TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Arpan on December 17, 2008, 03:34:39 PM
-
PC has become slow. Windows explorer close itself down abruptly.
Apart from this mozilla gets opened automatically with google homepage which is not my default webpage.
This are few things i have noticed. It seems to me that i have some kind of virus in my computer.
Any help to make me understand this situation will be appreciated.
I am attaching hijackthis log file herewith.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:36 AM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Softwares\avg75free_524a1293.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX2\avgsetup.exe
D:\Softwares\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs: ipktzv.dll
--
End of file - 4189 bytes
-
There is no need to start a new topic
Here is the last topic you started>>>http://www.thetechguide.com/forum/index.php?showtopic=79144 (http://\"http://www.thetechguide.com/forum/index.php?showtopic=79144\")
I'll lock the other topic and please keep all replies back here in this topic
Are you in the process of installing AVG?
Can you reboot the computer
Afterwards, come back here
Insert your pen drive that's infected to this computer
Download ComboFix from one of these locations:
[color=\"#0000FF\"]Link 1[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 2[/color] (http://\"http://www.forospyware.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 3[/color] (http://\"http://subs.geekstogo.com/ComboFix.exe\")
Save it ONLY to your Desktop
--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus, AntiSpyware and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool[/color]- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply
NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will run again on startup, it will prompt that it's creating a log
This process could take up to 15 minutes, let it run uninterrupted please
-
In future, i will not repeat this mistake.
Thank you for replying my post.
I am now restarting my computer and will install ur saod software but i am not sure which pen drive has infected my computer. so is it fine if i dont have it?
I had installed avg but since it was a older version i removed it.
then i installed avast but even that was of older version. so i removed that also.
-
Do you have the pen drives with you?
-
no, i dont.
Is that pen drive really very imp?
-
Is that pen drive really very imp?
Not at the moment
But if it is infected, any computer it's been inserted too
Could also be infected
For now, can you just carry on with the instructions from ComboFix
-
Hey am back with the combofix log file. here it is.
ComboFix 08-12-16.03 - Owner 2008-12-18 3:21:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.790 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
[color=\"RED\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\abk.bat
C:\autorun.inf
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
C:\h3.bat
C:\p1y2.cmd
c:\windows\system32\cbXOEwXR.dll
c:\windows\system32\evqlhfle.ini
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gmurftjy.dll
c:\windows\system32\h@tkeysh@@k.dll
c:\windows\system32\hgGaxwvt.dll
c:\windows\system32\hgGyvuRk.dll
c:\windows\system32\ipktzv.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\lbjiyx.dll
c:\windows\system32\ljJYOhHx.dll
c:\windows\system32\MnmmlUvw.ini
c:\windows\system32\MnmmlUvw.ini2
c:\windows\system32\pmnmkjiI.dll
c:\windows\system32\rnhrxpoy.ini
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twext.exe
c:\windows\system32\uduymubw.dll
c:\windows\system32\wvUlmmnM.dll
c:\windows\system32\xxyxXRkL.dll
c:\windows\system32\yopxrhnr.dll
D:\abk.bat
D:\Autorun.inf
D:\h3.bat
D:\nq0cq.cmd
D:\p1y2.cmd
D:\resycled
d:\resycled\boot.com
E:\abk.bat
E:\Autorun.inf
E:\h3.bat
E:\nq0cq.cmd
E:\p1y2.cmd
E:\resycled
e:\resycled\boot.com
.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.
2008-12-18 00:13 . 2008-12-18 00:13 <DIR> d-------- c:\program files\Alwil Software
2008-12-18 00:05 . 2008-12-18 00:05 <DIR> d-------- C:\KitTorrent
2008-12-18 00:02 . 2008-12-18 00:18 <DIR> d-------- C:\(Any Video Convertor) (Many Formats..)
2008-12-17 23:13 . 2008-12-17 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-16 23:54 . 2008-12-16 23:54 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2008-12-16 23:01 . 2008-12-17 23:21 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.2
2008-12-16 23:00 . 2008-12-16 23:00 <DIR> d-------- c:\program files\GIMP-2.0
2008-12-16 22:59 . 2008-12-16 22:59 <DIR> d-------- c:\program files\Common Files\GTK
2008-12-16 18:31 . 2008-12-16 18:31 260 --a------ c:\windows\_delis32.ini
2008-12-16 17:33 . 2008-12-16 17:33 <DIR> d-------- c:\program files\Microsoft Office 2003 - Word-Excel-Powerpoint-Outlook
2008-12-16 03:20 . 2008-12-16 03:20 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-16 03:20 . 2008-12-16 03:20 1,409 --a------ c:\windows\QTFont.for
2008-12-16 00:52 . 2008-12-16 00:52 <DIR> d-------- c:\program files\Microsoft Works
2008-12-16 00:51 . 2008-12-16 00:51 <DIR> d-------- c:\program files\MSBuild
2008-12-16 00:50 . 2008-12-16 00:50 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-16 00:44 . 2008-12-16 00:45 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-12-16 00:43 . 2008-12-17 18:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 00:42 . 2008-12-16 00:42 <DIR> dr-h----- C:\MSOCache
2008-12-16 00:24 . 2008-12-16 00:38 <DIR> d-------- c:\program files\MsOffice2007
2008-12-15 23:43 . 2008-12-15 23:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-15 23:19 . 2008-12-15 23:19 26,944 --a------ c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-12-15 09:29 . 2008-12-15 09:29 <DIR> d-------- c:\program files\McAfee Total Protection 2008 (Retail)-HeartBug
2008-12-14 22:43 . 2008-12-14 22:45 <DIR> d-------- c:\program files\Gimp+Brushes
2008-12-14 01:17 . 2008-12-17 23:12 <DIR> d-------- c:\program files\Winamp
2008-12-14 01:17 . 2008-12-16 06:19 <DIR> d-------- c:\documents and settings\Owner\Application Data\Winamp
2008-12-14 01:13 . 2008-12-14 01:13 <DIR> d-------- c:\program files\Combined Community Codec Pack
2008-12-13 15:40 . 2008-12-13 15:40 <DIR> d-------- c:\program files\Gabest
2008-12-13 12:07 . 2008-12-18 00:14 478 --a------ c:\windows\ODBC.INI
2008-12-13 12:01 . 2008-12-16 00:58 <DIR> d-------- c:\windows\ShellNew
2008-12-13 11:52 . 2008-12-13 11:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-13 11:52 . 2005-12-08 13:56 65,536 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-12-13 11:52 . 2005-12-08 13:56 49,152 --a------ c:\windows\system32\QuickTime.qts
