Help Remove Win32/NSAnti!!

amoghk · Jan 12, 2008

Hello..i've had this problem for a long time now.

My Computer is infected with Win32.NSAnti.
When I click on a disk in Windows My Computer
window, AVG 7.5 gives the notification about the
Win32.NSAnti virus, I move it to the vault but
the problem continues.
I Ran Hijack this and here is the log file..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:04 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKLM\..\Policies\Explorer\Run: [Explorer] Winlogons
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3C587AA-6F6F-4B8E-874E-5CB879A6C0A1}: NameServer = 218.248.255.145,61.1.64.65
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3453 bytes

I would require some assistance on to remove this virus.I hope Someone can help me on this..thx in advance
P.S: Do i need to attach the log file also or is pasting it fine..

Shaba · Jan 13, 2008

Hi amoghk

If you have any USB sticks or external drives, please don't use them.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

amoghk · Jan 13, 2008

Hey Thanx for the reply n advise..i tried what u saud and here are the logs..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:43 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKLM\..\Policies\Explorer\Run: [Explorer] Winlogons
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3C587AA-6F6F-4B8E-874E-5CB879A6C0A1}: NameServer = 218.248.255.145,61.1.64.65
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3382 bytes

ComboFix 08-01-13.1 - Administrator 2008-01-13 20:47:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.50 [GMT 5.5:30]Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 20:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 13:19 . 2008-01-13 16:36 106,153 -r-hs---- C:\d.com
2008-01-12 19:20 . 2008-01-12 19:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 18:50 . 2008-01-09 18:50 104,392 -r-hs---- C:\tio8x6.cmd
2008-01-08 21:19 . 2008-01-09 12:55 105,719 -r-hs---- C:\u.bat
2008-01-04 18:33 . 2008-01-04 18:33 104,542 -r-hs---- C:\semo2x.exe
2008-01-04 18:33 . 2008-01-13 20:47 492 -r-hs---- C:\autorun.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 09:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-10 07:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-06 05:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-30 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-03 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-02 07:25 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-02 04:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 04:50 --------- d-----w C:\Program Files\Yahoo!
2007-12-02 04:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-02 04:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-20 16:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2007-11-14 13:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Super-Cow
2007-10-30 06:52 3,082 ----a-w C:\WINDOWS\system32\affv11300p2now.sys
2007-08-17 15:23 16,752 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 06:01 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 05:57 126976]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 12:24 579072]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 17:16 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"= present
"winlogon"= C:\heap41a\svchost.exe C:\heap41a\std.txt
"Explorer"= Winlogons

