 17 11:27:29 2008] [warn] _default_ VirtualHost overlap on port 3339, the first has precedence <<<
before the error.log file could be opened.
More information may be available in the error.log file. .

Event Record #/Type9720 / Error
Event Submitted/Written: 07/17/2008 10:34:34 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a). The specified server cannot perform the requested operation.
Enrollment will not be performed.

Event Record #/Type9708 / Error
Event Submitted/Written: 07/17/2008 10:33:08 AM
Event ID/Source: 3299 / Apache Service
Event Description:
The Apache service named E:\ora92\Apache\Apache\apache.exe reported the following error:
>>> [Thu Jul 17 10:33:08 2008] [warn] _default_ VirtualHost overlap on port 3339, the first has precedence <<<
before the error.log file could be opened.
More information may be available in the error.log file. .

Event Record #/Type9703 / Error
Event Submitted/Written: 07/17/2008 09:49:23 AM / 07/17/2008 09:49:24 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a). The specified server cannot perform the requested operation.
Enrollment will not be performed.

Event Record #/Type9697 / Error
Event Submitted/Written: 07/17/2008 08:18:05 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a). The specified server cannot perform the requested operation.
Enrollment will not be performed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22137 / Warning
Event Submitted/Written: 07/17/2008 02:31:12 PM
Event ID/Source: 36 / W3SVC
Event Description:
The server failed to load application '/LM/W3SVC'. The error was 'The specified metadata was not found.
'.

For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft...entredirect.asp.

Event Record #/Type22135 / Warning
Event Submitted/Written: 07/17/2008 00:14:51 PM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type22134 / Warning
Event Submitted/Written: 07/17/2008 00:14:51 PM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type22108 / Warning
Event Submitted/Written: 07/17/2008 11:13:30 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type22107 / Warning
Event Submitted/Written: 07/17/2008 11:13:26 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.



-- End of Deckard's System Scanner: finished at 2008-07-18 08:33:40 ------------

=============================================THE END ================================
Thanks again for your concern.
  • 0

#4
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Is this your personal office? Do you have an IT department in your office?

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double-click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**
  • 0

#5
maani

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,
I have downloaded Combo-Fix.exe as well as the WinXP Recovery Console executable, but I'm a bit confused. How should I install the Recovery Console: through Combo-Fix, or by double-clicking the setup downloaded from Microsoft's site?
I'm withholding until your further reply. Hope you won't mind my confusion.
Thanks.
  • 0

#6
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
No worries,

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to Combo-Fix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto Combo-Fix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

Then click YES when it asks you to continue with scanning your computer, allow combofix to run and post the log here.

Edited by Mike, 21 July 2008 - 05:29 AM.

  • 0

#7
maani

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,
Thanks again for your quick response. I must appreciate your patience.
I think I have made a mistake by following your instructions with Kaspersky protection enabled. However, I don't know what my posts will say. Here I'm posting the log (during Combo-Fix execution, a message saying "memory access violation" appeared twice; just for your info).

=========================================log.txt===============================================
ComboFix 08-07-20.6 - ssa 2008-07-22 9:26:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.380.1033.18.326 [GMT 5:00]
Running from: C:\Documents and Settings\ssa\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\ssa\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\ajrcmbuq.ini
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\cnjdjqlt.ini
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\oelimesw.ini
C:\WINDOWS\system32\ujevdyun.ini
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\XGPAIkkj.ini
C:\WINDOWS\system32\XGPAIkkj.ini2
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-18 09:22 . 2008-07-18 09:22 120,251 -r-hs---- C:\ivcvknr.bat
2008-07-18 08:53 . 2008-07-18 08:53 117,399 -r-hs---- C:\f0.cmd
2008-07-18 08:29 . 2008-07-18 08:29 <DIR> d-------- C:\Deckard
2008-07-17 13:10 . 2008-07-17 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 11:22 . 2008-07-17 11:22 115,233 -r-hs---- C:\p83gjy.exe
2008-07-17 11:22 . 2008-07-18 09:22 77,312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-17 11:12 . 2008-07-17 11:12 <DIR> d-------- C:\Documents and Settings\ssa\Application Data\Malwarebytes
2008-07-17 11:12 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-17 11:12 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-17 10:58 . 2008-07-17 10:58 <DIR> d-------- C:\Program Files\Panda Security
2008-07-17 10:58 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-17 10:51 . 2008-07-17 10:51 117,419 -r-hs---- C:\81d9.exe
2008-07-17 10:33 . 2008-07-17 10:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-17 09:41 . 2008-07-17 09:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-17 09:40 . 2008-07-17 09:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-17 09:40 . 2008-07-17 09:40 <DIR> d-------- C:\Documents and Settings\ssa\Application Data\SUPERAntiSpyware.com
2008-07-17 09:28 . 2008-07-17 11:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 09:28 . 2008-07-17 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 10:12 . 2001-08-17 13:28 794,399 --a------ C:\WINDOWS\system32\dllcache\usr1806v.sys
2008-07-16 10:11 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-16 10:10 . 2001-08-17 14:01 241,664 --a------ C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-07-16 10:09 . 2004-08-04 02:00 358,400 --a------ C:\WINDOWS\system32\dllcache\snmpincl.dll
2008-07-16 10:08 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-07-16 10:07 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-07-16 10:06 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-07-16 10:05 . 2004-08-04 00:56 259,328 --a------ C:\WINDOWS\system32\dllcache\perm3dd.dll
2008-07-16 10:04 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-07-16 10:03 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-07-16 10:02 . 2001-08-17 13:28 802,683 --a------ C:\WINDOWS\system32\dllcache\ltsm.sys
2008-07-16 10:01 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\dllcache\irftp.exe
2008-07-16 10:00 . 2004-08-03 22:41 1,041,536 --a------ C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-07-16 09:59 . 2008-07-17 09:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-16 09:59 . 2008-07-21 16:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 09:59 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-07-16 09:58 . 2008-07-16 09:58 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-16 09:58 . 2008-07-16 09:58 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
2008-07-16 09:58 . 2001-08-17 12:17 629,952 --a------ C:\WINDOWS\system32\dllcache\eqn.sys
2008-07-16 09:57 . 2008-07-17 10:36 <DIR> d-------- C:\Documents and Settings\ssa\Application Data\SiteAdvisor
2008-07-16 09:57 . 2008-07-22 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-16 09:57 . 2008-07-16 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-16 09:57 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-07-16 09:56 . 2001-08-17 12:13 980,034 --a------ C:\WINDOWS\system32\dllcache\cicap.sys
2008-07-16 09:55 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-07-16 09:54 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-07-15 18:53 . 2008-07-15 18:53 <DIR> d-------- C:\Program Files\Audacity
2008-07-15 18:52 . 2008-07-15 18:52 <DIR> d-------- C:\Program Files\Mp3 My Mp3 2.0
2008-07-15 11:25 . 2004-08-04 02:00 1,032,192 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2008-07-15 11:25 . 2004-08-04 02:00 1,032,192 --a------ C:\WINDOWS\explorer.exe
2008-07-14 16:26 . 2008-07-22 09:30 12,837,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-14 16:26 . 2008-07-22 09:29 182,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-14 16:26 . 2008-07-14 16:26 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-14 16:26 . 2008-07-14 16:26 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-14 16:26 . 2008-07-22 09:32 13,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-14 16:26 . 2008-07-22 09:29 6,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-14 15:31 . 2008-07-14 15:42 <DIR> d-------- C:\Program Files\DTM Data Modeler
2008-07-14 14:43 . 2008-07-14 14:43 <DIR> d-------- C:\Program Files\fabFORCE
2008-07-14 14:43 . 2008-07-14 14:43 <DIR> d-------- C:\Program Files\Common Files\fabFORCE
2008-07-14 14:43 . 2008-07-14 15:31 <DIR> d-------- C:\Documents and Settings\ssa\Application Data\DBDesigner4
2008-07-14 13:55 . 2008-07-14 13:55 <DIR> d-------- C:\Documents and Settings\ssa\Application Data\happyfish3
2008-07-14 13:43 . 2004-08-04 02:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-09 19:07 . 2008-07-09 19:07 <DIR> d-------- C:\Program Files\Microsoft Firewall Client
2008-07-09 10:17 . 2008-07-09 10:17 <DIR> d-------- C:\Program Files\Powersoft
2008-07-09 10:17 . 2008-07-15 13:52 31 --a------ C:\WINDOWS\PD6.ini
2008-07-08 16:33 . 2008-07-08 16:33 <DIR> d-------- C:\Program Files\RKSoft
2008-07-02 16:03 . 2008-07-02 16:03 <DIR> d-------- C:\Program Files\Any FLV Player
2008-07-02 13:37 . 2008-07-15 13:46 <DIR> d-------- C:\Program Files\Macromedia
2008-07-02 13:37 . 2008-07-15 13:45 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-07-02 10:07 . 2008-07-02 10:07 <DIR> d-------- C:\Documents and Settings\ssa\Application Data\SorensonMedia
2008-07-02 10:06 . 2008-07-02 10:06 <DIR> d-------- C:\Program Files\ffdshow
2008-07-02 10:06 . 2007-04-24 16:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-07-02 10:06 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-07-02 10:06 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-07-02 10:03 . 2008-07-02 10:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-02 09:54 . 2007-08-08 13:30 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-02 09:43 . 2008-07-02 09:43 97,280 --a------ C:\WINDOWS\system32\xl_x263dec.dll
2008-07-02 09:10 . 2008-04-23 11:15 107,880 --a------ C:\WINDOWS\system32\DSKernel2.dll
2008-07-01 23:29 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-07-01 23:29 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-07-01 22:30 . 2008-07-01 22:30 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-01 22:30 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-07-01 22:30 . 2008-02-07 16:15 408,576 --a------ C:\WINDOWS\system32\Smab.dll
2008-07-01 22:30 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-07-01 22:30 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-07-01 22:30 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-07-01 22:30 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-07-01 22:30 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-07-01 22:30 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-07-01 22:29 . 2008-07-01 22:29 <DIR> d-------- C:\Program Files\eRightSoft
2008-07-01 22:29 . 2005-02-13 03:00 186,880 -r-hs---- C:\WINDOWS\system32\RLOgg.ax
2008-07-01 22:29 . 2005-01-18 03:26 179,200 -r-hs---- C:\WINDOWS\system32\DiracSplitter.ax
2008-07-01 22:29 . 2005-02-06 03:00 92,672 -r-hs---- C:\WINDOWS\system32\RLVorbisDec.ax
2008-07-01 22:29 . 2005-02-22 20:55 81,920 -r-hs---- C:\WINDOWS\system32\aac_parser.ax
2008-07-01 22:29 . 2005-02-13 03:00 67,584 -r-hs---- C:\WINDOWS\system32\RLTheoraDec.ax
2008-07-01 22:29 . 2005-02-13 03:00 51,712 -r-hs---- C:\WINDOWS\system32\RLSpeexDec.ax
2008-07-01 21:51 . 2008-07-01 21:51 <DIR> d-------- C:\Program Files\OJOsoft
2008-07-01 21:40 . 2008-07-01 21:40 <DIR> d-------- C:\Program Files\Riva
2008-07-01 21:40 . 2008-07-01 21:40 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-07-01 21:20 . 2008-07-01 21:26 <DIR> d-------- C:\Documents and Settings\ssa\Application Data\SWiSHvideo
2008-07-01 21:17 . 2008-07-01 21:27 <DIR> d-------- C:\Program Files\SWiSHvideo2
2008-07-01 21:17 . 2004-03-29 16:23 90,112 --------- C:\WINDOWS\unvise32.exe
2008-07-01 21:14 . 2000-08-20 01:29 268,048 --a------ C:\WINDOWS\system32\dxtmeta2.dll
2008-07-01 21:10 . 2008-07-01 21:10 8 --a------ C:\WINDOWS\system32\so0910.bin
2008-07-01 21:09 . 2008-07-01 21:09 8 --a------ C:\WINDOWS\system32\sofud0910.bin
2008-07-01 21:05 . 2008-07-01 21:26 <DIR> d-------- C:\Program Files\Ultra Video To Flash Converter
2008-07-01 21:00 . 2008-07-01 21:04 <DIR> d-------- C:\Program Files\GoodOk Flash Video FLV Converter
2008-07-01 21:00 . 2008-07-01 21:00 34 --ah----- C:\WINDOWS\system32\VideoConverter_sysquict.dat
2008-06-27 12:19 . 2008-06-27 12:19 529 --a------ C:\pas_tb_forms_000_data.sql
2008-06-23 17:53 . 2008-07-18 09:56 4,168 --a------ C:\INFCACHE.1
2008-06-23 17:53 . 2008-07-18 09:56 2,584 --a------ C:\autorun.PNF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 04:32 --------- d-----w C:\Documents and Settings\ssa\Application Data\OpenOffice.org2
2008-07-22 04:23 --------- d-----w C:\Program Files\Quest Software
2008-07-17 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-17 04:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 09:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-15 09:01 --------- d-----w C:\Program Files\3MB Tech
2008-07-15 08:57 --------- d-----w C:\Program Files\ATnotes
2008-07-15 08:56 --------- d-----w C:\Program Files\DivX
2008-07-15 08:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-15 08:49 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-15 08:48 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-15 08:43 --------- d-----w C:\Program Files\Oracle
2008-07-15 06:11 --------- d-----w C:\Documents and Settings\ssa\Application Data\Quest Software
2008-06-20 03:40 --------- d-----w C:\Program Files\Microsoft Visual SourceSafe
2008-06-18 06:46 --------- d-----w C:\Program Files\Advanced Find and Replace 3
2008-06-18 06:21 --------- d-----w C:\Program Files\Multiple File Search and Replace
2008-06-05 04:30 14,434,827 ----a-w C:\pas_2007_initial.zip
2008-06-02 07:21 47,496 ----a-w C:\Documents and Settings\ssa\Application Data\GDIPFONTCACHEV1.DAT
2008-06-02 05:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Quest Software
2008-06-02 05:04 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-02 05:04 --------- d-----w C:\Documents and Settings\ssa\Application Data\Software
2008-04-27 02:38 105,128 --sh--r C:\oq.cmd
2007-08-29 05:45 28,680 ----a-w C:\Documents and Settings\salmanasghar\Application Data\GDIPFONTCACHEV1.DAT
2007-06-11 04:11 56 --sha-r C:\WINDOWS\system32\88EA1460F2.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"Desktop-3D Notes"="C:\Program Files\Desktop-3D Notes\Desktop-3D Notes.exe" [2006-04-06 09:46 1081344]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 13:48 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 13:50 86016]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 13:47 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 02:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 02:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 02:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 02:00 455168]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 05:07 843776]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 13:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 13:50 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-29 19:46 151597]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-21 09:52 286720]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 22:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 21:40 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 13:02 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-04-12 00:18 188416]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2008-05-16 21:50 36640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\salmanasghar\Start Menu\Programs\Startup\
WordWeb.lnk - E:\WordWeb\wweb32.exe [2007-05-29 20:07:36 18944]

C:\Documents and Settings\ssa\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - E:\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 09:37:56 217194]
Firewall Client Connectivity Monitor.LNK - C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE [2008-07-09 19:07:43 52496]
Microsoft Office.lnk - E:\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
msupd51195.exe [2008-01-23 11:13:13 21504]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-11-26 08:37:53 18944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"vidc.yv12"= yv12vfw.dll
"VIDC.D263"= xl_x263dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2399777507-2908586406-3841025292-1285\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2399777507-2908586406-3841025292-1292\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2399777507-2908586406-3841025292-500\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1343024091-839522115-1426\Scripts\Logon\0\0]
"Script"=SetNet.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\ora92\\Apache\\Apache\\Apache.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 OracleOra92Agent;OracleOra92Agent;E:\ora92\bin\agntsrvc.exe [2002-04-26 17:29]
R2 OracleOra92HTTPServer;OracleOra92HTTPServer;E:\ora92\Apache\Apache\apache.exe [2002-04-18 22:02]
R2 OracleOra92TNSListener;OracleOra92TNSListener;E:\ora92\BIN\TNSLSNR []
R2 OracleServiceWCS;OracleServiceWCS;e:\ora92\bin\ORACLE.EXE WCS []
S3 OracleOra92ClientCache;OracleOra92ClientCache;E:\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 OracleOra92PagingServer;OracleOra92PagingServer;E:\ora92/bin/pagntsrv.exe [2006-11-16 17:37]
S3 OracleOra92SNMPPeerEncapsulator;OracleOra92SNMPPeerEncapsulator;E:\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23]
S3 OracleOra92SNMPPeerMasterAgent;OracleOra92SNMPPeerMasterAgent;E:\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23]
S3 OracleOradevClientCache80;OracleOradevClientCache80;E:\oradev\BIN\ONRSD80.EXE [2000-10-28 00:45]
S3 OracleServicemaani;OracleServicemaani;e:\maani\bin\ORACLE.EXE maani []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;E:\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 07:01]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sticky Pad - C:\Program Files\StickyPad\StickyPad.exe
HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe
HKLM-Run-Media Codec Update Service - C:\Program Files\Essentials Codec Pack\update.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.ffc.net.pk/
R0 -: HKLM-Main,Start Page = hxxp://www1.ap.dell.com/content/default.aspx?c=ap&l=en&s=gen
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: Backward &Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Cac&hed Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 -: E&xport to Microsoft Excel - E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 -: Si&milar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O17 -: HKLM\CCS\Interface\{6A613EC0-D2A3-4587-B6F1-03A4E54E7C92}: NameServer = 132.147.160.1,132.147.160.3

O16 -: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://oas/forms/jinitiator/jinit.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 09:31:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra92PagingServer]
"ImagePath"="E:\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra92TNSListener]
"ImagePath"="E:\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\ora92\bin\omtsreco.exe
E:\ora92\bin\dbsnmp.exe
E:\ora92\bin\TNSLSNR.EXE
E:\ora92\bin\oracle.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
E:\ora92\jdk\bin\java.exe
E:\ora92\jdk\bin\java.exe
.
**************************************************************************
.
Completion time: 2008-07-22 9:34:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-22 04:34:48

Pre-Run: 7,190,560,768 bytes free
Post-Run: 7,342,702,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

  • 0

#8
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Once again I need to ask, does your company have an IT department that should be handling this?
I'm asking because they will need to know if one of their computers is compromised.

So please answer this in your next post.


Please click Start, then Run, and in the window that appears type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and paste (Control + V) the content into the Notepad window:
FileLook::
C:\ivcvknr.bat

File::
C:\f0.cmd
C:\p83gjy.exe
C:\WINDOWS\system32\ckvo1.dll
C:\81d9.exe
C:\oq.cmd
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that, please reboot your computer if it asks you to and post ComboFix.txt (the report ComboFix will generate) in your next reply.

Then,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0
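One of the File:: entries above, C:\oq.cmd, appears in the Find3M section of the log earlier in this thread with the `--sh--r` attribute string, i.e. a hidden, system, read-only script sitting in the drive root. As an added example that is not part of this thread or of ComboFix, the following Python parses the two ComboFix file-listing formats shown in that log and flags such entries as candidates for review; the sample lines are copied from the posted log, and the flagging rules are my own assumed heuristics, not ComboFix's.

```python
import re
from typing import List, NamedTuple, Tuple

class Entry(NamedTuple):
    path: str
    attrs: str   # raw attribute string from the log, e.g. "--sh--r"
    size: str    # "<DIR>", "---------" or a comma-grouped byte count

# "New files" section: <created> . <modified> <size|DIR> <attrs> <path>
NEW_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
                    r"(<DIR>|[\d,]+) ([-a-z]{9}) (.+)$")
# Find3M section: <modified> <size|dashes> <attrs> <path>
F3M_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (-{9}|[\d,]+) ([-a-z]{7}) (.+)$")

# Extensions Windows will run or load as code (assumed list for this example).
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".sys")

# Sample lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
2008-07-15 18:53 . 2008-07-15 18:53 <DIR> d-------- C:\Program Files\Audacity
2008-07-14 16:26 . 2008-07-22 09:30 12,837,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-02 09:54 . 2007-08-08 13:30 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-06-27 12:19 . 2008-06-27 12:19 529 --a------ C:\pas_tb_forms_000_data.sql
2008-07-15 09:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 02:38 105,128 --sh--r C:\oq.cmd
2007-06-11 04:11 56 --sha-r C:\WINDOWS\system32\88EA1460F2.sys
"""

def parse(text: str) -> List[Entry]:
    """Return one Entry per line that matches either ComboFix file format."""
    entries = []
    for line in text.splitlines():
        m = NEW_RE.match(line) or F3M_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            entries.append(Entry(path.rstrip(), attrs, size))
    return entries

def is_drive_root(path: str) -> bool:
    """True for a path directly under a drive letter, e.g. C:\\oq.cmd."""
    parent = path.rpartition("\\")[0]
    return re.fullmatch(r"[A-Za-z]:", parent) is not None

def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Flag files matching a suspicious pattern (review candidates, not verdicts):
    hidden+system attributes on code, or code sitting in a drive root, where
    autorun-style droppers tend to land. Heuristics assumed for this example."""
    findings = []
    for e in entries:
        if e.size == "<DIR>" or e.attrs.startswith("d"):
            continue   # directories are never flagged
        executable = e.path.lower().endswith(EXEC_EXT)
        reasons = []
        if executable and "h" in e.attrs and "s" in e.attrs:
            reasons.append("hidden+system executable")
        if executable and is_drive_root(e.path):
            reasons.append("executable in drive root")
        if reasons:
            findings.append((e.path, reasons))
    return findings
```

Running `triage(parse(SAMPLE_LOG))` flags C:\oq.cmd on both rules and the hidden system .sys file on one, while the hidden Kaspersky .dat file and the codec DLL pass; the output is a list to check by hand, not a removal list.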

#9
maani

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi, we do have an IT department, but none of our administrators know this kind of log-analysis capability; they know that the network is full of viruses, so they have a firewall and Kaspersky installed. They are looking for another AV called eScan. If you have any word for them, tell me and I will pass it on.
I followed the steps you mentioned last time, but the CFScript did not run successfully. ComboFix got stuck at stage 31 and didn't move ahead. I had to pull the power off.
Also, I have installed and run MBAM earlier as well.
So now my question is: should I run CFScript again?
Should I run MBAM again?
I don't know whether it will help or not, but here's the last ComboFix log:

================================
ComboFix 08-07-20.6 - ssa 2008-07-22 18:38:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.380.1033.18.304 [GMT 5:00]
Running from: C:\Documents and Settings\ssa\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\ssa\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\81d9.exe
C:\f0.cmd
C:\oq.cmd
C:\p83gjy.exe
C:\WINDOWS\system32\ckvo1.dll
.


Hope to see your reply soon.
  • 0

#10
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

The problem I'm having at the moment is that it is against our Terms of use to help you.

# We offer free computer help and tech support for home and personal use. We are not here to support others that work for profit, or to support/replace your company's IT department.


If they don't have the necessary skills it's unfortunate - but in a corporate environment these issues need to be solved internally.

I hope that I helped you far enough so that they can at least pick up from where we left off as the hardest part is over with.

Sorry and thanks for understanding,

Mike
  • 0

#11
maani

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi,
Thanks Mike for your support so far.
Sorry for requesting help from you. The reason was that I probably did not read the terms and conditions properly.
Regards.
Also, let's consider this post as "closed".

Edited by maani, 24 July 2008 - 06:07 AM.

  • 0

#12
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Thanks for understanding,

I hope your problems will be resolved without too much hassle.

Mike
  • 0