2008-12-13 11:50 . 2008-12-13 11:50 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-13 11:48 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-13 11:41 . 2008-12-13 11:41 <DIR> d-------- c:\documents and settings\Owner\Application Data\Media Player Classic
2008-12-13 11:40 . 2008-12-13 11:41 <DIR> d-------- c:\documents and settings\Owner\Application Data\bsplayer
2008-12-13 11:39 . 2008-12-13 11:53 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-13 11:36 . 2008-12-13 11:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\Ahead
2008-12-13 11:26 . 2008-12-13 11:26 <DIR> d-------- c:\program files\Power Video Converter
2008-12-13 11:25 . 2008-12-14 22:23 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-13 11:21 . 2008-12-13 11:21 85,504 -rahs---- c:\windows\system32\vbsdfe1.dll
2008-12-13 11:18 . 2008-12-13 11:18 <DIR> d-------- c:\windows\Cache
2008-12-13 11:11 . 2008-12-13 11:51 <DIR> d-------- c:\program files\QuickTime
2008-12-13 11:11 . 1999-11-10 11:05 86,016 --a------ c:\windows\unvise32qt.exe
2008-12-12 04:03 . 2008-12-12 04:03 <DIR> d-------- c:\program files\SmartSound Software Inc
2008-12-12 00:22 . 2004-06-10 08:31 135,168 -ra------ c:\windows\UNDPX2A.exe
2008-12-12 00:22 . 2004-06-10 08:34 53,693 -ra------ c:\windows\UNDPX2A.sys
2008-12-12 00:22 . 2004-06-09 17:42 15,429 -ra------ c:\windows\system32\drivers\Sacm2A.sys
2008-12-12 00:19 . 2008-12-12 00:19 0 --a------ c:\windows\nsreg.dat
2008-12-12 00:08 . 2002-03-11 07:18 151,552 -ra------ c:\windows\system32\igfxres.dll
2008-12-12 00:05 . 2000-10-20 04:28 765,952 -ra------ c:\windows\system\crlds3d.dll
2008-12-12 00:05 . 2001-11-22 22:08 712,704 -ra------ c:\windows\system32\Audio3D.dll
2008-12-12 00:05 . 2001-11-22 22:08 712,704 -ra------ c:\windows\system32\a3d.dll
2008-12-12 00:05 . 2002-04-15 03:53 421,888 -ra------ c:\windows\system\cmicnfg.cpl
2008-12-12 00:05 . 2002-04-21 22:36 407,439 -ra------ c:\windows\system32\drivers\cmuda.sys
2008-12-12 00:05 . 2002-02-27 00:08 28,672 -ra------ c:\windows\system32\udaprop.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 09:25 85,504 --sh--r c:\windows\system32\vbsdfe0.dll
2008-12-18 09:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 09:04 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-16 23:35 113,878 --sha-r c:\windows\system32\vamsoft.exe
2008-12-12 05:46 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-12 05:46 --------- d-----w c:\program files\NotePad++
2008-12-12 05:46 --------- d-----w c:\program files\Foxit
2008-12-11 21:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 21:45 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-11 21:42 --------- d-----w c:\program files\Pinnacle Systems
2008-12-11 21:34 --------- d-----w c:\program files\DAP
2008-12-11 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-11 20:01 --------- d-----w c:\program files\Pinnacle
2008-12-11 19:39 --------- d-----w c:\documents and settings\All Users\Application Data\Pinnacle
2008-12-11 19:29 --------- d-----w c:\program files\TC
2008-12-11 19:19 --------- d-----w c:\program files\uTorrent
2008-12-11 19:19 --------- d-----w c:\program files\Google
2008-12-11 19:17 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-12-11 19:10 --------- d-----w c:\program files\MiraScan
2008-12-11 19:00 --------- d-----w c:\program files\Ahead
2008-12-11 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-11 18:59 --------- d-----w c:\program files\Common Files\Nero
2008-12-11 18:57 --------- d-----w c:\program files\Common Files\Ahead
2008-11-20 02:03 106,383 --sh--r C:\6fnlpetp.exe
2006-12-13 10:12 66,648 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 10:12 54,352 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 10:12 34,928 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 10:12 46,696 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 10:12 172,120 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
2007-02-20 00:44 665088 3ffa1573fc274e5aa7467d03941c45ee c:\windows\ie7\wininet.dll
2007-01-12 09:27 822784 be43d00d802c92f01c8cc952c6f483f8 c:\windows\system32\wininet.dll
2007-01-12 09:27 822784 be43d00d802c92f01c8cc952c6f483f8 c:\windows\system32\dllcache\wininet.dll
2007-02-20 00:45 360704 253e84b9c0f0d9cd42e0892413d69daa c:\windows\system32\drivers\tcpip.sys
2007-02-05 09:37 2197760 c0a57196e32e2a04724b3fc52a85ad6a c:\windows\system32\ntoskrnl.exe
2007-02-16 14:25 1403392 cd755f94692db3fb4c6642b075bdd683 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vamsoft"="c:\windows\system32\vamsoft.exe" [2008-12-16 113878]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-18 68856]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-12-11 3114496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-03-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-03-11 106496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-01-08 c:\windows\system32\advpack.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ipktzv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP31"= vp31vfw.dll
"VIDC.FFDS"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2008-12-11 180480]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a59e0d0-ca46-11dd-b251-c79340ca48d0}]
\Shell\AutoRun\command - G:\abk.bat
\Shell\explore\Command - G:\abk.bat
\Shell\open\Command - G:\abk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34ff4730-ca5b-11dd-b252-001ac35bf8a1}]
\Shell\AutoRun\command - G:\abk.bat
\Shell\explore\Command - G:\abk.bat
\Shell\open\Command - G:\abk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65407264-cc63-11dd-b257-001ac35bf8a1}]
\Shell\AutoRun\command - G:\p1y2.cmd
\Shell\explore\Command - G:\p1y2.cmd
\Shell\open\Command - G:\p1y2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15a9bc0-cb45-11dd-b254-001ac35bf8a1}]
\Shell\AutoRun\command - G:\h3.bat
\Shell\explore\Command - G:\h3.bat
\Shell\open\Command - G:\h3.bat
.
- - - - ORPHANS REMOVED - - - -
BHO-{5A786FCA-0B26-43B1-B59F-749F6996C345} - c:\windows\system32\wvUlmmnM.dll
BHO-{66f065b6-4833-4a45-951c-a45079def343} - c:\windows\system32\ipktzv.dll
BHO-{8EA86503-476F-476A-A55A-7225082DF3EB} - c:\windows\system32\ljJYOhHx.dll
HKLM-Run-Cmaudio - cmicnfg.cpl
ShellExecuteHooks-{8EA86503-476F-476A-A55A-7225082DF3EB} - c:\windows\system32\ljJYOhHx.dll
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com/
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-12-18 03:25:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-18 3:26:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-18 09:26:46
Pre-Run: 7,171,162,112 bytes free
Post-Run: 7,480,913,920 bytes free
263
-
Is my computer safe now? Do i still need to do anything?