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCD]
F:\Run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 00:56]
S3 cheetah1;cheetah1;E:\New Folder\Cheetah Engine 1.4\cheetah.sys []
S3 DADriv1;DADriv1;E:\New Folder\DAEngine\DAK32.sys []
S3 dump_wmimmc;dump_wmimmc;D:\Maple\game\MapleStory\GameGuard\dump_wmimmc.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;E:\Moonlight Engine 1083\IlvMoney1083.sys []
S3 Kaspersky1;Kaspersky1;E:\New Folder\New Folder\Kaspersky.sys []
S3 projectx1;projectx1;E:\Marche0698 Hack Pack\ProjectX_3.0 Engine\ProjectX3.0 Tux-Hack\FelipeZe.sys []
S3 SoRa01;SoRa01;E:\New Folder\SoRa Remak Engine 2.6\SoRa.sys []
S3 sys_com001;sys_com001;E:\New Folder\SysComEngine_1059\syscom.sys []
S3 toBzM;toBzM;C:\toBzM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79c1991c-9140-11dc-8989-000fea9f9422}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79c1991d-9140-11dc-8989-000fea9f9422}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4280019-24b8-11dc-a297-000fea9f9422}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ceeaa4d4-2001-11dc-a283-000fea9f9422}]
\Shell\AutoRun\command - G:\tio8x6.cmd
\Shell\explore\Command - G:\tio8x6.cmd
\Shell\open\Command - G:\tio8x6.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f098327a-226a-11dc-a294-000fea9f9422}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-08-08 10:49:08 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-09-03 03:30:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-12-03 04:30:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-12-31 05:30:01 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-06 06:30:04 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-13 07:30:05 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-13 08:30:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-13 09:30:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-13 10:30:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-13 11:30:03 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-13 12:30:04 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-08-08 10:49:08 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-13 13:30:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-08 14:30:01 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-08 15:30:09 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-07 16:30:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-09 17:30:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-08-16 10:15:43 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-08-16 10:15:43 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-10-19 02:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-08-16 10:15:43 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-08-16 10:15:43 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-10-19 02:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-08-16 10:15:43 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-08-16 10:15:43 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-08-16 10:15:43 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-08-16 10:15:43 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-09-03 03:30:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-12-03 04:30:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-12-31 05:30:02 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-06 06:30:05 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-13 07:30:06 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-13 08:30:01 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-08-08 10:49:08 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-13 09:30:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-13 10:30:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-13 11:30:03 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-13 12:30:05 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-13 13:30:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-08 14:30:02 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-08 15:30:10 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-07 16:30:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2008-01-09 17:30:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\N2EkWjYn.exe
"2007-08-19 13:18:45 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-08 10:49:08 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-08-19 13:18:45 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-10-19 02:00:00 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-19 13:18:45 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-19 13:18:45 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-19 13:18:45 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-19 13:18:45 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-19 13:18:45 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-19 13:18:45 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-09-03 03:30:00 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-12-03 04:30:00 C:\WINDOWS\Tasks\At59.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-08 10:49:08 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-12-31 05:30:02 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-06 06:30:05 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-13 07:30:06 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-13 08:30:01 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-13 09:30:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-13 10:30:01 C:\WINDOWS\Tasks\At65.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-13 11:30:04 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-13 12:30:05 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-13 13:30:00 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-08 14:30:02 C:\WINDOWS\Tasks\At69.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-08 10:49:08 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2008-01-08 15:30:10 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-07 16:30:00 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2008-01-09 17:30:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\gpe80vNb.exe
"2007-08-08 10:49:08 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
"2007-08-08 10:49:08 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\Xi3HW3bs.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 20:49:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 20:50:44
ComboFix-quarantined-files.txt 2008-01-13 15:20:30
.
2007-08-01 13:05:52 --- E O F ---

These are the 2 logs..
I tried the combofix and the problem has stopped..do i have to do anyting else..
you also said that it was due to some USB problem..will i get infected the next time i us the pendrive since i use it quite frequently...thx for the solution if there is any thing else plz do tell..

Shaba · Jan 13, 2008

Hi

Yes, you are not clean.

"will i get infected the next time i us the pendrive since i use it quite frequently"

Yes, that's why please don't use it until you're clean or we won't get you clean.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\d.com
C:\tio8x6.cmd
C:\u.bat
C:\semo2x.exe
C:\autorun.inf
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"=-
"winlogon"=-
"Explorer"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ceeaa4d4-2001-11dc-a283-000fea9f9422}]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

amoghk · Jan 15, 2008

I am sorry i couldnt be online yesterday since i was busy
i did what u said and here is the combofix log..
what else do i have to do...

ComboFix 08-01-13.1 - Administrator 2008-01-15 17:02:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.59 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\autorun.inf
C:\d.com
C:\semo2x.exe
C:\tio8x6.cmd
C:\u.bat
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\d.com
C:\semo2x.exe
C:\tio8x6.cmd
C:\u.bat
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-13 20:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 19:20 . 2008-01-12 19:20 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 15:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-10 07:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-06 05:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-30 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-03 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-02 07:25 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-02 04:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 04:50 --------- d-----w C:\Program Files\Yahoo!
2007-12-02 04:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-02 04:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-20 16:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2007-10-30 06:52 3,082 ----a-w C:\WINDOWS\system32\affv11300p2now.sys
2007-08-17 15:23 16,752 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-13_20.50.16.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 15:17:33 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 11:31:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 15:17:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 11:31:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 15:17:33 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-15 11:31:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 15:17:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 11:31:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 15:17:33 3,391,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-15 11:31:42 3,391,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 15:17:34 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 11:31:42 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-13 15:12:22 216,756 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-15 11:25:29 216,767 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 06:01 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 05:57 126976]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 12:24 579072]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 17:16 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCD]
F:\Run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 00:56]
S3 cheetah1;cheetah1;E:\New Folder\Cheetah Engine 1.4\cheetah.sys []
S3 DADriv1;DADriv1;E:\New Folder\DAEngine\DAK32.sys []
S3 dump_wmimmc;dump_wmimmc;D:\Maple\game\MapleStory\GameGuard\dump_wmimmc.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;E:\Moonlight Engine 1083\IlvMoney1083.sys []
S3 Kaspersky1;Kaspersky1;E:\New Folder\New Folder\Kaspersky.sys []
S3 projectx1;projectx1;E:\Marche0698 Hack Pack\ProjectX_3.0 Engine\ProjectX3.0 Tux-Hack\FelipeZe.sys []
S3 SoRa01;SoRa01;E:\New Folder\SoRa Remak Engine 2.6\SoRa.sys []
S3 sys_com001;sys_com001;E:\New Folder\SysComEngine_1059\syscom.sys []
S3 toBzM;toBzM;C:\toBzM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79c1991c-9140-11dc-8989-000fea9f9422}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79c1991d-9140-11dc-8989-000fea9f9422}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4280019-24b8-11dc-a297-000fea9f9422}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f098327a-226a-11dc-a294-000fea9f9422}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 17:04:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 17:04:44
ComboFix-quarantined-files.txt 2008-01-15 11:34:30
ComboFix2.txt 2008-01-13 15:20:45
.
2007-08-01 13:05:52 --- E O F ---

