Author Topic: Help needed  (Read 4160 times)

Offline Arpan

Help needed
« on: December 17, 2008, 03:34:39 PM »
PC has become slow. Windows Explorer closes itself down abruptly.
Apart from this, Mozilla gets opened automatically with the Google homepage, which is not my default webpage.
These are a few things I have noticed. It seems to me that I have some kind of virus on my computer.
Any help to make me understand this situation will be appreciated.
I am attaching the HijackThis log file herewith.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:36 AM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Softwares\avg75free_524a1293.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX2\avgsetup.exe
D:\Softwares\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs: ipktzv.dll

--
End of file - 4189 bytes
« Last Edit: December 17, 2008, 03:37:48 PM by Arpan »

Offline guestolo

« Reply #1 on: December 17, 2008, 03:41:44 PM »
There is no need to start a new topic.
Here is the last topic you started: http://www.thetechguide.com/forum/index.php?showtopic=79144
I'll lock the other topic; please keep all replies back here in this topic.

Are you in the process of installing AVG?
Can you reboot the computer?

Afterwards, come back here.
Insert your pen drive that's infected into this computer.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3
Save it ONLY to your Desktop.

--------------------------------------------------------------------
Temporarily disable your AntiVirus, AntiSpyware and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

NOTE: Do not mouse-click inside the ComboFix window as it's running; it may cause it to stall.
ComboFix will run again on startup; it will prompt that it's creating a log.
This process could take up to 15 minutes; let it run uninterrupted please.
« Last Edit: December 17, 2008, 04:21:40 PM by guestolo »

Do you want to post your own logs from FRST?
Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Arpan

« Reply #2 on: December 17, 2008, 04:32:38 PM »
In future, I will not repeat this mistake.
Thank you for replying to my post.
I am now restarting my computer and will install your said software, but I am not sure which pen drive has infected my computer. So is it fine if I don't have it?

I had installed AVG, but since it was an older version I removed it.
Then I installed Avast, but even that was an older version, so I removed that also.
« Last Edit: December 17, 2008, 04:34:55 PM by Arpan »

Offline guestolo

« Reply #3 on: December 17, 2008, 04:35:11 PM »
Do you have the pen drives with you?



Offline Arpan

« Reply #4 on: December 17, 2008, 04:38:58 PM »
No, I don't.
Is that pen drive really very important?

Offline guestolo

« Reply #5 on: December 17, 2008, 04:42:54 PM »
Quote: Is that pen drive really very important?

Not at the moment.

But if it is infected, any computer it's been inserted into could also be infected.

For now, can you just carry on with the instructions for ComboFix?



Offline Arpan

« Reply #6 on: December 17, 2008, 05:00:52 PM »
Hey, I am back with the ComboFix log file. Here it is.

ComboFix 08-12-16.03 - Owner 2008-12-18  3:21:13.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.790 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\abk.bat
C:\autorun.inf
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
C:\h3.bat
C:\p1y2.cmd
c:\windows\system32\cbXOEwXR.dll
c:\windows\system32\evqlhfle.ini
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gmurftjy.dll
c:\windows\system32\h@tkeysh@@k.dll
c:\windows\system32\hgGaxwvt.dll
c:\windows\system32\hgGyvuRk.dll
c:\windows\system32\ipktzv.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\lbjiyx.dll
c:\windows\system32\ljJYOhHx.dll
c:\windows\system32\MnmmlUvw.ini
c:\windows\system32\MnmmlUvw.ini2
c:\windows\system32\pmnmkjiI.dll
c:\windows\system32\rnhrxpoy.ini
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twext.exe
c:\windows\system32\uduymubw.dll
c:\windows\system32\wvUlmmnM.dll
c:\windows\system32\xxyxXRkL.dll
c:\windows\system32\yopxrhnr.dll
D:\abk.bat
D:\Autorun.inf
D:\h3.bat
D:\nq0cq.cmd
D:\p1y2.cmd
D:\resycled
d:\resycled\boot.com
E:\abk.bat
E:\Autorun.inf
E:\h3.bat
E:\nq0cq.cmd
E:\p1y2.cmd
E:\resycled
e:\resycled\boot.com

.
(((((((((((((((((((((((((   Files Created from 2008-11-18 to 2008-12-18  )))))))))))))))))))))))))))))))
.

2008-12-18 00:13 . 2008-12-18 00:13   <DIR>   d--------   c:\program files\Alwil Software
2008-12-18 00:05 . 2008-12-18 00:05   <DIR>   d--------   C:\KitTorrent
2008-12-18 00:02 . 2008-12-18 00:18   <DIR>   d--------   C:\(Any Video Convertor) (Many Formats..)
2008-12-17 23:13 . 2008-12-17 23:13   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avg7
2008-12-16 23:54 . 2008-12-16 23:54   <DIR>   d--------   c:\documents and settings\Owner\.thumbnails
2008-12-16 23:01 . 2008-12-17 23:21   <DIR>   d--------   c:\documents and settings\Owner\.gimp-2.2
2008-12-16 23:00 . 2008-12-16 23:00   <DIR>   d--------   c:\program files\GIMP-2.0
2008-12-16 22:59 . 2008-12-16 22:59   <DIR>   d--------   c:\program files\Common Files\GTK
2008-12-16 18:31 . 2008-12-16 18:31   260   --a------   c:\windows\_delis32.ini
2008-12-16 17:33 . 2008-12-16 17:33   <DIR>   d--------   c:\program files\Microsoft Office 2003 - Word-Excel-Powerpoint-Outlook
2008-12-16 03:20 . 2008-12-16 03:20   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-16 03:20 . 2008-12-16 03:20   1,409   --a------   c:\windows\QTFont.for
2008-12-16 00:52 . 2008-12-16 00:52   <DIR>   d--------   c:\program files\Microsoft Works
2008-12-16 00:51 . 2008-12-16 00:51   <DIR>   d--------   c:\program files\MSBuild
2008-12-16 00:50 . 2008-12-16 00:50   <DIR>   d--------   c:\program files\Microsoft.NET
2008-12-16 00:44 . 2008-12-16 00:45   <DIR>   d--------   c:\program files\Microsoft Visual Studio 8
2008-12-16 00:43 . 2008-12-17 18:49   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 00:42 . 2008-12-16 00:42   <DIR>   dr-h-----   C:\MSOCache
2008-12-16 00:24 . 2008-12-16 00:38   <DIR>   d--------   c:\program files\MsOffice2007
2008-12-15 23:43 . 2008-12-15 23:43   <DIR>   d--------   c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-15 23:19 . 2008-12-15 23:19   26,944   --a------   c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-12-15 09:29 . 2008-12-15 09:29   <DIR>   d--------   c:\program files\McAfee Total Protection 2008 (Retail)-HeartBug
2008-12-14 22:43 . 2008-12-14 22:45   <DIR>   d--------   c:\program files\Gimp+Brushes
2008-12-14 01:17 . 2008-12-17 23:12   <DIR>   d--------   c:\program files\Winamp
2008-12-14 01:17 . 2008-12-16 06:19   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Winamp
2008-12-14 01:13 . 2008-12-14 01:13   <DIR>   d--------   c:\program files\Combined Community Codec Pack
2008-12-13 15:40 . 2008-12-13 15:40   <DIR>   d--------   c:\program files\Gabest
2008-12-13 12:07 . 2008-12-18 00:14   478   --a------   c:\windows\ODBC.INI
2008-12-13 12:01 . 2008-12-16 00:58   <DIR>   d--------   c:\windows\ShellNew
2008-12-13 11:52 . 2008-12-13 11:52   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-13 11:52 . 2005-12-08 13:56   65,536   --a------   c:\windows\system32\QuickTimeVR.qtx
2008-12-13 11:52 . 2005-12-08 13:56   49,152   --a------   c:\windows\system32\QuickTime.qts
2008-12-13 11:50 . 2008-12-13 11:50   <DIR>   d--------   c:\windows\Downloaded Installations
2008-12-13 11:48 . 1998-10-29 16:45   306,688   --a------   c:\windows\IsUninst.exe
2008-12-13 11:41 . 2008-12-13 11:41   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Media Player Classic
2008-12-13 11:40 . 2008-12-13 11:41   <DIR>   d--------   c:\documents and settings\Owner\Application Data\bsplayer
2008-12-13 11:39 . 2008-12-13 11:53   <DIR>   d--------   c:\program files\K-Lite Codec Pack
2008-12-13 11:36 . 2008-12-13 11:36   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Ahead
2008-12-13 11:26 . 2008-12-13 11:26   <DIR>   d--------   c:\program files\Power Video Converter
2008-12-13 11:25 . 2008-12-14 22:23   <DIR>   d--------   c:\program files\Common Files\Adobe
2008-12-13 11:21 . 2008-12-13 11:21   85,504   -rahs----   c:\windows\system32\vbsdfe1.dll
2008-12-13 11:18 . 2008-12-13 11:18   <DIR>   d--------   c:\windows\Cache
2008-12-13 11:11 . 2008-12-13 11:51   <DIR>   d--------   c:\program files\QuickTime
2008-12-13 11:11 . 1999-11-10 11:05   86,016   --a------   c:\windows\unvise32qt.exe
2008-12-12 04:03 . 2008-12-12 04:03   <DIR>   d--------   c:\program files\SmartSound Software Inc
2008-12-12 00:22 . 2004-06-10 08:31   135,168   -ra------   c:\windows\UNDPX2A.exe
2008-12-12 00:22 . 2004-06-10 08:34   53,693   -ra------   c:\windows\UNDPX2A.sys
2008-12-12 00:22 . 2004-06-09 17:42   15,429   -ra------   c:\windows\system32\drivers\Sacm2A.sys
2008-12-12 00:19 . 2008-12-12 00:19   0   --a------   c:\windows\nsreg.dat
2008-12-12 00:08 . 2002-03-11 07:18   151,552   -ra------   c:\windows\system32\igfxres.dll
2008-12-12 00:05 . 2000-10-20 04:28   765,952   -ra------   c:\windows\system\crlds3d.dll
2008-12-12 00:05 . 2001-11-22 22:08   712,704   -ra------   c:\windows\system32\Audio3D.dll
2008-12-12 00:05 . 2001-11-22 22:08   712,704   -ra------   c:\windows\system32\a3d.dll
2008-12-12 00:05 . 2002-04-15 03:53   421,888   -ra------   c:\windows\system\cmicnfg.cpl
2008-12-12 00:05 . 2002-04-21 22:36   407,439   -ra------   c:\windows\system32\drivers\cmuda.sys
2008-12-12 00:05 . 2002-02-27 00:08   28,672   -ra------   c:\windows\system32\udaprop.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 09:25   85,504   --sh--r   c:\windows\system32\vbsdfe0.dll
2008-12-18 09:25   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 09:04   ---------   d-----w   c:\documents and settings\Owner\Application Data\uTorrent
2008-12-16 23:35   113,878   --sha-r   c:\windows\system32\vamsoft.exe
2008-12-12 05:46   ---------   d-----w   c:\program files\Windows Media Connect 2
2008-12-12 05:46   ---------   d-----w   c:\program files\NotePad++
2008-12-12 05:46   ---------   d-----w   c:\program files\Foxit
2008-12-11 21:46   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-12-11 21:45   ---------   d-----w   c:\program files\Common Files\InstallShield
2008-12-11 21:42   ---------   d-----w   c:\program files\Pinnacle Systems
2008-12-11 21:34   ---------   d-----w   c:\program files\DAP
2008-12-11 21:33   ---------   d-----w   c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-11 20:01   ---------   d-----w   c:\program files\Pinnacle
2008-12-11 19:39   ---------   d-----w   c:\documents and settings\All Users\Application Data\Pinnacle
2008-12-11 19:29   ---------   d-----w   c:\program files\TC
2008-12-11 19:19   ---------   d-----w   c:\program files\uTorrent
2008-12-11 19:19   ---------   d-----w   c:\program files\Google
2008-12-11 19:17   50,688   ----a-w   c:\windows\system32\wbhelp2.dll
2008-12-11 19:10   ---------   d-----w   c:\program files\MiraScan
2008-12-11 19:00   ---------   d-----w   c:\program files\Ahead
2008-12-11 19:00   ---------   d-----w   c:\documents and settings\All Users\Application Data\Ahead
2008-12-11 18:59   ---------   d-----w   c:\program files\Common Files\Nero
2008-12-11 18:57   ---------   d-----w   c:\program files\Common Files\Ahead
2008-11-20 02:03   106,383   --sh--r   C:\6fnlpetp.exe
2006-12-13 10:12   66,648   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 10:12   54,352   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 10:12   34,928   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 10:12   46,696   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 10:12   172,120   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2007-02-20 00:44  665088  3ffa1573fc274e5aa7467d03941c45ee   c:\windows\ie7\wininet.dll
2007-01-12 09:27  822784  be43d00d802c92f01c8cc952c6f483f8   c:\windows\system32\wininet.dll
2007-01-12 09:27  822784  be43d00d802c92f01c8cc952c6f483f8   c:\windows\system32\dllcache\wininet.dll

2007-02-20 00:45  360704  253e84b9c0f0d9cd42e0892413d69daa   c:\windows\system32\drivers\tcpip.sys

2007-02-05 09:37  2197760  c0a57196e32e2a04724b3fc52a85ad6a   c:\windows\system32\ntoskrnl.exe

2007-02-16 14:25  1403392  cd755f94692db3fb4c6642b075bdd683   c:\windows\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vamsoft"="c:\windows\system32\vamsoft.exe" [2008-12-16 113878]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-18 68856]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-12-11 3114496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-03-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-03-11 106496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-01-08 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ipktzv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP31"= vp31vfw.dll
"VIDC.FFDS"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2008-12-11 180480]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a59e0d0-ca46-11dd-b251-c79340ca48d0}]
\Shell\AutoRun\command - G:\abk.bat
\Shell\explore\Command - G:\abk.bat
\Shell\open\Command - G:\abk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34ff4730-ca5b-11dd-b252-001ac35bf8a1}]
\Shell\AutoRun\command - G:\abk.bat
\Shell\explore\Command - G:\abk.bat
\Shell\open\Command - G:\abk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65407264-cc63-11dd-b257-001ac35bf8a1}]
\Shell\AutoRun\command - G:\p1y2.cmd
\Shell\explore\Command - G:\p1y2.cmd
\Shell\open\Command - G:\p1y2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15a9bc0-cb45-11dd-b254-001ac35bf8a1}]
\Shell\AutoRun\command - G:\h3.bat
\Shell\explore\Command - G:\h3.bat
\Shell\open\Command - G:\h3.bat
.
- - - - ORPHANS REMOVED - - - -

BHO-{5A786FCA-0B26-43B1-B59F-749F6996C345} - c:\windows\system32\wvUlmmnM.dll
BHO-{66f065b6-4833-4a45-951c-a45079def343} - c:\windows\system32\ipktzv.dll
BHO-{8EA86503-476F-476A-A55A-7225082DF3EB} - c:\windows\system32\ljJYOhHx.dll
HKLM-Run-Cmaudio - cmicnfg.cpl
ShellExecuteHooks-{8EA86503-476F-476A-A55A-7225082DF3EB} - c:\windows\system32\ljJYOhHx.dll
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com/
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 03:25:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-18  3:26:48 - machine was rebooted
ComboFix-quarantined-files.txt  2008-12-18 09:26:46

Pre-Run: 7,171,162,112 bytes free
Post-Run: 7,480,913,920 bytes free

263
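As a defender's triage aid added here (not code from this thread or from any of the tools it mentions), the Python script below parses HijackThis lines in the format of the first post and the MountPoints2 block in the format of the ComboFix log above, and flags the four load points this infection used: the extra UserInit executable (twext.exe), the AppInit_DLLs injection (ipktzv.dll), per-user Run entries pointing at unknown binaries in system32 (kamsoft.exe, vamsoft.exe), and the cached autorun handlers that point back at G:\abk.bat. The sample lines are constructed from values on this page, and the system32 allowlist is an assumption you would extend for your own environment.

```python
import re

# Constructed sample lines in the format of the HijackThis log quoted in the first post
# of this thread (twext.exe, kamsoft.exe, vamsoft.exe and ipktzv.dll appear in that log).
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O20 - AppInit_DLLs: ipktzv.dll
""".strip().splitlines()

# Constructed excerpt in the format of the ComboFix "Reg Loading Points" section in this
# thread; the MountPoints2 key and the G:\abk.bat handler mirror that log.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ipktzv.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a59e0d0-ca46-11dd-b251-c79340ca48d0}]
\Shell\AutoRun\command - G:\abk.bat
\Shell\explore\Command - G:\abk.bat
\Shell\open\Command - G:\abk.bat
""".strip().splitlines()

# Assumed allowlist: system32 binaries that legitimately sit in Run keys on XP-era machines.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe"}

# O4 - HKCU\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def _exe_path(command):
    """Strip surrounding quotes and trailing arguments from a Run-key command."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" /", 1)[0].split(" -", 1)[0]


def triage_hijackthis(lines):
    """Return (indicator, detail) pairs for the load points abused in this thread."""
    findings = []
    for line in (l.strip() for l in lines):
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # UserInit should list only userinit.exe; anything else runs at every logon.
            value = line.split("UserInit=", 1)[1]
            for exe in value.split(","):
                if exe and not exe.lower().endswith("\\userinit.exe"):
                    findings.append(("userinit_extra", exe))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # A non-empty AppInit_DLLs value is loaded into every process that maps user32.dll.
            dlls = line.split(":", 1)[1].strip()
            if dlls:
                findings.append(("appinit_dll", dlls))
        else:
            m = O4_RE.match(line)
            if m and m.group(1) == "HKCU":
                exe = _exe_path(m.group(3))
                name = exe.rsplit("\\", 1)[-1].lower()
                # Per-user autostart of an unknown binary dropped into system32 is the
                # pattern behind kamsoft.exe / vamsoft.exe in this thread.
                if "\\system32\\" in exe.lower() and name not in KNOWN_SYSTEM32_RUN:
                    findings.append(("hkcu_run_system32", name))
    return findings


def find_autorun_handlers(lines):
    """Return (volume_guid, verb, target) for Shell verbs cached under MountPoints2.

    Explorer caches the verbs from a removable drive's autorun.inf here, so opening the
    drive letter (G: in this thread) runs the cached script instead of browsing the drive.
    """
    handlers = []
    key = None
    for line in (l.strip() for l in lines):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "mountpoints2" in key.lower() and line.lower().startswith("\\shell\\") and " - " in line:
            verb_path, target = line.split(" - ", 1)
            verb = verb_path.split("\\")[2]  # \Shell\<verb>\command
            handlers.append((key.rsplit("\\", 1)[-1], verb, target.strip()))
    return handlers


if __name__ == "__main__":
    for indicator, detail in triage_hijackthis(HJT_SAMPLE):
        print("HJT  %-18s %s" % (indicator, detail))
    for guid, verb, target in find_autorun_handlers(COMBOFIX_SAMPLE):
        print("MP2  %s %-8s -> %s" % (guid, verb, target))
```

The same checks apply to a live system by reading the corresponding registry values (UserInit under Winlogon, AppInit_DLLs under Windows, and HKCU\...\Explorer\MountPoints2) instead of a saved log.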

Offline Arpan

« Reply #7 on: December 17, 2008, 05:19:22 PM »
Is my computer safe now? Do I still need to do anything?
Please reply...

Offline guestolo

« Reply #8 on: December 17, 2008, 05:42:41 PM »
Can you still do the following?

Download OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt3.exe to run it.
  • Copy the entries below in Blue to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
    ================================================
    :Processes
    explorer.exe
    VistaDrive.exe
    :Services
    :Reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vamsoft"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VistaDrive"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a59e0d0-ca46-11dd-b251-c79340ca48d0}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34ff4730-ca5b-11dd-b252-001ac35bf8a1}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65407264-cc63-11dd-b257-001ac35bf8a1}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15a9bc0-cb45-11dd-b254-001ac35bf8a1}]
    :Files
    c:\windows\VistaDrive
    c:\windows\system32\vamsoft.exe
    c:\windows\system32\vbsdfe0.dll
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    ======================================================
  • Return to OTMoveIt3, right-click on the "Paste List of Files/Folders to be Moved" window  and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt when it has completed.
Note: If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

If prompted on startup to run OTMoveIt again, allow it please.

A log should open; I'll need to see it later.
If no log opens, OTMoveIt would have created a log at this location:
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- indicates date_time of log

NEXT: Do the following.
If you haven't installed any Anti-Virus software yet, don't do it yet; if you have, temporarily disable it.
Then, download the latest version of Kaspersky Virus Removal Tool.
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active) if prompted.
  • After the scan finishes, if any threat remains in the Scan window (red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands a system reboot, click the OK button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste only the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
With the AVPT.txt file, can you also include the log from OTMoveIt3 and a fresh HijackThis log?


EDIT>> If you are transferring tools to this computer, please ensure you place them on the infected computer's desktop before running them.
« Last Edit: December 17, 2008, 05:46:38 PM by guestolo »



Offline Arpan

« Reply #9 on: December 19, 2008, 12:12:15 AM »
I am sorry to be so late in completing the task you had given. Hope you are still around!
First I have put up the report from the Kaspersky antivirus tool.

Scan
----
Scanned:   433446
Detected:   20
Untreated:   0
Start time:   12/18/2008 1:46:00 PM
Duration:   06:11:01
Finish time:   12/18/2008 7:57:01 PM


Detected
--------
Status   Object
------   ------
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh   File: E:\6fnlpetp.exe
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh   File: C:\6fnlpetp.exe
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh   File: D:\6fnlpetp.exe
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh   File: C:\Qoobox\Quarantine\C\abk.bat.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\kamsoft.exe.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh   File: C:\Qoobox\Quarantine\C\h3.bat.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.akuh   File: C:\Qoobox\Quarantine\C\p1y2.cmd.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.akva   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasretyw0.dll.vir
deleted: Trojan program Trojan-GameThief.Win32.Magania.anvg   File: C:\_OTMoveIt\MovedFiles\12182008_131830\windows\system32\vbsdfe0.dll
deleted: Trojan program Trojan-GameThief.Win32.Magania.anvg   File: C:\WINDOWS\system32\vbsdfe1.dll
deleted: Trojan program Trojan-GameThief.Win32.OnLineGames.tywl   File: C:\_OTMoveIt\MovedFiles\12182008_131830\windows\system32\vamsoft.exe
deleted: Trojan program Trojan.Win32.Agent.avwp   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\lbjiyx.dll.vir
deleted: Trojan program Trojan.Win32.Agent.avwp   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\uduymubw.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnmkjiI.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGaxwvt.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGyvuRk.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXOEwXR.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyxXRkL.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen   File: C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJYOhHx.dll.vir
deleted: Trojan program Trojan.Win32.Monder.gen   File: D:\Softwares\Microsoft Office 2003 - Word-Excel-Powerpoint-Outlook\Microsoft Office 2003 - Word-Excel-Powerpoint-Outlook.EXE//data0000.cab/is154858.exe



Now, it is the OTMoveIt log.

========== PROCESSES ==========
Process explorer.exe killed successfully.
Process VistaDrive.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vamsoft deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VistaDrive deleted successfully.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a59e0d0-ca46-11dd-b251-c79340ca48d0}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34ff4730-ca5b-11dd-b252-001ac35bf8a1}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65407264-cc63-11dd-b257-001ac35bf8a1}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c15a9bc0-cb45-11dd-b254-001ac35bf8a1}\\ deleted successfully.
========== FILES ==========
c:\windows\VistaDrive moved successfully.
c:\windows\system32\vamsoft.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\vbsdfe0.dll
c:\windows\system32\vbsdfe0.dll NOT unregistered.
c:\windows\system32\vbsdfe0.dll moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12182008_131830

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\XUL.mfl moved successfully.




Finally, a fresh HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:28 PM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Softwares\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

--
End of file - 3733 bytes

guestolo (Site Donator, Administrator, Hero Member)
Help needed
« Reply #10 on: December 19, 2008, 12:43:38 AM »
That's looking better
Can you do the following
Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Kaspersky's Virus Removal tool is no replacement for a Resident up to date Virus Scanner installed on your computer
And you should have already removed Kaspersky's

Can you do the following please
Go here and download your Free version of Avira AntiVir
http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935
Save the installer to desktop

Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take a while, but allow it time

NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it

A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"

Quarantine or delete everything it finds
When the scan is finished
Reboot the computer
Back in Windows
Can you post all the following back please:
1. Post a fresh hijackthis log
2. Please post the log from Avira
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"

Let me also know how things are now running

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Arpan (Jr. Member)
Help needed
« Reply #11 on: December 19, 2008, 01:10:00 PM »
In your other posts you have ranked Avira antivirus as third after Avast and AVG. If that is the case, then why are you asking me to install Avira?

guestolo (Site Donator, Administrator, Hero Member)
Help needed
« Reply #12 on: December 19, 2008, 01:21:28 PM »
Quote
other posts you have ranked avira antivirus as third after avast and avg. If that is the case, then why are you asking me to install avira?

I never ranked it 3rd, but you don't need to install it, I really like Avira
Try Avast if you like
Avast is another great AntiVirus
I've been hesitant with AVG, as it has slowed some computers down

I put Avira and Avast as my favorite free AVs
AVG right below them, it got a bit bloated

They all have a free version, as I indicated here
http://www.thetechguide.com/forum/index.php?showtopic=15894

NOTE: I have Avira, 3rd on that list>>Alphabetical
Decide which you want to try, ONLY install one, the AVG 7.5 version you were going to install earlier will not be supported early in the New Year
The newest is AVG8

After you are sure your product is updated, run a complete scan
Reboot afterwards
Come back and post a fresh Hijackthis log and keep me informed how things are running

Arpan (Jr. Member)
Help needed
« Reply #13 on: December 19, 2008, 01:39:32 PM »
Certainly I will keep you posted. As of now it is looking better than before. No more windows are getting opened automatically, e.g. Firefox.
But I am not quite sure about the Windows Explorer problem. I have opened it right now. I will wait for the result. If it closes down itself abruptly, I will let you know.

Hey, thanks for helping me through. I really appreciate it. Please don't mind my last post. Actually I have had many suggestions about a number of AV programs from numerous people around me and I was quite bugged with that. When I read your other posts, somewhere you had written this thing, but that could be in context with some other problem. I can understand that you are helping so many people here and I shouldn't have said it to you this way. I'm sorry.

guestolo (Site Donator, Administrator, Hero Member)
Help needed
« Reply #14 on: December 19, 2008, 02:27:53 PM »
I forgot to ask earlier
Your custom install of XP

Did you purposely set the following
In the START menu, did you purposely set it so the "Set Program Access and Defaults" link is missing?

In the Windows Control Panel
Did you purposely set it to force a Classic View of the Control Panel?

Run your virus scanner first, then give me the info above with a fresh Hijackthis log please
« Last Edit: December 19, 2008, 02:28:50 PM by guestolo »

Arpan (Jr. Member)
Help needed
« Reply #15 on: December 19, 2008, 03:47:46 PM »
I got this copy of Windows from my friend. I have not customized anything in this except for the Control Panel's Classic View. I did this because I was unable to find Add/Remove Programs in the other view.

See, I haven't changed anything in the Start menu as far as I can understand. I didn't get your question about Start menu customization, so if there is anything you want to know further, can you ask me in a little more detail, so that I can answer you better.



Now here is Avira's log file:



Avira AntiVir Personal
Report file date: Sunday, December 21, 2008  01:05

Scanning for 1106377 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    COMPUTER2007

Version information:
BUILD.DAT     : 8.2.0.337      16934 Bytes  11/18/2008 13:05:00
AVSCAN.EXE    : 8.1.4.10      315649 Bytes  11/18/2008 15:21:26
AVSCAN.DLL    : 8.1.4.0        40705 Bytes   5/26/2008 14:56:40
LUKE.DLL      : 8.1.4.5       164097 Bytes   6/12/2008 19:44:19
LUKERES.DLL   : 8.1.4.0        12033 Bytes   5/26/2008 14:58:52
ANTIVIR0.VDF  : 7.1.0.0     15603712 Bytes  10/27/2008 18:30:36
ANTIVIR1.VDF  : 7.1.0.197    1170432 Bytes   12/7/2008 06:55:46
ANTIVIR2.VDF  : 7.1.0.250     342528 Bytes  12/18/2008 06:57:32
ANTIVIR3.VDF  : 7.1.1.14       95232 Bytes  12/19/2008 06:57:58
Engineversion : 8.2.0.45  
AEVDF.DLL     : 8.1.0.6       102772 Bytes  10/14/2008 17:05:56
AESCRIPT.DLL  : 8.1.1.19      336252 Bytes  12/21/2008 07:02:19
AESCN.DLL     : 8.1.1.5       123251 Bytes   11/7/2008 22:06:41
AERDL.DLL     : 8.1.1.3       438645 Bytes   11/4/2008 20:58:38
AEPACK.DLL    : 8.1.3.4       393591 Bytes  11/11/2008 16:41:39
AEOFFICE.DLL  : 8.1.0.33      196987 Bytes  12/21/2008 07:01:58
AEHEUR.DLL    : 8.1.0.75     1524087 Bytes  12/21/2008 07:00:55
AEHELP.DLL    : 8.1.2.0       119159 Bytes  12/21/2008 06:58:40
AEGEN.DLL     : 8.1.1.8       323956 Bytes  12/21/2008 06:58:34
AEEMU.DLL     : 8.1.0.9       393588 Bytes  10/14/2008 17:05:56
AECORE.DLL    : 8.1.5.2       172405 Bytes  12/21/2008 06:58:12
AEBB.DLL      : 8.1.0.3        53618 Bytes  10/14/2008 17:05:56
AVWINLL.DLL   : 1.0.0.12       15105 Bytes    7/9/2008 15:40:05
AVPREF.DLL    : 8.0.2.0        38657 Bytes   5/16/2008 16:28:01
AVREP.DLL     : 8.0.0.2        98344 Bytes   7/31/2008 19:02:15
AVREG.DLL     : 8.0.0.1        33537 Bytes    5/9/2008 18:26:40
AVARKT.DLL    : 1.0.0.23      307457 Bytes   2/12/2008 15:29:23
AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes   6/12/2008 19:27:49
SQLITE3.DLL   : 3.3.17.1      339968 Bytes   1/23/2008 00:28:02
SMTPLIB.DLL   : 1.2.0.23       28929 Bytes   6/12/2008 19:49:40
NETNT.DLL     : 8.0.0.1         7937 Bytes   1/25/2008 19:05:10
RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes   6/12/2008 20:48:07
RCTEXT.DLL    : 8.0.52.0       86273 Bytes   6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, December 21, 2008  01:05

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'uTorrent.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'googletalk.exe' - '1' Module(s) have been scanned
Scan process 'YahooMessenger.exe' - '1' Module(s) have been scanned
Scan process 'DataLayer.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'LaunchApplication.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'DAP.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!
Boot sector 'D:\'
    [INFO]      No virus was found!
Boot sector 'E:\'
    [INFO]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '48' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
    [WARNING]   The file could not be opened!
C:\New Folder\McAfee Total Protection 2008 (Retail)-HeartBug\en-AU\Acroread\AcroRead.exe
    [0] Archive type: CAB SFX (self extracting)

      --> \Data1.cab
        [1] Archive type: CAB (Microsoft)
        --> VDK10.RSD
          [WARNING]   No further files can be extracted from this archive. The archive will be closed
    --> \instmsiw.exe
      [WARNING]   No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Adobe\keygen.exe
    [DETECTION] Is the TR/Agent.59904.B Trojan
    [NOTE]      The file was moved to '49c6ec9e.qua'!
C:\Program Files\Adobe\Adobe Photoshop CS2\keygen.exe
    [DETECTION] Is the TR/Agent.59904.B Trojan
    [NOTE]      The file was moved to '49c6ed06.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\gmurftjy.dll.vir
    [DETECTION] Is the TR/Vundo.Gen.6.26 Trojan
    [NOTE]      The file was moved to '49c2f0ae.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ipktzv.dll.vir
    [DETECTION] Is the TR/Vundo.Gen.6.26 Trojan
    [NOTE]      The file was moved to '49b8f0b4.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUlmmnM.dll.vir
    [DETECTION] Is the TR/Vundo.Gen.6.17 Trojan
    [NOTE]      The file was moved to '49a2f0be.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\yopxrhnr.dll.vir
    [DETECTION] Is the TR/Vundo.Gen.6.25 Trojan
    [NOTE]      The file was moved to '49bdf0ba.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP10\A0001165.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df091.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP10\A0001171.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df099.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP11\A0001360.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df09f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP11\A0001366.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc6d8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP12\A0001478.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0a3.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP12\A0001484.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeafc.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0001580.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0a9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0001586.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0aa.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002148.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df0b8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002149.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeae1.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002150.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0b9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002151.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeae2.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP15\A0002162.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0ba.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP15\A0002166.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeae3.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002228.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0be.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002235.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeae7.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002395.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df0c5.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002396.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea9e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002397.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0c7.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002398.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea90.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002419.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0c6.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002420.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '48fdea9f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002421.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0c9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002423.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea92.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002439.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0c8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002445.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea91.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002485.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df0ca.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002486.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea93.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002493.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0cc.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002496.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0cb.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002502.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE]      The file was moved to '48fdea94.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP18\A0002518.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea95.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP18\A0002524.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0ce.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002566.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea97.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002572.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0cf.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002600.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df0d0.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002601.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea89.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002602.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d2.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002603.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d1.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003598.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '48fdea8a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003599.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d3.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003600.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea8c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003601.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea8b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP2\A0000758.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d5.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP2\A0000764.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea8e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003613.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d7.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003619.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d4.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003632.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '48fdea8d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003633.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea80.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003634.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003635.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea82.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003645.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d6.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003652.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea8f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003668.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df0db.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003669.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea84.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003670.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0dd.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003671.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0d8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003688.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdea81.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003734.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE]      The file was moved to '48fdea86.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP21\A0003737.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0dc.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP21\A0003738.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '48fdea85.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP21\A0003739.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df0df.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0003760.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeab8.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004421.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df100.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004422.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb59.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004424.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df102.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004425.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df101.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004444.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb5b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004445.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE]      The file was moved to '497df104.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP23\A0004446.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df103.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP23\A0004452.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb5c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP24\A0004457.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb5d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP24\A0004463.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df106.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0004467.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df105.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0004473.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb5f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005419.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df138.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005420.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df107.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005422.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb50.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005425.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df109.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005439.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df108.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006419.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '48fdeb52.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006420.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df10b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006422.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb54.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006423.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df10a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006446.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df10d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006447.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb56.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006453.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df10c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006459.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb55.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP26\A0006466.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df10f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP26\A0006467.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb48.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006485.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df111.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006494.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df110.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006496.dll
    [DETECTION] Is the TR/Vundo.Gen.6.20 Trojan
    [NOTE]      The file was moved to '48fdeb4a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006501.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df112.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006502.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc76b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006504.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df114.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006510.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df113.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0007500.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '48fcc76c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0007501.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df115.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0007509.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc76d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0008501.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '48fcc76e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0008502.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df117.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0008504.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc760.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0008510.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df116.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP28\A0008590.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df11b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP28\A0008596.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc764.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0008603.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df11f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0008609.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc758.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0008635.exe
    [DETECTION] Is the TR/Crypt.FKM.Gen Trojan
    [NOTE]      The file was moved to '497df122.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009523.exe
    [DETECTION] Is the TR/Crypt.FKM.Gen Trojan
    [NOTE]      The file was moved to '497df127.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009536.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df128.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009537.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc751.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009539.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df129.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0009540.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc752.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0010503.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df12b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0010504.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df12a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0010505.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc753.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0010511.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df12c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0011501.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc754.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0011502.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df12d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0011504.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc756.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0011510.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc755.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0012501.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df12e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0012502.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df12f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0012505.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc748.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0012511.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc757.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013501.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df120.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013502.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df131.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013504.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc74a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013593.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df137.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013594.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc740.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013597.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc741.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP29\A0013603.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df13a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP3\A0000767.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df13c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP3\A0000775.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc745.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013640.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df13d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013644.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df13e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013671.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df140.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013673.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df141.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013678.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc73a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013680.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df142.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013681.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc73b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013692.dll
    [DETECTION] Is the TR/Vundo.HO Trojan
    [NOTE]      The file was moved to '497df144.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013694.dll
    [DETECTION] Is the TR/Vundo.Gen.6.26 Trojan
    [NOTE]      The file was moved to '497df143.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013695.dll
    [DETECTION] Is the TR/Vundo.HO Trojan
    [NOTE]      The file was moved to '48fcc73c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013696.dll
    [DETECTION] Is the TR/Vundo.HO Trojan
    [NOTE]      The file was moved to '48fcc73d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013697.dll
    [DETECTION] Is the TR/Vundo.Gen.6.26 Trojan
    [NOTE]      The file was moved to '497df146.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013698.dll
    [DETECTION] Is the TR/Vundo.Gen.6.18 Trojan
    [NOTE]      The file was moved to '48fcc73f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013699.dll
    [DETECTION] Is the TR/Vundo.HO Trojan
    [NOTE]      The file was moved to '497df145.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013700.dll
    [DETECTION] Is the TR/Vundo.HO Trojan
    [NOTE]      The file was moved to '48fcc73e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013702.dll
    [DETECTION] Is the TR/Vundo.Gen.6.18 Trojan
    [NOTE]      The file was moved to '48fcc743.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013703.dll
    [DETECTION] Is the TR/Vundo.Gen.6.17 Trojan
    [NOTE]      The file was moved to '48fcc747.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013704.dll
    [DETECTION] Is the TR/Vundo.HO Trojan
    [NOTE]      The file was moved to '497df130.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013705.dll
    [DETECTION] Is the TR/Vundo.Gen.6.25 Trojan
    [NOTE]      The file was moved to '497df147.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013718.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df148.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013776.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df14c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013777.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fcc735.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0013778.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df14d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0014776.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df14e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0014785.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdeb17.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP30\A0015785.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df14f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0016785.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df151.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0018054.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df186.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0018074.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df188.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0018075.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdebd1.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP31\A0018076.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df18a.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP34\A0018209.exe
    [DETECTION] Is the TR/Agent.59904.B Trojan
    [NOTE]      The file was moved to '497df192.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP34\A0018210.exe
    [DETECTION] Is the TR/Agent.59904.B Trojan
    [NOTE]      The file was moved to '48fdebcb.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP4\A0000790.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df195.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP4\A0000796.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdebce.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP5\A0000800.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df196.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP5\A0000806.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df197.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP5\A0000862.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df19b.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP5\A0000864.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdebc4.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000919.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df19c.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000920.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdebc5.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000937.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '497df19d.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000938.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdebc6.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000939.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df19f.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP6\A0000940.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df19e.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0000955.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdebc7.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0000956.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df190.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0001046.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df1a4.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0001047.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE]      The file was moved to '48fdebfd.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0001048.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df1a5.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP7\A0001049.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdebfe.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP8\A0001106.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df1a9.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP8\A0001112.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df1aa.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP9\A0001116.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdebf3.qua'!
C:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP9\A0001122.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df1ab.qua'!
Begin scan in 'D:\'
D:\Softwares\fire-movie.v.3.137.exe
  • Archive type: NSIS
    --> ProgramFilesDir/jah31371.exe
      [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '49bff397.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP1\A0000751.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df448.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP10\A0001167.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee11.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP10\A0001172.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df449.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP11\A0001362.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee12.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP11\A0001367.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df44b.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP12\A0001480.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df44a.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP12\A0001485.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee13.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0001582.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df44c.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0001587.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee14.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002153.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df44d.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP14\A0002154.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee16.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP15\A0002164.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee15.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP15\A0002168.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df44e.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002231.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee17.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002236.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df440.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002400.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df44f.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002401.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee08.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002424.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee19.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002425.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df442.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002441.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee1b.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002446.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df451.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002495.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee0a.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP17\A0002498.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df453.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP18\A0002520.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df450.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP18\A0002525.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee09.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002568.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df452.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002573.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee0b.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002605.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee0c.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0002606.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df455.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003603.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee0e.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP19\A0003604.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df454.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP2\A0000760.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee0d.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP2\A0000765.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df456.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003615.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df457.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003620.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee00.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003637.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df459.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003638.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee0f.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003675.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df444.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP20\A0003676.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee1d.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP21\A0003741.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee02.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0003762.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df45b.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004427.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee04.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP22\A0004428.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df446.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP23\A0004448.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee1f.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP23\A0004453.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df478.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP24\A0004459.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df45d.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP24\A0004464.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee06.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0004469.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df45f.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0004474.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df458.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005424.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee01.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0005427.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df45a.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006425.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee03.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006426.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee38.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006455.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df461.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP25\A0006460.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee3a.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP26\A0006469.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df45c.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP26\A0006474.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '48fdee05.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006487.bat
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '497df45e.qua'!
D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006488.cmd
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]
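
The Avira report quoted above (and the keygen hits quoted later in the thread) follow a fixed three-line pattern per hit: a file path, a `[DETECTION]` line naming the signature, and a `[NOTE]` line naming the quarantine file. The Python script below is an added example, not part of the thread and not an Avira tool. It parses a constructed sample in that format, tolerates a final entry cut off after `[NOTE]` (as the quoted log is), and summarises hits by detection name and by System Restore point (`RPnn`), which separates old copies sitting inside restore-point snapshots from live files such as the keygen under Program Files. The names `SAMPLE_REPORT_LINES`, `Finding`, `parse_report` and `summarize` are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample in the three-line Avira report format quoted in the thread
# (a handful of entries, not the full log). The last entry is deliberately cut
# off after "[NOTE]", as the quoted log on the page is, to exercise that case.
SAMPLE_REPORT_LINES = [
    r"D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002401.exe",
    r"    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan",
    r"    [NOTE]      The file was moved to '48fdee08.qua'!",
    r"D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP16\A0002424.bat",
    r"    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan",
    r"    [NOTE]      The file was moved to '48fdee19.qua'!",
    r"C:\Program Files\Adobe\keygen.exe",
    r"    [DETECTION] Is the TR/Agent.59904.B Trojan",
    r"    [NOTE]      The file was moved to '49c6ec9e.qua'!",
    r"D:\System Volume Information\_restore{50A50E2F-FDB3-48B3-9610-0A6A7A4FFEFA}\RP27\A0006488.cmd",
    r"    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan",
    r"    [NOTE]",
]

# "[DETECTION] Is the <name> Trojan": the signature name is the token after "Is the".
DETECTION_RE = re.compile(r"^\s+\[DETECTION\]\s+Is the (?P<name>\S+)")
# "[NOTE] The file was moved to '<x>.qua'!"; the quarantine name is optional so a
# bare "[NOTE]" line (truncated log) still matches, with the group left empty.
NOTE_RE = re.compile(r"^\s+\[NOTE\]\s*(?:The file was moved to '(?P<qua>[^']+)'!)?")
# Windows System Restore snapshot folder: \_restore{GUID}\RPnn\
RESTORE_POINT_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\")


@dataclass
class Finding:
    """One hit from the report: path, signature name and quarantine file (if any)."""
    path: str
    detection: Optional[str] = None
    quarantine_file: Optional[str] = None  # None when the NOTE line is missing or truncated

    @property
    def restore_point(self) -> Optional[str]:
        m = RESTORE_POINT_RE.search(self.path)
        return m.group("rp") if m else None

    @property
    def in_restore_point(self) -> bool:
        return self.restore_point is not None


def parse_report(lines: Iterable[str]) -> List[Finding]:
    """Group report lines into Finding records.

    A line that does not start with whitespace is a file path and opens a new
    record; indented lines are details belonging to the most recent path.
    """
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if not line[0].isspace():
            current = Finding(path=line.strip())
            findings.append(current)
            continue
        if current is None:
            continue  # detail line before any path; nothing to attach it to
        m = DETECTION_RE.match(line)
        if m:
            current.detection = m.group("name")
            continue
        m = NOTE_RE.match(line)
        if m:
            current.quarantine_file = m.group("qua")
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts by signature and restore point, plus the hits that need a closer look."""
    return {
        "total": len(findings),
        "by_detection": dict(Counter(f.detection for f in findings if f.detection)),
        "by_restore_point": dict(Counter(f.restore_point for f in findings if f.in_restore_point)),
        # Hits outside System Restore snapshots are files on the live system.
        "live_files": [f.path for f in findings if not f.in_restore_point],
        # Hits whose NOTE line never confirmed a quarantine move.
        "not_quarantined": [f.path for f in findings if f.quarantine_file is None],
    }


def main() -> None:
    for key, value in summarize(parse_report(SAMPLE_REPORT_LINES)).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it against a saved Avira report by passing the file's lines to `parse_report`; the `live_files` list is the part to act on first, while a large `by_restore_point` count means the same infection is being carried along in System Restore snapshots.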

Offline Arpan
Help needed
« Reply #16 on: December 19, 2008, 03:51:53 PM »
I forgot to tell you, I installed Adobe Photoshop today. Just thought you should be aware of this. Apart from that, I wanted to ask you: should I also install a firewall on my computer?

Offline guestolo
Help needed
« Reply #17 on: December 20, 2008, 05:27:42 PM »
Quote
I forgot to tell you, I installed Adobe Photoshop today. Just thought you should be aware of this. Apart from that, I wanted to ask you: should I also install a firewall on my computer?

Be very careful: many viruses, trojans and other malware come packaged in cracks and key generators,
as noted here:
Code:
C:\Program Files\Adobe\keygen.exe
[DETECTION] Is the TR/Agent.59904.B Trojan
[NOTE] The file was moved to '49c6ec9e.qua'!
C:\Program Files\Adobe\Adobe Photoshop CS2\keygen.exe
[DETECTION] Is the TR/Agent.59904.B Trojan

Can you do the following
Hold onto Avira, but you can open its Quarantine section and use the Trash icon to delete all objects
Check out its scheduler and schedule a weekly scan
Ensure to Activate it

Go to START>>RUN>>copy and paste the following then click OK
ComboFix /u
This will uninstall ComboFix and its components

Can you Download CCleaner from the following link
http://www.ccleaner.com/download/builds
Choose the bottom download
CCleaner v2.14.763 - Slim

Save it then double click to Install
When installing, untick all options except for the Desktop Shortcut
After installation, delete the installer
In an open CCleaner window click on OPTIONS>>COOKIES
Move the ones you want to keep to the KEEP side
Then click on ADVANCED>>Untick "Only delete Temp files older than 48 hours"
Click on CLEANER on the left then click on "RUN CLEANER" on the bottom right
OK the prompt
Let it finish then Exit
You can manually check for updates on the bottom right hand side
of the main screen every couple of months or so
If there is an update, I suggest that you untick the option to install the Toolbar
You can install over top of an older version, keeping your settings intact
I would hold onto this tool and run it every week


I suggest that you add SpywareBlaster to your protection software
SpywareBlaster  by JavaCool  
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Status>>enable all protection


OTMoveIt3.exe
  • Double-click OTMoveIt3.exe to run it.
  • Click the Cleanup! button
    A list will be downloaded>>Allow it Internet access if prompted by your Firewall
    Don't change anything in this list
  • Select Yes at the prompt
    Wait for the confirmation box to open to reboot the computer
    Don't mouseclick during the wait as you may cause the tool to stall
  • Select Yes to reboot Now
NOTE: This procedure will also delete OTMoveit.exe from desktop

A software Firewall is not a bad idea
The one built into XP will only filter incoming traffic
Others, such as the ones I have in this link
http://www.thetechguide.com/forum/index.php?showtopic=15894
will filter incoming/outgoing traffic
Zone Alarm is fairly easy to use; ONLY install one Firewall software
If you go with ZA, ensure to untick any Toolbars it wants to install by default
This goes for any Firewall I have at those links: if they come bundled with a Toolbar of some sort,
untick the option

Take a look at miekiemoes' site with other ideas on How to prevent Malware:
« Last Edit: December 20, 2008, 05:28:28 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Arpan
Help needed
« Reply #18 on: December 22, 2008, 02:07:55 PM »
My system hangs every time I start my computer, as soon as I see the desktop.
Please help!

Offline guestolo
Help needed
« Reply #19 on: December 22, 2008, 02:25:10 PM »
Let's see if anything new has been added
Can you post a fresh Hijackthis log

In addition>>
Download and save to your desktop
OTScanIt2
by OldTimer

Double click on it to Run it and then Extract it to a folder on desktop
Open that newly created folder and double click on OTScanIt2.exe
Leave all defaults selected
Except, change Rootkit Search to YES
Also, under Additional Scans, put a tick next to
Evnt - EventViewer Logs (Last 10 Errors)

Then click on Run Scan

When done, it will produce a log
Can you post the contents of that log back here please
A copy of it can also be found in the OTScanIt2 folder on desktop
It may be best to attach that log