Please reply...
-
Can you do the following still
Download > [color=\"red\"]OTMoveIt3[/color] (http://\"http://oldtimer.geekstogo.com/OTMoveIt3.exe\") <[/url] by OldTimer.
- Save it to your desktop.
- Double-click OTMoveIt3.exe to run it.
- Copy the entries below in Blue to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
[color=\"#0000FF\"]
:Processes
explorer.exe
VistaDrive.exe
:Services
:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vamsoft"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a59e0d0-ca46-11dd-b251-c79340ca48d0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34ff4730-ca5b-11dd-b252-001ac35bf8a1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65407264-cc63-11dd-b257-001ac35bf8a1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15a9bc0-cb45-11dd-b254-001ac35bf8a1}]
:Files
c:\windows\VistaDrive
c:\windows\system32\vamsoft.exe
c:\windows\system32\vbsdfe0.dll
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
[/color]
======================================================
- Return to OTMoveIt3, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "[color=\"red\"]MoveIt![/color]" button.
- Close OTMoveIt when it has completed.
[color=\"red\"]Note[/color]: If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
If prompted on startup to Run OTMoveit again, allow it please
A Log should open, I'll need to see it later
If no log opens
OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <-indicates date_time of log
NEXT: Do the following
If you haven't installed any Anti-Virus software yet
Don't do it yet, if you have, temporarily disable it
Then,
Download the latest version of [color=\"#800080\"]Kaspersky Virus Removal Tool[/color] (http://\"ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool/index.html\")
- Close all other applications and double-click and run the installer.
- When AVPTool starts, select All the scanable items except for CD-ROM drives and click the Scan button.
- If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active) if prompted
- After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
- In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
- In the Scan window click the Reports button and select Save to file.
- Name the report AVPT.txt, and save it to the Desktop.
- Close AVPTool.
- You will be prompted if you want to uninstall the program; click Yes.
- You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
- Copy and paste the Only the first part of the report ([color=\"#0000FF\"]Detected[/color]) that you saved in your next reply. Do not include the longer list marked Events.
With the AVPT.txt file
Can you also include the log from OTMoveit3 and a fresh Hijackthis log
EDIT>>If you are transferring tools to this computer
Please ensure you place them on the infected computer's desktop before running
-
I am sorry to be so late in completing the task u had given. Hope you are still around!
first i have put up report from kaspersky antivirus tool.
Scan
----
Scanned: 433446
Detected: 20
Untreated: 0
Start time: 12/18/2008 1:46:00 PM
Duration: 06:11:01
Finish time: 12/18/2008 7:57:01 PM
Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh File: E:\6fnlpetp.exe
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh File: C:\6fnlpetp.exe
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh File: D:\6fnlpetp.exe
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh File: C:\Qoobox\Quarantine\C\abk.bat.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh File: C:\Qoobox\Quarantine\C\WINDOWS\system32\kamsoft.exe.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh File: C:\Qoobox\Quarantine\C\h3.bat.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh File: C:\Qoobox\Quarantine\C\p1y2.cmd.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.akva File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasretyw0.dll.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.anvg File: C:\_OTMoveIt\MovedFiles\12182008_131830\windows\system32\vbsdfe0.dll
deleted: Trojan program Trojan-GameThief.Win32.Magania.anvg File: C:\WINDOWS\system32\vbsdfe1.dll
deleted: Trojan program Trojan-GameThief.Win32.OnLineGames.tywl File: C:\_OTMoveIt\MovedFiles\12182008_131830\windows\system32\vamsoft.exe
deleted: Trojan program Trojan.Win32.Agent.avwp File: C:\Qoobox\Quarantine\C\WINDOWS\system32\lbjiyx.dll.vir
deleted: Trojan program Trojan.Win32.Agent.avwp File: C:\Qoobox\Quarantine\C\WINDOWS\system32\uduymubw.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnmkjiI.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGaxwvt.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGyvuRk.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXOEwXR.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyxXRkL.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJYOhHx.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen File: D:\Softwares\Microsoft Office 2003 - Word-Excel-Powerpoint-Outlook\Microsoft Office 2003 - Word-Excel-Powerpoint-Outlook.EXE//data0000.cab/is154858.exe
Now, it is otmoveit log.
========== PROCESSES ==========
Process explorer.exe killed successfully.
Process VistaDrive.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vamsoft deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VistaDrive deleted successfully.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a59e0d0-ca46-11dd-b251-c79340ca48d0}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34ff4730-ca5b-11dd-b252-001ac35bf8a1}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65407264-cc63-11dd-b257-001ac35bf8a1}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15a9bc0-cb45-11dd-b254-001ac35bf8a1}\\ deleted successfully.
========== FILES ==========
c:\windows\VistaDrive moved successfully.
c:\windows\system32\vamsoft.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\vbsdfe0.dll
c:\windows\system32\vbsdfe0.dll NOT unregistered.
c:\windows\system32\vbsdfe0.dll moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12182008_131830
Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\XUL.mfl moved successfully.
Finally fresh hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:28 PM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Softwares\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
--
End of file - 3733 bytes
-
That's looking better
Can you do the following
Do a "System scan only" with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Kaspersky's Virus Removal tool is no replacement for a Resident up to date Virus Scanner installed on your computer
And you should of already removed Kaspersky's
Can you do the following please
Go here and download your Free version of Avira AntiVir
http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935 (http://\"http://www.download.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlpid=10322935\")
Save the installer to desktop
Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take awhile, but allow it time
NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it
A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"
Quarantine or delete everything it finds
When the scan is finished
Reboot the computer
Back in Windows
Can you post all the following back please:
1. Post a fresh hijackthis log
2. Please post the log from Avira
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"
Let me also know how things are now running
-
In your other posts you have ranked avira antivirus as third after avast and avg. If that is the case, then why are you asking me to install avira?
-
other posts you have ranked avira antivirus as third after avast and avg. If that is the case, then why are you asking me to install avira?
I never ranked it 3rd, but you don't need to install it, I really like Avira
Try Avast if you like
Avast is another great AntiVirus
I've been hesitant with AVG, as it has slowed some computers down
I put Avira and Avast as my favorite free AV's
AVG right below them, it got a bit bloated
They all have a free version, as I indicated here
http://www.thetechguide.com/forum/index.php?showtopic=15894 (http://\"http://www.thetechguide.com/forum/index.php?showtopic=15894\")
NOTE: I have Avira, 3rd on that list>>Alphabetical
Decide which you want to try, ONLY install one, the AVG 7.5 version you were going to install earlier will not be supported early in the New Year
The newest is AVG8
After you are sure your product is updated, run a complete scan
Reboot afterwards
Come back and post a fresh Hijackthis log and keep me informed how things are running
-
Certainly i will keep you posted. As of now it is looking better than before. No more windows are getting opened automatically eg firefox.