Shaba · Jan 15, 2008

Hi

Please post also a fresh HijackThis log

amoghk · Jan 16, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:56 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3C587AA-6F6F-4B8E-874E-5CB879A6C0A1}: NameServer = 218.248.255.145,61.1.64.65
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3279 bytes
Here it is what do i do now...!

Shaba · Jan 16, 2008

Hi

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank <-- unless you have set it by yourself
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

amoghk · Jan 17, 2008

here is the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:20 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3C587AA-6F6F-4B8E-874E-5CB879A6C0A1}: NameServer = 218.248.255.145,61.1.64.65
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3267 bytes

amoghk · Jan 17, 2008

here is the kaspersky report,i was interrupted many times while the scanning was going on by virii detected by avg

Thursday, January 17, 2008 11:06:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/01/2008
Kaspersky Anti-Virus database records: 515845

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 31216
Number of viruses found 11
Number of infected objects 121
Number of suspicious objects 0
Duration of the scan process 00:34:33

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008011720080118\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VACGEJNK\Horoscope_PU_namepins[1].swf Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VACGEJNK\Horoscope_PU_namepins[2].swf Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.bua skipped

C:\QooBox\Quarantine\C\d.com.vir Infected: Worm.Win32.AutoRun.bss skipped

C:\QooBox\Quarantine\C\semo2x.exe.vir Infected: Worm.Win32.AutoRun.blu skipped

C:\QooBox\Quarantine\C\tio8x6.cmd.vir Infected: Worm.Win32.AutoRun.bpn skipped

C:\QooBox\Quarantine\C\u.bat.vir Infected: Worm.Win32.AutoRun.bnw skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir Infected: Worm.Win32.AutoRun.bss skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP21\A0054274.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP34\A0068567.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071490.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071492.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071503.dll Infected: not-a-virus:Monitor.Win32.Hooker.e skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071510.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071511.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071522.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071523.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071529.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071541.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071542.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071556.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071557.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071569.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071570.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071581.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071582.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071600.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071601.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071607.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071608.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071611.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071612.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071630.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071631.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071645.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071646.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071647.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071652.exe Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071653.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071662.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071663.bat Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071664.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071681.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071682.bat Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071683.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071688.exe Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071689.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071694.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071695.bat Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071696.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071705.dll Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071706.bat Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071707.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071712.exe Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071713.dll Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071728.dll Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071729.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071742.dll Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071743.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071755.dll Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071756.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071762.exe Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071771.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071772.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071773.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071778.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071779.dll Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071807.exe Infected: Worm.Win32.AutoRun.bts skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071808.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071809.com Infected: Worm.Win32.AutoRun.bts skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071810.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071821.com Infected: Worm.Win32.AutoRun.bss skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071822.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071831.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071832.com Infected: Worm.Win32.AutoRun.bss skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071833.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP44\A0071839.exe Infected: Worm.Win32.AutoRun.bss skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP44\A0071840.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP44\A0071841.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071898.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071899.com Infected: Worm.Win32.AutoRun.bss skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071900.exe Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071901.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071902.bat Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\sam Object is locked skipped

