
Micro AV 2009 Virus **Insane**

Discussion in 'Windows - Virus and spyware problems' started by zoktai, Sep 11, 2008.

  1. zoktai

    zoktai Guest

    Micro AntiVirus Pop-up wormy thing!
    Hello!

    This little bitch of a virus made it into my PC today to mess up my whole works, but I managed to get rid of it with a combination of spyware progs and "SmitFraud-fix", which I highly recommend after today...

    *deep breath*

    ...However, now my Internet browsers don't work: Opera, Firefox or IE7 on XP. I'm connected, MSN and torrents work etc., but no browsing; it's probably something simple I've overlooked. I've tried disabling all startup/services etc. in msconfig to no avail. Any suggestions?!

    Cheers. Zok
     
  2. cdavfrew

    cdavfrew Regular member

    Hi zoktai

    Before we begin the cleanup process, it is important to do a little analysis first. We will analyze your computer with a tool called HijackThis.

    Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

    Rename HijackThis(.exe) to scanner(.exe).

    Next, run scanner(.exe). A window will pop up.

    • Click on the button which says Main Menu, then Do a system scan and save a logfile.
    • Please wait for the scan to be completed.
    • After the scan has completed, a text window will pop up. Please post the contents of this window here.

    This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

    NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

    Best Regards :D
     
  3. scheezits

    scheezits Member

    Hi, I'm new to this forum but found it because I was searching for a way to remove Micro Virus 2009. So I'm going to download HijackThis and post a log of what it finds. Please help me once I have!!!
    -Paul
     
  4. cdavfrew

    cdavfrew Regular member

    Sure, scheezits. Follow my instructions exactly as written.
     
  5. compujas

    compujas Member

    I'm new here now because of this apparent virus. Below is my logfile from HijackThis as requested. Any ideas how to get rid of it? It seems like all those YUR*.exe files in the system directory are causing at least part of the problem. I also deleted the MicroAV folder under Program Files. Please help. Thanks.

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:47:21 PM, on 9/13/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal
    
    Running processes:
    C:\Fraps\fraps.exe
    C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
    C:\Program Files (x86)\Ideazon\Reaper\Reaper_Settings.exe
    C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
    C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe
    C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files (x86)\Pidgin\pidgin.exe
    C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files (x86)\Mozilla Firefox 3 Beta 4\firefox.exe
    C:\Users\Jason\Desktop\scanner.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: QXK Olive - {E6F9AADF-82B2-4F60-9482-23FF506C3535} - C:\Windows\vmgspntbbtx.dll
    O3 - Toolbar: fqbewlna - {CF83D74E-ED31-490D-B8EA-DA20D79F79EB} - C:\Windows\fqbewlna.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [\YUR5516.exe] C:\Windows\system32\YUR5516.exe
    O4 - HKLM\..\Run: [\YUR55B2.exe] C:\Windows\system32\YUR55B2.exe
    O4 - HKLM\..\Run: [\YUR590D.exe] C:\Windows\system32\YUR590D.exe
    O4 - HKLM\..\Run: [\YUR5AC3.exe] C:\Windows\system32\YUR5AC3.exe
    O4 - HKLM\..\Run: [ANTIVIRUS] "C:\Program Files (x86)\MicroAV\MicroAV.exe"
    O4 - HKCU\..\Run: [Reaper Gaming Mouse] C:\PROGRA~2\Ideazon\Reaper\Reaper_Settings.exe
    O4 - HKCU\..\Run: [LaunchList] C:\Program Files (x86)\Pinnacle\TVCenter Pro\LaunchList2.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [\YUR5516.exe] C:\Windows\system32\YUR5516.exe
    O4 - HKCU\..\Run: [\YUR55B2.exe] C:\Windows\system32\YUR55B2.exe
    O4 - HKCU\..\Run: [\YUR590D.exe] C:\Windows\system32\YUR590D.exe
    O4 - HKCU\..\Run: [\YUR5AC3.exe] C:\Windows\system32\YUR5AC3.exe
    O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files (x86)\MicroAV\MicroAV.exe
    O4 - HKCU\..\Run: [\YURA131.exe] C:\Windows\system32\YURA131.exe
    O4 - HKCU\..\Run: [\YURA095.exe] C:\Windows\system32\YURA095.exe
    O4 - HKCU\..\Run: [\YURA0D3.exe] C:\Windows\system32\YURA0D3.exe
    O4 - HKCU\..\Run: [\YURB248.exe] C:\Windows\system32\YURB248.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Pidgin.lnk = C:\Program Files (x86)\Pidgin\pidgin.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O13 - Gopher Prefix: 
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
    O21 - SSODL: mgxfebsq - {820ECD0B-FC4F-4724-92BD-4499730C3CCA} - C:\Windows\mgxfebsq.dll
    O21 - SSODL: dtseqrxk - {2F9D62DE-9220-433C-9406-FAF79F1FE05B} - C:\Windows\dtseqrxk.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\SysWOW64\IoctlSvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files (x86)\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    
    --
    End of file - 11060 bytes
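    An added example (not something posted in this thread) that parses HijackThis R/F/O lines and flags the indicators the posters walk through: the backslash-prefixed YUR####.exe Run values in system32, anything under the MicroAV or PCHealthCenter folders, and BHO/toolbar/SSODL DLLs loaded straight from C:\Windows with random-looking names. The sample lines are copied from the log above; the heuristics are my own and a hit means "review this", not "delete this".

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a handful of lines copied from the HijackThis log
# posted earlier in this thread, plus benign entries for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {E6F9AADF-82B2-4F60-9482-23FF506C3535} - C:\Windows\vmgspntbbtx.dll
O3 - Toolbar: fqbewlna - {CF83D74E-ED31-490D-B8EA-DA20D79F79EB} - C:\Windows\fqbewlna.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [\YUR5516.exe] C:\Windows\system32\YUR5516.exe
O4 - HKLM\..\Run: [ANTIVIRUS] "C:\Program Files (x86)\MicroAV\MicroAV.exe"
O4 - HKCU\..\Run: [\YURA131.exe] C:\Windows\system32\YURA131.exe
O21 - SSODL: mgxfebsq - {820ECD0B-FC4F-4724-92BD-4499730C3CCA} - C:\Windows\mgxfebsq.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
"""

# One HijackThis entry per line: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# First Windows path in the body that ends in an executable/library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]*)\]")   # the [value name] in O4 lines
YUR_RE = re.compile(r"^YUR[0-9A-F]{4}\.exe$", re.IGNORECASE)  # naming seen in the thread
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,}$")  # heuristic: all-lowercase gibberish file stem
ROGUE_FOLDERS = {"microav", "pchealthcenter"}  # folder names the posters identified


@dataclass
class Entry:
    section: str
    body: str
    path: str = ""
    run_name: str = ""
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn raw HijackThis output into Entry objects; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(m["section"], m["body"])
        p = PATH_RE.search(entry.body)
        if p:
            entry.path = p.group(0)
        if entry.section == "O4":
            n = RUN_NAME_RE.search(entry.body)
            if n:
                entry.run_name = n["name"]
        entries.append(entry)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to every entry matching one of the thread's indicators; return the hits."""
    flagged = []
    for e in entries:
        parts = e.path.split("\\") if e.path else [""]
        dirs, fname = [d.lower() for d in parts[:-1]], parts[-1]
        stem = fname.rsplit(".", 1)[0]
        # 1. Run value names normally do not start with a backslash; the rogue's did.
        if e.section == "O4" and e.run_name.startswith("\\"):
            e.reasons.append("Run value name begins with a backslash")
        # 2. YUR####.exe launched from system32, as in the posted log.
        if dirs[-1:] == ["system32"] and YUR_RE.match(fname):
            e.reasons.append("YUR####.exe launched from system32")
        # 3. Anything living under the rogue AV's own folders.
        if ROGUE_FOLDERS & set(dirs):
            e.reasons.append("path under a folder the thread identifies as the rogue AV")
        # 4. Heuristic: BHO / toolbar / SSODL modules loaded straight from C:\Windows with a
        #    random-looking lowercase name; legitimate ones live in Program Files or system32.
        #    Review before acting, since odd but benign software can trip this rule.
        if (e.section in ("O2", "O3", "O21") and len(dirs) == 2
                and dirs[1] == "windows" and RANDOM_STEM_RE.match(stem)):
            e.reasons.append("shell/browser extension DLL loaded directly from the Windows folder")
        if e.reasons:
            flagged.append(e)
    return flagged


def flagged_filenames(text: str) -> List[str]:
    """Convenience wrapper: file names of the flagged entries, in log order."""
    return [e.path.split("\\")[-1] for e in triage(parse_hjt(text))]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.path}")
        for r in e.reasons:
            print(f"       - {r}")
```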
    
     
  6. compujas

    compujas Member

    There was also a PCHealthCenter folder in Program Files as well which came up as a virus, so I deleted the whole folder. It had files 0.exe, 1.exe, 2.exe, ... up to 7.exe. Those were also running at the time of all the popups and attacks, which I killed and then the stuff promptly went away.
     
  7. cdavfrew

    cdavfrew Regular member

    Hey compujas

    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    Best Regards :D
     
    Last edited: Sep 14, 2008
  8. ataboo

    ataboo Member

    Hey guys, sorry to butt in, but my PC has completely identical symptoms and I tried running ComboFix. It gives the message that it found a rootkit and needs to reboot, but on reboot I get the screen saying Vista can't boot up because combo_fix.sys is missing or corrupt (DOS-esque menu). I get the same message in safe mode. I managed to start up the computer by reverting to the last boot settings option for startup. When Vista starts it asks if I want to run combofix.exe again and if I click yes nothing happens. Any ideas would be greatly appreciated.

    Alex Raboud
     
  9. compujas

    compujas Member

    I tried running ComboFix, but it says it's good for Win2k and XP only (I have Vista).

    I think I managed to fix the problem anyway. I deleted those two folders that I said, and ran a trial version of Nod32 which found a few things and deleted them. Everything seems to work fine now. I also used HijackThis to get rid of those lines with YUR*.exe in the system folder as well as anything MicroAV related.
     
  10. scheezits

    scheezits Member

    I was able to get Microvirus off nicely without having to use HijackThis, so thank you for the help you would have given me :)
     
  11. ataboo

    ataboo Member

    Good to hear other people are having luck with this one. I'm still having problems. Now the infected PC won't boot in last configuration after trying ComboFix. I'm trying the recovery disk now to see if it can repair it. Last time I had it running, PC-cillin picked up a few .dlls in system32/ infected by Vundo-type trojans but was unable to delete or quarantine them. If I can get the PC to boot again I can send you a HijackThis log and the scan log if you want.

    thanks
     
  12. kbrown410

    kbrown410 Member

    I got this virus this afternoon.

    I removed it fairly simply, to be honest.

    First, I removed the desktop icons they installed, then restarted at "Last Known...."

    Then shredded the MicroAV folder in Program Files, using Tune-Up Utilities, and later the PCHealth Center folder mentioned above (after I found this thread)

    Then I entered the Registry, and deleted all MicroAV keys I found.

    Using CCleaner, I then cleaned the registry problems, cleaned the disk, and did the same again with the Tune-Up utilities reg cleaner.

    I also deleted the startup keys created that I found in CCleaner, searching for them using the Tune-Up reg editor (one was a string of "8"s, the other a HEX code)

    Now, I am clean, and working fine.


    Took me the best part of 90 minutes to be sure, but my computer is old and takes a while to load/shut down.


    Hope this helps - and basically, beware what you download from torrents (that's where my version came from, in an AV program ironically)
     
  13. TheMadBag

    TheMadBag Member

    Confirmed... I grabbed the CCleaner that the previous poster mentioned... Used the CCleaner to work through my registry (fairly easy and intuitive to use), then did a system restore from the last time I performed my auto updates.

    All symptoms gone.
     
  14. jswany

    jswany Guest

    Hi, I'm new to this site. I have just got rid of this virus. I tried many things, including everything on this page, and nothing worked, it kept coming back, but after many frustrating hours I found a program that gets rid of the virus, then ran a second program to get rid of the spyware.

    The first program I used was Combofix Download; this is a very easy to use program with no installation needed (please note the program when run may look like it has crashed but hasn't, it's just doing its thing; once it's detected the infection it will reboot your PC and clean it. Do NOT use any programs once rebooted until ComboFix displays the dialog report and has finished, and please don't click the dialog box whilst it's running as this WILL slow it down).

    The second program I ran was SuperAntiSpyware Download.
    This is a simple spyware removal program that will remove the remainder of the spyware.


    I Hope this helps for anyone else with the same problem.
    Both the programs mentioned are FREE
     
  15. cdavfrew

    cdavfrew Regular member

    *sniff sniff.... everyone's getting clean without my help... i'm so sad :(

    Just kidding. Glad to see all of you got clean at the same time, using simple methods. Indeed, Google may be your best friend when it comes to rogue antimalware programs. Researching is always good.

    If any of you have problems, feel free to get help here.

    Best Regards :D
     
  16. kbrown410

    kbrown410 Member

    I got clean.


    Then I got infected. Couldn't get rid of this one (same one again, but with different actions (couldn't check Genuine Windows, VIRUS ALERT! in system tray, virus shite background, so on)) - so I only had one option, complete re-install.

    Works, but a last resort. No idea what file I had opened either time to load the virus. Cunts
     
  17. mpowell52

    mpowell52 Member

    As luck would have it, I just took AVG off my computer to try One Care from Microsoft and bam... 3 days later I get this AV Micro 2009. Yeah, yeah, I know I should have never gone without being protected. But then I guess most of us make some mistakes in life. Anyway, I have read this thread and downloaded HijackThis. Below is a copy of the log it produced. I appreciate any help I can get.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:51:04 PM, on 9/17/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\DOCUME~1\OWNER~1.PAM\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe
    C:\DOCUME~1\OWNER~1.PAM\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
    O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O13 - DefaultPrefix:
    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: *.getmedianow.com
    O15 - Trusted Zone: *.live.com
    O15 - Trusted Zone: *.virtualearth.net
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177680780828
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9473 bytes
     
  18. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hi mpowell52

    First, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antivirus, antispyware, and firewall programs.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    Best Regards :D
     
  19. sharib

    sharib Member

    Joined:
    Sep 18, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Hi, I'm desperately hoping someone here can help me. I was doing some stuff on my boss's computer today and ended up infecting his computer with this nasty virus, Microsoft AV 2009. I tried to get rid of it on my own and tried shredding some files with Spybot Search and Destroy. I can now only get the computer up in safe mode. I tried to do a system restore to earlier today and it won't perform the restore.

    I also ran the ComboFix program to post a report. Also, I can't even restart the computer without it going to a blue error screen on shutdown.

    Here is the report. Please HELP ME!!!! My boss is very computer-dependent for his business and Friday will be a horrible day if I don't fix this. I think I may need a miracle. Thank You So Much!!!

    ComboFix 08-09-16.05 - Billy 2008-09-18 17:59:28.1 - NTFSx86 MINIMAL
    Running from: J:\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Billy\Cookies\billy@2o7[2].txt
    C:\Documents and Settings\Billy\Cookies\billy@ads.pointroll[2].txt
    C:\Documents and Settings\Billy\Cookies\billy@ehg.fedex[1].txt
    C:\Documents and Settings\Billy\Cookies\billy@insightexpressai[1].txt
    C:\Documents and Settings\Billy\Cookies\billy@media6degrees[1].txt
    C:\Documents and Settings\Billy\Cookies\billy@specificclick[2].txt
    C:\Documents and Settings\Billy\Cookies\billy@trafficmp[2].txt
    C:\Documents and Settings\Billy\Cookies\billy@www35.vzw[2].txt
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\system32\byXOiFXp.dll
    C:\WINDOWS\system32\Cpl32ver.exe
    C:\WINDOWS\system32\eOXHNnnn.ini
    C:\WINDOWS\system32\eOXHNnnn.ini2
    C:\WINDOWS\system32\lbqbhvey.ini
    C:\WINDOWS\system32\nnnNHXOe.dll
    C:\WINDOWS\system32\ogtmxg.dll
    C:\WINDOWS\system32\rqRIXqno.dll
    C:\WINDOWS\system32\tdssadw.dll
    C:\WINDOWS\system32\tdssinit.dll
    C:\WINDOWS\system32\tdssl.dll
    C:\WINDOWS\system32\tdsslog.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\tdssservers.dat
    C:\WINDOWS\system32\winghy32.dll
    C:\WINDOWS\system32\yevhbqbl.dll
    C:\WINDOWS\system32\yivhmrtu.dll
    C:\WINDOWS\system32\YUR1DB.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
    .

    2008-09-18 17:50 . 2006-11-29 13:54 <DIR> d--h----- C:\Documents and Settings\QBDataServiceUser18\Application Data\Gtek
    2008-09-18 17:50 . 2006-11-15 21:52 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser18\Application Data\ATI
    2008-09-18 17:50 . 2008-09-18 17:50 <DIR> d-------- C:\Documents and Settings\QBDataServiceUser18
    2008-09-18 17:12 . 2008-09-18 17:49 5,760 --a------ C:\WINDOWS\system32\drivers\restore.sys
    2008-09-18 15:50 . 2008-09-18 15:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-09-18 15:50 . 2008-09-18 16:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-18 15:46 . 2008-09-18 15:46 <DIR> d-------- C:\quarantine
    2008-09-18 15:46 . 2008-09-18 07:45 166,400 --a------ C:\WINDOWS\system32\MicroAV.cpl
    2008-09-18 15:46 . 2008-09-18 17:49 32,256 --a------ C:\WINDOWS\system32\drivers\ati7djxx.sys
    2008-09-18 15:46 . 2008-09-18 15:46 5,136 --a------ C:\WINDOWS\system32\imod3.dll
    2008-09-18 15:40 . 1997-03-31 03:28 462,336 --a------ C:\WINDOWS\system32\TDBGS32.OCX
    2008-09-18 15:40 . 1998-06-23 11:30 203,011 --a------ C:\WINDOWS\system32\DBLIST32.OCX
    2008-09-18 15:40 . 1998-06-18 01:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
    2008-09-18 15:24 . 2007-07-30 14:44 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
    2008-09-18 15:24 . 2007-06-28 14:09 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
    2008-09-18 15:21 . 2008-09-18 16:19 <DIR> d-------- C:\Program Files\Intuit
    2008-09-18 15:21 . 2008-09-18 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
    2008-09-18 15:19 . 2008-09-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
    2008-09-17 10:38 . 2008-09-17 10:38 22 --a------ C:\WINDOWS\LOGO.INI
    2008-09-17 10:27 . 2008-09-17 10:27 <DIR> d-------- C:\Program Files\MySoftware
    2008-09-17 10:27 . 2008-09-17 10:29 <DIR> d-------- C:\Program Files\Common Files\MySoftware
    2008-08-31 14:41 . 2008-08-31 14:42 <DIR> d-------- C:\61af56d367a28f892243
    2008-08-19 12:32 . 2008-08-19 12:32 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-08-19 10:32 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\system32\spdwnwxp.exe
    2008-08-18 18:46 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-08-18 18:46 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-08-18 12:50 . 2008-09-17 11:52 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-18 12:46 . 2008-08-18 12:46 <DIR> d-------- C:\Program Files\MSECache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-18 21:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-17 14:37 --------- d-----w C:\Program Files\Java
    2008-09-17 14:26 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-08 14:27 --------- d-----w C:\Documents and Settings\Billy\Application Data\NCH Software
    2008-08-08 14:23 --------- d-----w C:\Program Files\NCH Software
    2008-08-08 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software
    2008-07-19 21:07 --------- d-----w C:\Documents and Settings\Billy\Application Data\U3
    2004-08-04 11:00 94,784 --sh--w C:\WINDOWS\twain.dll
    2004-08-04 11:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
    2006-11-29 18:08 88 --sh--r C:\WINDOWS\system32\443E554886.sys
    2008-02-11 14:05 8 --sha-r C:\WINDOWS\system32\A857CCCBFD.sys
    2004-08-04 11:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
    2004-08-04 11:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
    2004-08-04 11:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
    2004-08-04 11:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
    2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\system32\oleaut32.dll
    2004-08-04 11:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
    2004-08-04 11:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingB772"="command" [X]
    "SpybotDeletingD877"="del" [X]
    "SpybotDeletingB8203"="command" [X]
    "SpybotDeletingD2381"="del" [X]
    "SpybotDeletingB7219"="command" [X]
    "SpybotDeletingD2302"="del" [X]
    "SpybotDeletingB8119"="command" [X]
    "SpybotDeletingD2252"="del" [X]
    "SpybotDeletingB8811"="command" [X]
    "SpybotDeletingD4004"="del" [X]
    "SpybotDeletingB2245"="command" [X]
    "SpybotDeletingD6359"="del" [X]
    "SpybotDeletingB7514"="command" [X]
    "SpybotDeletingD5532"="del" [X]
    "SpybotDeletingB6072"="command" [X]
    "SpybotDeletingD7099"="del" [X]
    "SpybotDeletingB7917"="command" [X]
    "SpybotDeletingD3633"="del" [X]
    "SpybotDeletingB9544"="command" [X]
    "SpybotDeletingD3765"="del" [X]
    "SpybotDeletingB4538"="command" [X]
    "SpybotDeletingD4641"="del" [X]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-11-15 26112]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-15 98304]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
    "FlashIcon"="C:\Program Files\Dane-Elec\USB 2.0 Card Reader Driver v2.3b\FlashIcon.exe" [2004-12-28 40960]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 196608]
    "HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2001-08-23 311296]
    "CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "Tracker"="C:\Program Files\MySoftware\MyInvoices2\tracker.exe" [2007-01-23 114688]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 C:\WINDOWS\stsystra.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-03 94208]

    C:\Documents and Settings\Billy\Start Menu\Programs\Startup\
    VirtualExpander.lnk - C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe [2007-08-29 434176]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-12 113664]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-15 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\imod3]
    2008-09-18 15:46 5136 C:\WINDOWS\system32\imod3.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7djxx.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WinBoats (Local Data)\\WinBoats.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

    R0 ati7djxx;ati7djxx;C:\WINDOWS\system32\Drivers\ati7djxx.sys [2008-09-18 32256]
    S2 QuickBooksDB18;QuickBooksDB18;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 128536]
    S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2001-08-23 18864]
    S3 filter;filter;C:\WINDOWS\system32\drivers\filter.sys [2004-11-26 8832]
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [ ]
    S3 restore;restore;C:\WINDOWS\system32\drivers\restore.sys [2008-09-18 5760]
    S4 agp440;Intel AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-04 42368]
    S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-04 44928]
    S4 alim1541;ALI AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-04 42752]
    S4 sisagp;SIS AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-04 41088]
    S4 viaagp;VIA AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-04 42240]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d79625b-da3a-11dc-9e65-0019d10ce7a0}]
    \Shell\AutoRun\command - J:\LaunchU3.exe -a
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{2d7bb11f-44ad-4943-9212-bc882cba20ff} - C:\WINDOWS\system32\ogtmxg.dll
    BHO-{BC0069D3-47BD-4CDA-8AB6-AE880C9C003F} - C:\WINDOWS\system32\nnnNHXOe.dll
    BHO-{DA2E0515-F0D5-4773-8191-400CCD50783B} - C:\WINDOWS\system32\rqRIXqno.dll
    ShellIconOverlayIdentifiers-{E4000AC4-5E5F-4956-807A-C5854405D64F} - %SystemRoot%\system32\VirtualExpander\VEShellExt.dll
    HKCU-Run-\YUR1B7.exe - C:\Windows\system32\YUR1B7.exe
    HKCU-Run-\YUR1B8.exe - C:\Windows\system32\YUR1B8.exe
    HKCU-Run-\YUR1B9.exe - C:\Windows\system32\YUR1B9.exe
    HKCU-Run-\YUR1BA.exe - C:\Windows\system32\YUR1BA.exe
    HKCU-Run-\YURD.exe - C:\Windows\system32\YURD.exe
    HKCU-Run-\YURE.exe - C:\Windows\system32\YURE.exe
    HKCU-Run-\YURF.exe - C:\Windows\system32\YURF.exe
    HKCU-Run-\YUR10.exe - C:\Windows\system32\YUR10.exe
    HKLM-Run-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    HKLM-Run-\YUR1B7.exe - C:\Windows\system32\YUR1B7.exe
    HKLM-Run-\YUR1B8.exe - C:\Windows\system32\YUR1B8.exe
    HKLM-Run-\YUR1B9.exe - C:\Windows\system32\YUR1B9.exe
    HKLM-Run-\YUR1BA.exe - C:\Windows\system32\YUR1BA.exe
    HKLM-Run-ANTIVIRUS - C:\Program Files\MicroAV\MicroAV.exe
    HKLM-Run-1ccd5b1f - C:\WINDOWS\system32\yevhbqbl.dll
    HKLM-Run-\YUR1DB.exe - C:\Windows\system32\YUR1DB.exe
    HKLM-Run-\YURD.exe - C:\Windows\system32\YURD.exe
    HKLM-Run-\YURE.exe - C:\Windows\system32\YURE.exe
    HKLM-Run-\YURF.exe - C:\Windows\system32\YURF.exe
    HKLM-Run-\YUR10.exe - C:\Windows\system32\YUR10.exe
    HKLM-Run-\YUR72.exe - C:\Windows\system32\YUR72.exe
    HKLM-Run-\YUR73.exe - C:\Windows\system32\YUR73.exe
    ShellExecuteHooks-{DA2E0515-F0D5-4773-8191-400CCD50783B} - C:\WINDOWS\system32\rqRIXqno.dll
    Notify-winghy32 - winghy32.dll


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
    O8 -: Copy to &Lightning Note - C:\Program Files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

    O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://71.1.7.66:50000/SysCamInst.cab
    C:\WINDOWS\Downloaded Program Files\install.inf
    C:\WINDOWS\Downloaded Program Files\ipv6cam.ocx
    C:\WINDOWS\Downloaded Program Files\AudioClient.ocx

    O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
    C:\WINDOWS\Downloaded Program Files\OberonGameHost_dbg.inf
    C:\WINDOWS\Downloaded Program Files\OberonGameHost.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-18
     
  20. bibhash84

    bibhash84 Member

    Joined:
    Sep 18, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
    Hi, I got this virus and followed the instructions in this thread. Here's my log file from HijackThis!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:11:43 AM, on 9/19/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20815)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LClock\LClock.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\Shared Files\CTSched.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Styler\Styler.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\uTorrent\utorrent.exe
    C:\Program Files\Sify Broadband\BBClient.exe
    C:\Program Files\Sify Broadband\BBImpSec.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\scanner.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R3 - URLSearchHook: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
    O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
    O1 - Hosts: 210.210.19.82 www.sifymall.com
    O2 - BHO: (no name) - {70D11273-F4B5-41BF-B7A9-D383DC6F5906} - C:\WINDOWS\system32\efcATNGv.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: {84e8b8e8-175e-a138-52f4-2e6b8092adfa} - {afda2908-b6e2-4f25-831a-e5718e8b8e48} - C:\WINDOWS\system32\whotbx.dll
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
    O3 - Toolbar: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
    O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll
    O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
    O4 - HKLM\..\Run: [\YURB0AA.exe] C:\Windows\system32\YURB0AA.exe
    O4 - HKLM\..\Run: [\YURB0AB.exe] C:\Windows\system32\YURB0AB.exe
    O4 - HKLM\..\Run: [\YURB0AC.exe] C:\Windows\system32\YURB0AC.exe
    O4 - HKLM\..\Run: [\YURB0AD.exe] C:\Windows\system32\YURB0AD.exe
    O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
    O4 - HKLM\..\Run: [645134f6] rundll32.exe "C:\WINDOWS\system32\oakwawdm.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
    O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
    O4 - HKCU\..\Run: [\YURB0AA.exe] C:\Windows\system32\YURB0AA.exe
    O4 - HKCU\..\Run: [\YURB0AB.exe] C:\Windows\system32\YURB0AB.exe
    O4 - HKCU\..\Run: [\YURB0AC.exe] C:\Windows\system32\YURB0AC.exe
    O4 - HKCU\..\Run: [\YURB0AD.exe] C:\Windows\system32\YURB0AD.exe
    O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Styler.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215648502390
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15102/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{82BD5E09-5DCE-4F0E-A7CD-963D54BF269F}: NameServer = 202.144.50.4,202.144.66.6
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: whotbx.dll
    O20 - Winlogon Notify: khfdeFxY - C:\WINDOWS\SYSTEM32\khfdeFxY.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 9006 bytes


    Next, I used Combocleaner and here is Combo's log

    ComboFix 08-09-16.05 - Bibhash 2008-09-19 4:18:19.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1399 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Bibhash\Desktop\Combo-Fix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Bibhash\Cookies\bibhash@ad.yieldmanager[1].txt
    C:\Documents and Settings\Bibhash\Cookies\bibhash@clicktorrent[1].txt
    C:\Documents and Settings\Bibhash\Cookies\bibhash@www.wowwiki[2].txt
    C:\Program Files\MicroAV
    C:\Program Files\MicroAV\MicroAV.exe
    C:\Program Files\MicroAV\MicroAV.ooo
    C:\Program Files\MicroAV\MicroAV0.dat
    C:\Program Files\MicroAV\MicroAV1.dat
    C:\Program Files\PCHealthCenter\0.exe
    C:\Program Files\PCHealthCenter\0.gif
    C:\Program Files\PCHealthCenter\1.exe
    C:\Program Files\PCHealthCenter\1.gif
    C:\Program Files\PCHealthCenter\1.ico
    C:\Program Files\PCHealthCenter\2.exe
    C:\Program Files\PCHealthCenter\2.gif
    C:\Program Files\PCHealthCenter\2.ico
    C:\Program Files\PCHealthCenter\3.exe
    C:\Program Files\PCHealthCenter\3.gif
    C:\Program Files\PCHealthCenter\4.exe
    C:\Program Files\PCHealthCenter\5.exe
    C:\Program Files\PCHealthCenter\7.exe
    C:\Program Files\PCHealthCenter\sc.html
    C:\WINDOWS\system32\1.ico
    C:\WINDOWS\system32\2.ico
    C:\WINDOWS\system32\efcATNGv.dll
    C:\WINDOWS\system32\khfdeFxY.dll
    C:\WINDOWS\system32\mdwawkao.ini
    C:\WINDOWS\system32\opnooOfC.dll
    C:\WINDOWS\system32\vGNTAcfe.ini
    C:\WINDOWS\system32\vGNTAcfe.ini2
    C:\WINDOWS\system32\YURB0AA.exe
    C:\WINDOWS\system32\YURB0AB.exe
    C:\WINDOWS\system32\YURB0AC.exe
    C:\WINDOWS\system32\YURB0AD.exe
    C:\x

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
    .

    2008-09-19 04:22 . 2008-09-19 04:22 <DIR> d-------- C:\WINDOWS\system32\xircom
    2008-09-19 04:22 . 2008-09-19 04:22 <DIR> d-------- C:\Program Files\microsoft frontpage
    2008-09-19 04:22 . 2008-09-19 04:22 74 ---hs---- C:\WINDOWS\system32\mdwawkao.ini
    2008-09-19 04:11 . 2008-09-19 04:11 137,344 --a------ C:\WINDOWS\system32\whotbx.dll
    2008-09-19 04:11 . 2008-09-19 04:11 137,344 --a------ C:\WINDOWS\system32\gvkapxam.dll
    2008-09-19 04:11 . 2008-09-19 04:11 103,552 --a------ C:\WINDOWS\system32\oakwawdm.dll
    2008-09-19 04:05 . 2007-06-28 14:36 401,720 --a------ C:\scanner.exe
    2008-09-19 04:01 . 2008-09-19 04:21 <DIR> d-------- C:\Program Files\PCHealthCenter
    2008-09-17 02:40 . 2008-09-17 02:40 <DIR> d-------- C:\Program Files\DaemonTools_WhenUSaveNow_Installer
    2008-09-17 02:39 . 2008-09-17 02:39 <DIR> d-------- C:\Program Files\DAEMON Tools
    2008-09-17 02:39 . 2008-09-17 02:39 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2008-09-17 02:37 . 2008-09-17 02:37 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-09-17 02:37 . 2008-09-17 02:37 96,384 --a------ C:\WINDOWS\system32\drivers\sptd3325.sys
    2008-09-13 19:08 . 2008-09-13 19:11 <DIR> d-------- C:\Program Files\ABC Amber LIT Converter
    2008-09-11 22:47 . 2008-09-11 22:50 <DIR> d-------- C:\Program Files\Google
    2008-09-05 01:01 . 2008-09-05 01:01 <DIR> d-------- C:\Program Files\Webteh
    2008-09-05 01:01 . 2008-09-05 01:01 <DIR> d-------- C:\Program Files\BS.Player ControlBar
    2008-09-05 01:01 . 2008-09-05 01:01 <DIR> d-------- C:\Documents and Settings\Bibhash\Application Data\BSplayer Pro
    2008-09-05 01:01 . 2008-09-05 05:39 <DIR> d-------- C:\Documents and Settings\Bibhash\Application Data\BSplayer
    2008-08-28 02:51 . 2008-08-28 02:51 <DIR> d-------- C:\Documents and Settings\Bibhash\Application Data\vlc
    2008-08-28 02:49 . 2008-08-28 02:49 <DIR> d-------- C:\Program Files\VideoLAN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-18 22:44 --------- d-----w C:\Documents and Settings\Bibhash\Application Data\uTorrent
    2008-09-18 11:28 --------- d-----w C:\Program Files\Minilyrics
    2008-09-18 08:29 --------- d-----w C:\Documents and Settings\Bibhash\Application Data\Broadband
    2008-09-18 08:04 --------- d-----w C:\Documents and Settings\Bibhash\Application Data\AVG7
    2008-09-16 21:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-06 18:45 --------- d-----w C:\Program Files\Winamp
    2008-09-04 18:45 --------- d-----w C:\Program Files\GetRight
    2008-08-14 17:12 --------- d-----w C:\Program Files\Java
    2008-08-12 12:26 2,829 ----a-w C:\WINDOWS\War3Unin.pif
    2008-08-12 12:26 139,264 ----a-w C:\WINDOWS\War3Unin.exe
    2008-08-07 17:23 --------- d-----w C:\Program Files\Common Files\Ahead
    2008-08-07 17:23 --------- d-----w C:\Program Files\Ahead
    2008-07-28 10:25 --------- d-----w C:\Program Files\EasySify 2
    2008-07-28 06:13 --------- d-----w C:\Program Files\Teamspeak2_RC2
    2008-07-28 06:13 --------- d-----w C:\Documents and Settings\Bibhash\Application Data\teamspeak2
    2008-07-27 00:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-26 23:43 --------- d-----w C:\Program Files\MKVtoolnix
    2008-07-26 23:41 --------- d-----w C:\Program Files\AviSynth 2.5
    2008-07-26 23:40 --------- d-----w C:\Program Files\StaxRip
    2008-07-25 16:54 --------- d-----w C:\Documents and Settings\Bibhash\Application Data\AdobeUM
    2008-07-19 14:41 --------- d-----w C:\Documents and Settings\Bibhash\Application Data\GetRight Pro
    2008-07-19 08:54 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-18 19:17 --------- d-----w C:\Program Files\Subdownloader
    2008-07-18 10:40 --------- d-----w C:\Program Files\Unlocker
    2008-07-18 10:38 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-07-18 10:38 --------- d--h--r C:\Documents and Settings\Bibhash\Application Data\SecuROM
    2008-07-03 23:22 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-07-03 23:22 102,400 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-07-03 21:37 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-06-19 20:58 3,127 ----a-w C:\WINDOWS\system32\presetup.cmd
    2008-06-19 20:58 28,672 ----a-w C:\WINDOWS\system32\setupold.exe
    2008-06-19 20:46 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll
    2008-06-19 20:46 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
    2008-06-19 20:46 483,840 ----a-w C:\WINDOWS\system32\wzcsvc.dll
    2008-06-19 20:46 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
    2008-06-19 20:46 35,328 ----a-w C:\WINDOWS\system32\pid.dll
    2008-06-19 20:46 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
    2008-06-19 20:46 20,992 ----a-w C:\WINDOWS\system32\hid.dll
    2008-06-19 20:46 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    2008-06-19 20:46 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll
    2008-06-19 20:43 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
    2008-06-19 20:43 140,288 ----a-w C:\WINDOWS\system32\sfc_os.dll
    2008-06-19 20:41 98,304 ----a-w C:\WINDOWS\system32\makecab.exe
    2008-06-19 20:40 443,752 ----a-w C:\WINDOWS\system32\d3dx10_34.dll
    2008-06-19 20:40 443,752 ----a-w C:\WINDOWS\system32\d3dx10_33.dll
    2008-06-19 20:40 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
    2008-06-19 20:40 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-06-19 20:40 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
    2008-06-19 20:40 3,727,720 ----a-w C:\WINDOWS\system32\d3dx9_35.dll
    2008-06-19 20:40 3,497,832 ----a-w C:\WINDOWS\system32\d3dx9_34.dll
    2008-06-19 20:40 3,495,784 ----a-w C:\WINDOWS\system32\d3dx9_33.dll
    2008-06-19 20:40 3,426,072 ----a-w C:\WINDOWS\system32\d3dx9_32.dll
    2008-06-19 20:40 2,414,360 ----a-w C:\WINDOWS\system32\d3dx9_31.dll
    2008-06-19 20:40 2,297,552 ----a-w C:\WINDOWS\system32\d3dx9_26.dll
    2008-06-19 20:40 176,640 ----a-w C:\WINDOWS\system32\taskmgr.exe
    2008-06-19 20:39 8,636 ----a-w C:\WINDOWS\modifyPE.exe
    2008-06-19 20:39 61,440 ----a-w C:\WINDOWS\system32\CopyToSendTo.dll
    2008-06-19 20:39 394,240 ----a-w C:\WINDOWS\system32\HMTCD.dll
    2008-06-19 20:39 269,312 ----a-w C:\WINDOWS\upx.exe
    2008-06-19 20:39 114,688 ----a-w C:\WINDOWS\system32\cabarc.exe
    .

    ------- Sigcheck -------

    2008-06-20 02:13 361344 68f06fe0021b01e670af37b8c5964fdf C:\WINDOWS\system32\drivers\tcpip.sys

    2008-04-23 11:28 2306560 8c4050bd9fd87e23cded28ffa889b0ba C:\WINDOWS\system32\ntoskrnl.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{afda2908-b6e2-4f25-831a-e5718e8b8e48}]
    2008-09-19 04:11 137344 --a------ C:\WINDOWS\system32\whotbx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{2C688203-7EB3-4327-9995-1CB417BA23F9}"= "C:\Program Files\BS.Player ControlBar\BSToolbar.dll" [2008-08-13 757192]

    [HKEY_CLASSES_ROOT\clsid\{2c688203-7eb3-4327-9995-1cb417ba23f9}]
    [HKEY_CLASSES_ROOT\BSToolbar.ToolBandObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1FC79FB5-E4BD-48c8-B2E9-B8E74DB2C3A9}]
    [HKEY_CLASSES_ROOT\BSToolbar.ToolBandObj]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{2C688203-7EB3-4327-9995-1CB417BA23F9}"= "C:\Program Files\BS.Player ControlBar\BSToolbar.dll" [2008-08-13 757192]

    [HKEY_CLASSES_ROOT\clsid\{2c688203-7eb3-4327-9995-1cb417ba23f9}]
    [HKEY_CLASSES_ROOT\BSToolbar.ToolBandObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1FC79FB5-E4BD-48c8-B2E9-B8E74DB2C3A9}]
    [HKEY_CLASSES_ROOT\BSToolbar.ToolBandObj]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
    "SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
    "SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 C:\WINDOWS\MIDIDEF.EXE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-19 65536]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 13529088]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 86016]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-07-04 579584]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 180224]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
    "DaemonTools_WhenUSaveNow_Installer"="C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe" [2006-03-30 148480]
    "645134f6"="C:\WINDOWS\system32\oakwawdm.dll" [2008-09-19 103552]
    "nwiz"="nwiz.exe" [2008-05-02 C:\WINDOWS\system32\nwiz.exe]
    "P17Helper"="SPIRun.dll" [2006-07-03 C:\WINDOWS\system32\SPIRun.dll]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-07-04 219136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"="shell32" [X]
    "nltide_3"="advpack.dll" [2008-06-20 C:\WINDOWS\system32\advpack.dll]

    C:\Documents and Settings\Bibhash\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
    Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]
    Styler.lnk - C:\Documents and Settings\Bibhash\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2008-07-04 15086]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=whotbx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3fhg"= mp3fhg.acm
    "msacm.divxa32"= divxa32.acm
    "VIDC.X264"= x264vfw.dll
    "VIDC.HFYU"= huffyuv.dll
    "vidc.i263"= i263_32.drv
    "VIDC.YV12"= C:\WINDOWS\system32\xvidvfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "mW[íµ�ˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>�­Ý\†Ð=ŸàÛ±Þ"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\uTorrent\\utorrent.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "E:\\Battlefield 2\\BF2.exe"=


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
    RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{f592709f-ff4a-4862-b659-4afabda56312} - (no file)
    BHO-{70D11273-F4B5-41BF-B7A9-D383DC6F5906} - C:\WINDOWS\system32\efcATNGv.dll
    Toolbar-{f592709f-ff4a-4862-b659-4afabda56312} - (no file)
    WebBrowser-{F592709F-FF4A-4862-B659-4AFABDA56312} - (no file)
    HKCU-Run-\YURB0AA.exe - C:\Windows\system32\YURB0AA.exe
    HKCU-Run-\YURB0AB.exe - C:\Windows\system32\YURB0AB.exe
    HKCU-Run-\YURB0AC.exe - C:\Windows\system32\YURB0AC.exe
    HKCU-Run-\YURB0AD.exe - C:\Windows\system32\YURB0AD.exe
    HKLM-Run-\YURB0AA.exe - C:\Windows\system32\YURB0AA.exe
    HKLM-Run-\YURB0AB.exe - C:\Windows\system32\YURB0AB.exe
    HKLM-Run-\YURB0AC.exe - C:\Windows\system32\YURB0AC.exe
    HKLM-Run-\YURB0AD.exe - C:\Windows\system32\YURB0AD.exe
    HKLM-Run-ANTIVIRUS - C:\Program Files\MicroAV\MicroAV.exe
    ShellExecuteHooks-{52A96517-3690-45C7-98A9-1DD379F9D9B5} - C:\WINDOWS\system32\khfdeFxY.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Bibhash\Application Data\Mozilla\Firefox\Profiles\3av6d288.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.bsplayer-search.com/startpage
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-19 04:22:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\mdwawkao.ini 294 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Styler\Styler.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Combo-Fix\pv.cfexe
    .
    **************************************************************************
    .
    Completion time: 2008-09-19 4:23:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-18 22:53:49

    Pre-Run: 43,855,466,496 bytes free
    Post-Run: 44,707,328,000 bytes free

    269


My problem is that I still get an occasional pop-up while running IE7 (around every 5 mins), and the PcHealthCenter folder is still there in my C:\Program Files.
Please tell me what I should do to fix this! Thanks to your previous instructions, the annoying MicroAV window is gone :)