But not quite sure about win explorer problem. I have opened it right now. I will wait for the result. If it closes down itself abruptly, I wil let u know.
Hey thanx for helping me through. I really appreciate it. Please dont mind my last post. Actually i have had many suggestions about no of AV programs from numerous people around me and i was quite bugged with that. When i read ur other posts, somewhere u had written this thing but that could be in context with some other problem. I can understand that you are helping so many people here and i shouldnt have said u this way. I m sorry.
-
I forgot to ask earlier
Your custom install of XP
Did you purposely set the following
In the START menu, did you purposely set it so the "Set Program Access and Defaults" link is missing?
In the Windows Control Panel
Did you purposely set it to force a Classic View of the Control Panel?
Run your virus scanner first, then give me the info above with a fresh Hijackthis log please
-
I got this copy of windows from my friend. I have not customized anything in this except for the control panel's classic view. I did this because i was unable to find add/remove programs in the other view.
See, i havent changed anything in start menu as fer as i can understand. I didnt get ur question abt start menu customization. so if anything u want to know further, can u ask me in little detail. so that i can answer u better.
Now here is avira's log file:
Avira AntiVir Personal
Report file date: Sunday, December 21, 2008 01:05
Scanning for 1106377 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: COMPUTER2007
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.0.197 1170432 Bytes 12/7/2008 06:55:46
ANTIVIR2.VDF : 7.1.0.250 342528 Bytes 12/18/2008 06:57:32
ANTIVIR3.VDF : 7.1.1.14 95232 Bytes 12/19/2008 06:57:58
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 12/21/2008 07:02:19
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 12/21/2008 07:01:58
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 12/21/2008 07:00:55
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/21/2008 06:58:40
AEGEN.DLL : 8.1.1.8 323956 Bytes 12/21/2008 06:58:34
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/21/2008 06:58:12
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Sunday, December 21, 2008 01:05
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'uTorrent.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'googletalk.exe' - '1' Module(s) have been scanned
Scan process 'YahooMessenger.exe' - '1' Module(s) have been scanned
Scan process 'DataLayer.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'LaunchApplication.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'DAP.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '48' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\New Folder\McAfee Total Protection 2008 (Retail)-HeartBug\en-AU\Acroread\AcroRead.exe
- Archive type: CAB SFX (self extracting)
--> \Data1.cab
[1] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> \instmsiw.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\keygen.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
[NOTE] The file was moved to '49c6ec9e.qua'!
C:\Program Files\Adobe\Adobe Photoshop CS2\keygen.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
[NOTE] The file was moved to '49c6ed06.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\gmurftjy.dll.vir
[DETECTION] Is the TR/Vundo.Gen.6.26 Trojan
[NOTE] The file was moved to '49c2f0ae.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ipktzv.dll.vir
[DETECTION] Is the TR/Vundo.Gen.6.26 Trojan
[NOTE] The file was moved to '49b8f0b4.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUlmmnM.dll.vir
[DETECTION] Is the TR/Vundo.Gen.6.17 Trojan
[NOTE] The file was moved to '49a2f0be.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\yopxrhnr.dll.vir
[DETECTION] Is the TR/Vundo.Gen.6.25 Trojan
[NOTE] The file was moved to '49bdf0ba.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP10\A0001165.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df091.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP10\A0001171.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df099.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP11\A0001360.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df09f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP11\A0001366.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc6d8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP12\A0001478.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0a3.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP12\A0001484.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeafc.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0001580.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0a9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0001586.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0aa.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002148.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df0b8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002149.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeae1.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002150.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0b9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002151.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeae2.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP15\A0002162.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0ba.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP15\A0002166.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeae3.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002228.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0be.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002235.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeae7.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002395.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df0c5.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002396.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea9e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002397.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0c7.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002398.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea90.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002419.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0c6.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002420.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48fdea9f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002421.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0c9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002423.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea92.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002439.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0c8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002445.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea91.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002485.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df0ca.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002486.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea93.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002493.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0cc.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002496.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0cb.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002502.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '48fdea94.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP18\A0002518.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea95.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP18\A0002524.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0ce.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002566.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea97.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002572.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0cf.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002600.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df0d0.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002601.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea89.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002602.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d2.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002603.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d1.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003598.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48fdea8a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003599.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d3.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003600.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea8c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003601.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea8b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP2\A0000758.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d5.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP2\A0000764.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea8e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003613.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d7.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003619.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d4.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003632.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48fdea8d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003633.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea80.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003634.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003635.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea82.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003645.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d6.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003652.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea8f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003668.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df0db.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003669.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea84.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003670.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0dd.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003671.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0d8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003688.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdea81.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003734.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '48fdea86.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP21\A0003737.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0dc.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP21\A0003738.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48fdea85.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP21\A0003739.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df0df.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0003760.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeab8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004421.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df100.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004422.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb59.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004424.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df102.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004425.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df101.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004444.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb5b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004445.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '497df104.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP23\A0004446.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df103.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP23\A0004452.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb5c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP24\A0004457.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb5d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP24\A0004463.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df106.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0004467.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df105.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0004473.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb5f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005419.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df138.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005420.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df107.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005422.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb50.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005425.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df109.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005439.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df108.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006419.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48fdeb52.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006420.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df10b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006422.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb54.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006423.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df10a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006446.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df10d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006447.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb56.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006453.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df10c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006459.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb55.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP26\A0006466.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df10f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP26\A0006467.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb48.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006485.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df111.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006494.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df110.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006496.dll
[DETECTION] Is the TR/Vundo.Gen.6.20 Trojan
[NOTE] The file was moved to '48fdeb4a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006501.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df112.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006502.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc76b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006504.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df114.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006510.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df113.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0007500.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48fcc76c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0007501.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df115.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0007509.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc76d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0008501.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48fcc76e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0008502.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df117.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0008504.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc760.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0008510.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df116.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP28\A0008590.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df11b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP28\A0008596.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc764.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0008603.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df11f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0008609.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc758.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0008635.exe
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '497df122.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009523.exe