amoghk · Jan 17, 2008

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\security Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071496.exe Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071513.exe Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071525.exe Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071544.exe Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071559.exe Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071572.exe Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071584.exe Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071603.exe Object is locked skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071613.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071614.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071632.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071633.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071648.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071649.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071665.bat Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071666.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071671.bat Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071672.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071684.bat Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071685.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071697.bat Infected: Worm.Win32.AutoRun.bnw skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071698.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071708.bat Infected: Worm.Win32.AutoRun.bnw skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071709.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071731.cmd Infected: Worm.Win32.AutoRun.bpn skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071745.cmd Infected: Worm.Win32.AutoRun.bpn skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071758.cmd Infected: Worm.Win32.AutoRun.bpn skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071774.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071775.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071811.com Infected: Worm.Win32.AutoRun.bts skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071812.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071823.com Infected: Worm.Win32.AutoRun.bss skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071824.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071834.com Infected: Worm.Win32.AutoRun.bss skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071835.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\change.log Object is locked skipped

D:\autorun.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\semo2x.exe Object is locked skipped

D:\u.bat Infected: Worm.Win32.AutoRun.bnw skipped

D:\tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped

D:\d.com Infected: Worm.Win32.AutoRun.bss skipped

E:\semo2x.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071498.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071515.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071527.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071546.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071561.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071574.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071586.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071605.exe Object is locked skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071615.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071616.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071634.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071635.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071650.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071651.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071667.bat Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071668.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071673.bat Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071674.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071686.bat Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071687.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071699.bat Infected: Worm.Win32.AutoRun.bnw skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071700.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071710.bat Infected: Worm.Win32.AutoRun.bnw skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071711.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071733.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071747.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071760.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071776.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071777.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071813.com Infected: Worm.Win32.AutoRun.bts skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071814.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071825.com Infected: Worm.Win32.AutoRun.bss skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071826.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071836.com Infected: Worm.Win32.AutoRun.bss skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071837.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\change.log Object is locked skipped

E:\autorun.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\u.bat Infected: Worm.Win32.AutoRun.bnw skipped

E:\tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\d.com Infected: Worm.Win32.AutoRun.bss skipped

Scan process completed.

amoghk · Jan 17, 2008

PLz advise me on what to do furthur....

Shaba · Jan 17, 2008

Hi

Not fully clean yet.

Download OTMoveIt by OldTimer to your Desktop.

Double click OTMoveIt.exe to launch it.
Copy/Paste the contents of the box below into the left hand panel of OTMoveIt.

D:\autorun.inf
D:\semo2x.exe
D:\u.bat
D:\tio8x6.cmd
D:\d.com
E:\semo2x.exe
E:\autorun.inf
E:\u.bat
E:\tio8x6.cmd
E:\d.com

Click the Move It button.
The list will be processed and the results will appear in the right hand pane.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
When finished click Exit to exit the programme.
A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
Post back a contents of that file, please.

amoghk · Jan 18, 2008

Here it is..

D:\autorun.inf moved successfully.
File/Folder D:\semo2x.exe not found.
D:\u.bat moved successfully.
D:\tio8x6.cmd moved successfully.
D:\d.com moved successfully.
File/Folder E:\semo2x.exe not found.
E:\autorun.inf moved successfully.
E:\u.bat moved successfully.
E:\tio8x6.cmd moved successfully.
E:\d.com moved successfully.

Created on 01/18/2008 12:22:38

Thx for helping me so far. What do i do next??

Shaba · Jan 18, 2008

Hi

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

amoghk · Jan 18, 2008

here is the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:29 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3C587AA-6F6F-4B8E-874E-5CB879A6C0A1}: NameServer = 218.248.255.145,61.1.64.65
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3296 bytes

amoghk · Jan 18, 2008

and here is the kaspersky report

Friday, January 18, 2008 5:04:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/01/2008
Kaspersky Anti-Virus database records: 519212

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 30059
Number of viruses found 10
Number of infected objects 127
Number of suspicious objects 0
Duration of the scan process 00:25:22

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008011820080119\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.bua skipped

C:\QooBox\Quarantine\C\d.com.vir Infected: Worm.Win32.AutoRun.bss skipped

C:\QooBox\Quarantine\C\tio8x6.cmd.vir Infected: Worm.Win32.AutoRun.bpn skipped

C:\QooBox\Quarantine\C\u.bat.vir Infected: Worm.Win32.AutoRun.bnw skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir Infected: Worm.Win32.AutoRun.bpn skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir Infected: Worm.Win32.AutoRun.bpn skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071503.dll Infected: not-a-virus:Monitor.Win32.Hooker.e skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP42\A0071556.dll Object is locked skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071611.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071612.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071630.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071631.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071646.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071647.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071652.exe Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071663.bat Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071664.inf Infected: Worm.Win32.AutoRun.bnq skipped