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '497df127.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009536.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df128.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009537.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc751.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009539.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df129.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009540.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc752.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0010503.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df12b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0010504.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df12a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0010505.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc753.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0010511.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df12c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0011501.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc754.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0011502.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df12d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0011504.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc756.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0011510.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc755.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0012501.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df12e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0012502.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df12f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0012505.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc748.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0012511.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc757.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013501.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df120.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013502.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df131.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013504.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc74a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013593.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df137.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013594.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc740.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013597.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc741.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013603.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df13a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP3\A0000767.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df13c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP3\A0000775.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc745.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013640.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df13d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013644.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df13e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013671.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df140.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013673.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df141.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013678.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc73a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013680.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df142.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013681.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc73b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013692.dll
[DETECTION] Is the TR/Vundo.HO Trojan
[NOTE] The file was moved to '497df144.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013694.dll
[DETECTION] Is the TR/Vundo.Gen.6.26 Trojan
[NOTE] The file was moved to '497df143.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013695.dll
[DETECTION] Is the TR/Vundo.HO Trojan
[NOTE] The file was moved to '48fcc73c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013696.dll
[DETECTION] Is the TR/Vundo.HO Trojan
[NOTE] The file was moved to '48fcc73d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013697.dll
[DETECTION] Is the TR/Vundo.Gen.6.26 Trojan
[NOTE] The file was moved to '497df146.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013698.dll
[DETECTION] Is the TR/Vundo.Gen.6.18 Trojan
[NOTE] The file was moved to '48fcc73f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013699.dll
[DETECTION] Is the TR/Vundo.HO Trojan
[NOTE] The file was moved to '497df145.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013700.dll
[DETECTION] Is the TR/Vundo.HO Trojan
[NOTE] The file was moved to '48fcc73e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013702.dll
[DETECTION] Is the TR/Vundo.Gen.6.18 Trojan
[NOTE] The file was moved to '48fcc743.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013703.dll
[DETECTION] Is the TR/Vundo.Gen.6.17 Trojan
[NOTE] The file was moved to '48fcc747.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013704.dll
[DETECTION] Is the TR/Vundo.HO Trojan
[NOTE] The file was moved to '497df130.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013705.dll
[DETECTION] Is the TR/Vundo.Gen.6.25 Trojan
[NOTE] The file was moved to '497df147.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013718.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df148.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013776.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df14c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013777.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fcc735.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013778.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df14d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0014776.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df14e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0014785.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdeb17.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0015785.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df14f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0016785.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df151.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0018054.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df186.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0018074.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df188.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0018075.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdebd1.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0018076.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df18a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP34\A0018209.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
[NOTE] The file was moved to '497df192.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP34\A0018210.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
[NOTE] The file was moved to '48fdebcb.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP4\A0000790.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df195.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP4\A0000796.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdebce.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP5\A0000800.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df196.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP5\A0000806.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df197.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP5\A0000862.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df19b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP5\A0000864.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdebc4.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000919.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df19c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000920.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdebc5.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000937.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497df19d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000938.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdebc6.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000939.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df19f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000940.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df19e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0000955.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdebc7.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0000956.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df190.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0001046.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df1a4.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0001047.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48fdebfd.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0001048.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df1a5.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0001049.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdebfe.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP8\A0001106.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df1a9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP8\A0001112.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df1aa.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP9\A0001116.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdebf3.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP9\A0001122.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df1ab.qua'!
Begin scan in 'D:\'
D:\Softwares\fire-movie.v.3.137.exe
--> ProgramFilesDir/jah31371.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49bff397.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP1\A0000751.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df448.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP10\A0001167.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee11.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP10\A0001172.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df449.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP11\A0001362.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee12.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP11\A0001367.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df44b.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP12\A0001480.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df44a.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP12\A0001485.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee13.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0001582.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df44c.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0001587.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee14.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002153.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df44d.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002154.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee16.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP15\A0002164.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee15.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP15\A0002168.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df44e.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002231.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee17.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002236.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df440.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002400.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df44f.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002401.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee08.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002424.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee19.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002425.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df442.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002441.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee1b.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002446.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df451.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002495.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee0a.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002498.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df453.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP18\A0002520.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df450.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP18\A0002525.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee09.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002568.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df452.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002573.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee0b.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002605.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee0c.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002606.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df455.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003603.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee0e.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003604.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df454.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP2\A0000760.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee0d.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP2\A0000765.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df456.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003615.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df457.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003620.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee00.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003637.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df459.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003638.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee0f.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003675.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df444.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003676.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee1d.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP21\A0003741.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee02.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0003762.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df45b.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004427.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee04.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004428.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df446.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP23\A0004448.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee1f.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP23\A0004453.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df478.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP24\A0004459.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df45d.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP24\A0004464.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee06.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0004469.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df45f.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0004474.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df458.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005424.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee01.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005427.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df45a.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006425.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee03.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006426.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee38.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006455.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df461.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006460.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee3a.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP26\A0006469.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df45c.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP26\A0006474.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48fdee05.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006487.bat
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '497df45e.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006488.cmd
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE]
-
I forgot to tell u, i installed adobe photoshop today. Just thought u should be aware of this. Apart from that, i wanted ask u that should i also install firewall in my computer?
-
I forgot to tell u, i installed adobe photoshop today. Just thought u should be aware of this. Apart from that, i wanted ask u that should i also install firewall in my computer?
Be very careful, many viruses, trojan, other malware come packaged in Cracks and keygenerators
As noted here
C:\Program Files\Adobe\keygen.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
[NOTE] The file was moved to '49c6ec9e.qua'!
C:\Program Files\Adobe\Adobe Photoshop CS2\keygen.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
Can you do the following
Hold onto Avira, but you can open it's Quarantine section and Use the Trash icon to delete all objects
Check out it's scheduler and schedule a weekly scan
Ensure to Activate it
Go to START>>RUN>>copy and paste the following then click OK
ComboFix /u
This will uninstall ComboFix and it's components
Can you Download CCleaner from the following link
http://www.ccleaner.com/download/builds (http://\"http://www.ccleaner.com/download/builds\")
Choose the bottom download
CCleaner v2.14.763 - Slim
Save it then double click to Install
When installing, untick all options except for the Desktop Shortcut
After installation, delete the installer
In an open CCleaner window click on OPTIONS>>COOKIES
Move the ones you want to keep to the KEEP side
Then click on ADVANCED>>Untick "Only delete Temp files older than 48 hours"
Click on CLEANER on the left then click on "RUN CLEANER" on the bottom right
OK the prompt
Let it finish then Exit
You can manually check for updates on the bottom right hand side
of the main screen every couple months or so
If there is an update, I suggest that you untick the option to install the Toolbar
You can install over top of an older version, keeping your settings intact
I would hold onto this tool and run it every week
I suggest that you add SpywareBlaster to your protection software
SpywareBlaster by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\") *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Startus>>enable all protection
OTMoveIt3.exe- Double-click OTMoveIt3.exe to run it.
- Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Don't change anything in this list
- Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Don't mouseclick during the wait as you may cause the tool to stall
- Select Yes to reboot Now
NOTE: This procedure will also delete OTMoveit.exe from desktop
A software Firewall is not a bad idea
the one built into XP will only filter incoming traffic
Others, such as the ones I have in this link
http://www.thetechguide.com/forum/index.php?showtopic=15894 (http://\"http://www.thetechguide.com/forum/index.php?showtopic=15894\")
Will filter incoming/outgoing traffic
Zone Alarm is fairly easy to use, ONLY install one Firewall software
If you go with ZA, ensure to untick any Toolbars it wants to install by default
This goes with any Firewall I have at those links, if they come bundled with a Toolbar of some sort
Untick the option
Take a look at miekiemoes site with other ideas on How to prevent Malware: (http://\"http://users.telenet.be/bluepatchy/miekiemoes/prevention.html\")
-
my system is hanged everytime i start my comp as soon as i see desktop.
please help!
-
Let's see if anything new has been added
Can you post a fresh Hijackthis log
In addition>>
Download and save to your desktop
[color=\"#FF0000\"]OTScanIt2[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTScanIt2.exe\")[/url]
by OldTimer
Double click on it to Run it and then Extract it to a folder on desktop
Open that newly created folder and double click on OTScanIt2.exe
Leave all defaults selected
Except, change Rootkit Search to YES
Also, under Additional Scans, put a tick next to
Evnt - EventViewer Logs (Last 10 Errors)
Then click on [color=\"#0000FF\"]Run Scan [/color]
When done, it will produce a log
Can you post the contents of that log back here please
A copy of it can also be found it the OTScanIt2 folder on desktop
It may be best to attach that log
-
luckily system is started second time now. and i am able to write a post here.
I dont what went wring with the system. It has just started getting frozrn everytime i started my system. Even in safe mode it was getting hanged. in fact i never succeded in my attempt to start system in safe mode. what should i do?
please help me!
-
hikackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:44 AM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
D:\Softwares\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
--
End of file - 5023 bytes
-
I posted additional instructions earlier
I'm going to change them a bit, with the new information you added
In addition>>
Download and save to your desktop
[color=\"#FF0000\"]OTScanIt2[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTScanIt2.exe\")[/url]
by OldTimer
Double click on it to Run it and then Extract it to a folder on desktop
Open that newly created folder and double click on OTScanIt2.exe
Leave all defaults selected
Except, change Rootkit Search to YES
Also, under Additional Scans, put a tick next to
Reg - SafeBoot Minimal
Reg - SafeBoot Network
Evnt - EventViewer Logs (Last 10 Errors)
Then click on [color=\"#0000FF\"]Run Scan [/color]
When done, it will produce a log
Can you post the contents of that log back here please
A copy of it can also be found it the OTScanIt2 folder on desktop
It may be best to attach that log
-
i was trying hard but i was unable to post anything here.
error: 505
method not implemented
whats wrong?
-
Nothing suspicious
Can you update Avira, run a new scan and post the new report from it
-
then what could be the reason for repeated system hanging around 50 times?
can u understand anything?
-
see as far as avira's report is concerned. i had started scanning when first time system started. At that time it had found few viruses ehose details are as under. Later scanning got stopped bcoa system got hanged.
Avira AntiVir Personal
Report file date: Tuesday, December 23, 2008 02:31
Scanning for 1107347 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: Owner
Computer name: COMPUTER2007
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.0.197 1170432 Bytes 12/7/2008 06:55:46
ANTIVIR2.VDF : 7.1.0.250 342528 Bytes 12/18/2008 06:57:32
ANTIVIR3.VDF : 7.1.1.15 107520 Bytes 12/21/2008 06:41:50
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 12/21/2008 07:02:19
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 12/21/2008 07:01:58
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 12/21/2008 07:00:55
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/21/2008 06:58:40
AEGEN.DLL : 8.1.1.8 323956 Bytes 12/21/2008 06:58:34
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/21/2008 06:58:12
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37
Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\Owner\LOCALS~1\Temp\d307754e.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: G:,
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Tuesday, December 23, 2008 02:31
Starting the file scan:
Begin scan in 'G:\' <MANISHA>
G:\New Folder .exe
[DETECTION] Is the TR/Autoit.CI.14 Trojan
[NOTE] The file was deleted!
G:\regsvr.exe
[DETECTION] Is the TR/Autoit.CI.14 Trojan
[NOTE] The file was moved to '49b7a274.qua'!
G:\lky.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49c9a27d.qua'!
G:\RESTORE\RESTORE .exe
[DETECTION] Is the TR/Autoit.CI.14 Trojan
[NOTE] The file was moved to '49a3a25a.qua'!
G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\S-1-5-21-1482476501-1644491937-682003330-1013 .exe
[DETECTION] Is the TR/Autoit.CI.14 Trojan
[NOTE] The file was moved to '4981a248.qua'!
G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.117248 worm
[NOTE] The file was moved to '49c1a282.qua'!
G:\OM\OM .exe
[DETECTION] Is the TR/Autoit.CI.14 Trojan
[NOTE] The file was moved to '4970a287.qua'!
G:\Shaadi\Shaadi .exe
[DETECTION] Is the TR/Autoit.CI.14 Trojan
[NOTE] The file was moved to '49b1a2a5.qua'!
G:\Shaadi\card-4\card-4 .exe
[DETECTION] Is the TR/Autoit.CI.14 Trojan
[NOTE] The file was moved to '49c2a2a3.qua'!
G:\Shaadi\CARD-3\CARD-3 .exe
[DETECTION] Is the TR/Autoit.CI.14 Trojan
[NOTE] The file was moved to '49a2a297.qua'!
End of the scan: Tuesday, December 23, 2008 02:33
Used time: 01:53 Minute(s)
The scan has been canceled!
7 Scanning directories
367 Files were scanned
10 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
1 files were deleted
0 files were repaired
9 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
357 Files not concerned
0 Archives were scanned
0 Warnings
10 Notes
-
After that when system started working i did another scan, This time the process was completed without any interruption.