.

amoghk · Jan 18, 2008

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071681.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071682.bat Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071683.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071688.exe Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071689.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071694.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071695.bat Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071696.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071705.dll Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071706.bat Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071707.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071712.exe Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071713.dll Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071728.dll Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071729.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071742.dll Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071743.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071755.dll Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071756.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071762.exe Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071771.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071772.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071773.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071778.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071779.dll Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071807.exe Infected: Worm.Win32.AutoRun.bts skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071808.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071809.com Infected: Worm.Win32.AutoRun.bts skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071810.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071821.com Infected: Worm.Win32.AutoRun.bss skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071822.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071831.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071832.com Infected: Worm.Win32.AutoRun.bss skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071833.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP44\A0071839.exe Infected: Worm.Win32.AutoRun.bss skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP44\A0071840.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP44\A0071841.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071898.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071899.com Infected: Worm.Win32.AutoRun.bss skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071901.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0071902.bat Infected: Worm.Win32.AutoRun.bnw skipped

C:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\change.log Object is locked skipped

C:\tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\sam Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\security Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\autorun.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\_OTMoveIt\MovedFiles\d.com Infected: Worm.Win32.AutoRun.bss skipped

C:\_OTMoveIt\MovedFiles\tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\_OTMoveIt\MovedFiles\u.bat Infected: Worm.Win32.AutoRun.bnw skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071613.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071614.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071632.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071633.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071648.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071649.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071665.bat Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071666.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071671.bat Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071672.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071684.bat Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071685.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071697.bat Infected: Worm.Win32.AutoRun.bnw skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071698.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071708.bat Infected: Worm.Win32.AutoRun.bnw skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071709.inf Infected: Worm.Win32.AutoRun.bnq skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071731.cmd Infected: Worm.Win32.AutoRun.bpn skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071745.cmd Infected: Worm.Win32.AutoRun.bpn skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071758.cmd Infected: Worm.Win32.AutoRun.bpn skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071774.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071775.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071811.com Infected: Worm.Win32.AutoRun.bts skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071812.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071823.com Infected: Worm.Win32.AutoRun.bss skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071824.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071834.com Infected: Worm.Win32.AutoRun.bss skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071835.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0072019.inf Infected: Worm.Win32.AutoRun.bua skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0072020.bat Infected: Worm.Win32.AutoRun.bnw skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0072021.cmd Infected: Worm.Win32.AutoRun.bpn skipped

D:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0072022.com Infected: Worm.Win32.AutoRun.bss skipped

D:\tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071615.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071616.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071634.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071635.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071650.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071651.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071667.bat Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071668.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071673.bat Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071674.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071686.bat Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071687.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071699.bat Infected: Worm.Win32.AutoRun.bnw skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071700.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071710.bat Infected: Worm.Win32.AutoRun.bnw skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071711.inf Infected: Worm.Win32.AutoRun.bnq skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071733.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071747.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071760.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071776.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071777.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071813.com Infected: Worm.Win32.AutoRun.bts skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071814.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071825.com Infected: Worm.Win32.AutoRun.bss skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071826.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071836.com Infected: Worm.Win32.AutoRun.bss skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP43\A0071837.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0072023.inf Infected: Worm.Win32.AutoRun.bua skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0072024.bat Infected: Worm.Win32.AutoRun.bnw skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0072025.cmd Infected: Worm.Win32.AutoRun.bpn skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\A0072026.com Infected: Worm.Win32.AutoRun.bss skipped

E:\System Volume Information\_restore{B16E9466-2541-44C7-B790-318717F9D664}\RP45\change.log Object is locked skipped

Scan process completed

Shaba · Jan 18, 2008

Hi

Have you lately used any usb sticks etc.?

I ask because some bad files have came back.

amoghk · Jan 19, 2008

No i havnt used any but i hav surfed on the net alot these days..is it because of that....

Help Remove Win32/NSAnti!!

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

New member

Security Expert: Emeritus

New member