Avira AntiVir Personal
Report file date: Wednesday, December 24, 2008 00:52
Scanning for 1110459 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: COMPUTER2007
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.0.197 1170432 Bytes 12/7/2008 06:55:46
ANTIVIR2.VDF : 7.1.0.250 342528 Bytes 12/18/2008 06:57:32
ANTIVIR3.VDF : 7.1.1.21 151040 Bytes 12/22/2008 06:51:36
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 12/21/2008 07:02:19
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 12/21/2008 07:01:58
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 12/21/2008 07:00:55
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/21/2008 06:58:40
AEGEN.DLL : 8.1.1.8 323956 Bytes 12/21/2008 06:58:34
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/21/2008 06:58:12
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Wednesday, December 24, 2008 00:52
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avnotify.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'DAP.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'LAUNCH~1.EXE' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '48' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\New Folder\McAfee Total Protection 2008 (Retail)-HeartBug\en-AU\Acroread\AcroRead.exe
- Archive type: CAB SFX (self extracting)
--> \Data1.cab
[1] Archive type: CAB (Microsoft)
--> VDK10.RSD
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> \instmsiw.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
Begin scan in 'D:\'
Begin scan in 'E:\'
End of the scan: Wednesday, December 24, 2008 01:20
Used time: 28:25 Minute(s)
The scan has been done completely.
4404 Scanning directories
174422 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
174421 Files not concerned
1660 Archives were scanned
3 Warnings
0 Notes
-
Which drive is your G: drive?
-
that was for a pen drive. when i found virus in my pen drive, i formatted that drive bcoz that data was not imp for me.
-
You mean for the pen drive you didn't have before?
Remember what I said earlier
But if it is infected, any computer it's been inserted too
Could also be infected
What probably happened, you inserted the Pendrive, it didn't autostart, so you accessed it thru MyComputer without scanning it first
You can right click a pendrive in MyComputer and choose to Scan with Avira in the future
We have to ensure that pendrive will not reinfect you again
even if it's already formatted, do the following
download Flash_Disinfector (http://\"http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe\") and save it to your desktop- Double on Flash_Disinfector.exe and select Run As Administrator to run it. If you receive a prompt, please allow it.
- You will be prompted to plug in your flash drive. Plug it in. If you have more than one, plug them in
- Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
- When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
- Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Leave your Pendrive connected
Can you temporarily disable Avira protection, right click it's icon by the clock
and uncheck "AntiVir Guard Enable"
Then, REDownload ComboFix from
[color=\"#0000FF\"]Link 1[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 2[/color] (http://\"http://www.forospyware.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 3[/color] (http://\"http://subs.geekstogo.com/ComboFix.exe\")
Save it ONLY to your Desktop
Double click on it to run it, let it run it's course than post back the log from it later
C:\ComboFix.txt
-
Forgot to add:
[color=\"#0000FF\"]Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.[/color]
-
What probably happened, you inserted the Pendrive, it didn't autostart, so you accessed it thru MyComputer without scanning it first
You can right click a pendrive in MyComputer and choose to Scan with Avira in the future
We have to ensure that pendrive will not reinfect you again
even if it's already formatted, do the following
no. it wasnt the way i did things. i was aware there could be virus in a pendrive. so i opened my computer and scanned it the way you said before. there i found this viruses. and i dont have that pen drive with me right now. it was my friends one. i cant get it back. m sorry.
How does the system look to u now, keeping aside that pen drive?
-
Well, I guess it looks OK
How is the system running?
You didn't post the new log from ComboFix so it's hard for me to tell, I would still run it just to double check that there are no leftovers behind. Post the new log afterwards
-
well system still hangs up abruptly and i did run flash disinfector. here is the combo fix log
ComboFix 08-12-21.04 - Owner 2008-12-25 1:05:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.612 [GMT 5.5:30]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
.
((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.
2008-12-24 12:51 . 2008-12-24 12:58 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-24 12:12 . 2008-12-24 12:12 <DIR> d-------- c:\program files\CCleaner
2008-12-24 11:39 . 2008-12-24 11:39 <DIR> d-------- c:\documents and settings\Administrator
2008-12-21 12:18 . 2008-12-21 12:18 <DIR> d-------- c:\program files\Avira
2008-12-21 12:18 . 2008-12-21 12:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-21 00:14 . 2008-12-21 00:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems
2008-12-21 00:13 . 2008-12-21 00:13 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared
2008-12-20 11:57 . 2008-12-20 11:57 <DIR> d-------- c:\program files\Yahoo!
2008-12-20 11:57 . 2008-12-20 11:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\Yahoo!
2008-12-20 11:42 . 2008-12-20 11:43 <DIR> d-------- c:\documents and settings\Owner\Phone Browser
2008-12-20 11:42 . 2008-12-20 11:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\Datalayer
2008-12-20 11:40 . 2008-12-20 11:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Nokia
2008-12-20 11:39 . 2008-12-20 11:39 <DIR> d-------- c:\program files\DIFX
2008-12-20 11:38 . 2008-12-20 11:39 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-20 11:38 . 2008-12-20 11:38 <DIR> d-------- c:\program files\Nokia
2008-12-20 11:38 . 2008-12-20 11:38 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-20 11:38 . 2008-12-20 11:38 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-20 11:38 . 2008-12-20 11:39 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Suite
2008-12-20 11:38 . 2008-12-20 11:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-20 11:38 . 2006-05-29 19:56 127,488 --a------ c:\windows\system32\drivers\nmwcd.sys
2008-12-20 11:38 . 2006-05-29 19:56 50,688 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-20 11:38 . 2006-05-29 19:56 30,720 --a------ c:\windows\system32\nmwcdcocls.dll
2008-12-20 11:38 . 2006-05-29 19:56 13,312 --a------ c:\windows\system32\drivers\nmwcdcm.sys
2008-12-20 11:38 . 2006-05-29 19:56 8,704 --a------ c:\windows\system32\drivers\nmwcdc.sys
2008-12-20 11:38 . 2006-05-29 19:56 4,608 --a------ c:\windows\system32\nmwcdlog.dll
2008-12-19 04:11 . 2008-12-19 07:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
2008-12-19 00:53 . 2008-12-19 10:25 1,589,280 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-19 00:53 . 2008-12-19 10:25 21,788 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-19 00:33 . 2008-12-19 00:34 <DIR> d-------- c:\program files\Any Video Converter
2008-12-19 00:11 . 2008-12-19 00:11 <DIR> d-------- c:\program files\GIMP-2.0
2008-12-19 00:09 . 2008-12-19 00:09 <DIR> d-------- C:\New Folder
2008-12-18 22:36 . 2008-12-18 22:36 <DIR> d-------- c:\windows\system32\xircom
2008-12-18 22:36 . 2008-12-18 22:36 <DIR> d-------- c:\windows\system32\npp
2008-12-18 22:36 . 2008-12-18 22:36 <DIR> d-------- c:\windows\srchasst
2008-12-18 22:36 . 2008-12-18 22:36 <DIR> d-------- c:\program files\microsoft frontpage
2008-12-18 11:43 . 2008-12-18 11:43 <DIR> d-------- c:\program files\Alwil Software
2008-12-18 11:35 . 2008-12-18 11:35 <DIR> d-------- C:\KitTorrent
2008-12-18 11:32 . 2008-12-18 11:48 <DIR> d-------- C:\(Any Video Convertor) (Many Formats..)
2008-12-18 10:43 . 2008-12-18 10:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-17 11:24 . 2008-12-17 11:24 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2008-12-17 10:31 . 2008-12-23 22:13 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.2
2008-12-17 10:29 . 2008-12-17 10:29 <DIR> d-------- c:\program files\Common Files\GTK
2008-12-17 06:01 . 2008-12-17 06:01 260 --a------ c:\windows\_delis32.ini
2008-12-16 12:22 . 2008-12-16 12:22 <DIR> d-------- c:\program files\Microsoft Works
2008-12-16 12:21 . 2008-12-16 12:21 <DIR> d-------- c:\program files\MSBuild
2008-12-16 12:20 . 2008-12-16 12:20 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-16 12:14 . 2008-12-16 12:15 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-12-16 12:13 . 2008-12-18 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 12:12 . 2008-12-16 12:12 <DIR> dr-h----- C:\MSOCache
2008-12-16 11:54 . 2008-12-16 12:08 <DIR> d-------- c:\program files\MsOffice2007
2008-12-16 11:13 . 2008-12-16 11:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-16 10:49 . 2008-12-16 10:49 26,944 --a------ c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-12-14 12:47 . 2008-12-18 10:42 <DIR> d-------- c:\program files\Winamp
2008-12-14 12:47 . 2008-12-21 06:02 <DIR> d-------- c:\documents and settings\Owner\Application Data\Winamp
2008-12-14 12:43 . 2008-12-14 12:43 <DIR> d-------- c:\program files\Combined Community Codec Pack
2008-12-14 03:10 . 2008-12-14 03:10 <DIR> d-------- c:\program files\Gabest
2008-12-13 23:37 . 2008-12-18 11:44 478 --a------ c:\windows\ODBC.INI
2008-12-13 23:31 . 2008-12-18 16:56 <DIR> d-------- c:\windows\ShellNew
2008-12-13 23:22 . 2008-12-13 23:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-13 23:22 . 2005-12-09 01:26 65,536 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-12-13 23:22 . 2005-12-09 01:26 49,152 --a------ c:\windows\system32\QuickTime.qts
2008-12-13 23:20 . 2008-12-13 23:20 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-13 23:18 . 1998-10-30 04:15 306,688 --a------ c:\windows\IsUninst.exe
2008-12-13 23:11 . 2008-12-13 23:11 <DIR> d-------- c:\documents and settings\Owner\Application Data\Media Player Classic
2008-12-13 23:10 . 2008-12-13 23:11 <DIR> d-------- c:\documents and settings\Owner\Application Data\bsplayer
2008-12-13 23:09 . 2008-12-13 23:23 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-13 23:06 . 2008-12-13 23:06 <DIR> d-------- c:\documents and settings\Owner\Application Data\Ahead
2008-12-13 22:56 . 2008-12-13 22:56 <DIR> d-------- c:\program files\Power Video Converter
2008-12-13 22:55 . 2008-12-21 00:16 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-13 22:48 . 2008-12-13 22:48 <DIR> d-------- c:\windows\Cache
2008-12-13 22:41 . 2008-12-13 23:21 <DIR> d-------- c:\program files\QuickTime
2008-12-13 22:41 . 1999-11-10 22:35 86,016 --a------ c:\windows\unvise32qt.exe
2008-12-12 15:33 . 2008-12-12 15:33 <DIR> d-------- c:\program files\SmartSound Software Inc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 08:44 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-12 05:46 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-12 05:46 --------- d-----w c:\program files\NotePad++
2008-12-12 05:46 --------- d-----w c:\program files\Foxit
2008-12-11 21:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 21:45 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-11 21:42 --------- d-----w c:\program files\Pinnacle Systems
2008-12-11 21:34 --------- d-----w c:\program files\DAP
2008-12-11 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-11 20:01 --------- d-----w c:\program files\Pinnacle
2008-12-11 19:39 --------- d-----w c:\documents and settings\All Users\Application Data\Pinnacle
2008-12-11 19:29 --------- d-----w c:\program files\TC
2008-12-11 19:19 --------- d-----w c:\program files\uTorrent
2008-12-11 19:19 --------- d-----w c:\program files\Google
2008-12-11 19:17 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-12-11 19:10 --------- d-----w c:\program files\MiraScan
2008-12-11 19:00 --------- d-----w c:\program files\Ahead
2008-12-11 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-11 18:59 --------- d-----w c:\program files\Common Files\Nero
2008-12-11 18:57 --------- d-----w c:\program files\Common Files\Ahead
2008-12-21 08:45 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 08:45 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 08:45 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 08:45 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 08:45 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-18 68856]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-12-12 3114496]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-06-21 4538368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-03-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-03-11 106496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-16 229376]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-13 266497]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-01-09 c:\windows\system32\advpack.dll]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-17 113664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP31"= vp31vfw.dll
"VIDC.FFDS"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2008-12-12 180480]
*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com/
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-12-25 01:07:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-25 1:08:18
ComboFix-quarantined-files.txt 2008-12-24 19:38:14
Pre-Run: 7,496,040,448 bytes free
Post-Run: 7,487,504,384 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
201
-
well system still hangs up abruptly
Can you explain exactly what it's doing, is it only on startup?
-
As i have observed in past 2-3 days, system is not hanging anymore and i am really happy for it and also appreciate your help throughout these days. But i dont understand one thing here. I have a folder called "films" in my E drive, one of the partition of hard drive. whenever i keep open this folder for a minute or so it shows me an error message that "windows explorer has encountered an error, so it will close down." Then obviously win explorer gets close down. This does not happen if i open any other folder in E or any other drive. I neither understand the logic behind this problem nor the reason.
Can you help me with this issue?
-
Since it's only one folder, and probably video files, it could be just one corrupt file in the folder causing the problem
Go to START>>RUN>>Copy and paste the following into the open field
regsvr32 /u shmedia.dll
Then click OK
See if you can open the Films folder without the error
What view are you using in that folder
Eg.. Thumbnails, Icons, Tiles?
-
The given task completed successfully. There is a thumbnail view. It seems the error is gone.
It was not showing error at the time of opening the folder. In fact error used to come after 1-2 minutes of opening it which i am noticing right now. so it seems it has been repaired now.
-
Do the following again
Start>>Run>>copy and paste the following
combofix /u
Hit OK
Again, this will uninstall ComboFix
Everything else ok?
I'll lock this topic if you find no other problems