softwarereferral.com

[bprabhuram]

Sir

The above link appears whenever I open IE.

A new window always opens whenever IE is started and directs to this site.A Internet warning appears to download some site or other

I have downloaded DSS and the log is as below.

But I didnt get additional window as described in other threads which explained how to use DSS.



Pl help me out

Rgds

Prabhu ram

Deckard's System Scanner v20071014.68
Run by Prabhuram on 2007-12-30 11:11:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Prabhuram.exe) -------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:11:59 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Prabhuram\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\PRABHU~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Prabhuram\Local Settings\Temporary Internet Files\Content.IE5\WKCA02HK\install_sbd_en[1].exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDFC33B5-06F0-4C5D-9B55-BAD110D447D3}: NameServer = 202.54.12.164 202.54.29.5
O21 - SSODL: bvtqfvx - {3A73DE93-81D5-45C6-8F8F-2EC6999ED18F} - C:\WINDOWS\bvtqfvx.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


-- Files created between 2007-11-30 and 2007-12-30 -----------------------------

2007-12-27 10:27:08 0 d-------- C:\WINDOWS\system32\appmgmt
2007-12-27 09:56:58 0 d--hs---- C:\FOUND.014
2007-12-26 22:55:53 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-12-26 22:21:06 0 d-------- C:\Program Files\TrustedAntivirus
2007-12-26 21:56:16 0 d--hs---- C:\FOUND.013
2007-12-25 21:51:54 221184 --a------ C:\WINDOWS\bvtqfvx.dll
2007-12-25 21:51:48 86016 --a------ C:\WINDOWS\fvkwdrt.exe
2007-12-24 20:26:59 16752 --a------ C:\Documents and Settings\Prabhuram\Application Data\GDIPFONTCACHEV1.DAT
2007-12-23 09:40:28 0 d--hs---- C:\FOUND.012
2007-12-19 17:33:11 0 d-------- C:\Program Files\TERMINAL Studio
2007-12-19 15:22:48 0 d-------- C:\Program Files\PilotGroup
2007-12-12 19:17:44 0 d--hs---- C:\FOUND.011


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBI"="C:\Documents and Settings\Prabhuram\Local Settings\Temporary Internet Files\Content.IE5\WKCA02HK\install_sbd_en[1].exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bvtqfvx"= {3A73DE93-81D5-45C6-8F8F-2EC6999ED18F} - C:\WINDOWS\bvtqfvx.dll [12/25/2007 02:10 PM 221184]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c721b376-5ed8-11dc-99a1-001676a26f66}]
AutoRun\command- G:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2007-12-30 11:12:10 ------------

[tetonbob]

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

Click on "Check All"

Click on "Uncheck All"

On the right side, under Extra Log, check all except "Event Logs".

Click Scan!

When finished, it shall produce a log for you. Post that log in your next reply.

---------------------------------------------------------------------------------------------

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   Link 3
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disconnect from the internet....pull the plug!
   
3. Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked
   
   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
   
   Close HijackThis now.
   
   ---------------------------------------------------------------------------------------------
   
4. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
5. Double click on combofix.exe & follow the prompts. Type 1, then press Enter to start the fix.
   
6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
7. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
8. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
9. Re-establish an internet connection.
   
10. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
    
    ---------------------------------------------------------------------------------------------

So, please return with logs from:

DSS (extra.txt)
ComboFix
HijackThis

[bprabhuram]

Dear Sir

Thanks for the reply.

ComboFix 08-01-02.1 - Prabhuram 2008-01-02 14:05:41.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT 5.5:30]
Running from: C:\Documents and Settings\Prabhuram\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Prabhuram\Favorites\Error Cleaner.url
C:\Documents and Settings\Prabhuram\Favorites\Privacy Protector.url
C:\Documents and Settings\Prabhuram\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\bvtqfvx.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\fvkwdrt.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-02 14:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 10:48 . 2007-12-30 10:48 <DIR> d-------- C:\Deckard
2007-12-27 09:56 . 2007-12-27 09:56 <DIR> d--hs---- C:\FOUND.014
2007-12-26 22:21 . 2007-12-26 22:21 <DIR> d-------- C:\Program Files\TrustedAntivirus
2007-12-26 22:21 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-26 21:56 . 2007-12-26 21:56 <DIR> d--hs---- C:\FOUND.013
2007-12-24 20:26 . 2007-12-24 20:27 16,752 --a------ C:\Documents and Settings\Prabhuram\Application Data\GDIPFONTCACHEV1.DAT
2007-12-23 09:40 . 2007-12-23 09:40 <DIR> d--hs---- C:\FOUND.012
2007-12-19 17:33 . 2007-12-19 17:33 <DIR> d-------- C:\Program Files\TERMINAL Studio
2007-12-19 15:22 . 2007-12-19 15:22 <DIR> d-------- C:\Program Files\PilotGroup
2007-12-12 19:17 . 2007-12-12 19:17 <DIR> d--hs---- C:\FOUND.011

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-25 00:53 24,192 ----a-w C:\Documents and Settings\Prabhuram\usbsermptxp.sys
2007-07-25 00:53 22,768 ----a-w C:\Documents and Settings\Prabhuram\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBI"="C:\Documents and Settings\Prabhuram\Local Settings\Temporary Internet Files\Content.IE5\WKCA02HK\install_sbd_en[1].exe" [ ]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c721b376-5ed8-11dc-99a1-001676a26f66}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 1424
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SBI = C:\Documents and Settings\Prabhuram\Local Settings\Temporary Internet Files\Content.IE5\WKCA02HK\install_sbd_en[1].exe?? ???"???????????4?9?*&?|??9??&?|????t?p??I??????????????????)??|\??w???????????????| ?9????????w???w????????????????????t?p???9?h?@????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-02 1440
ComboFix-quarantined-files.txt 2008-01-02 08:36:40

Logfile of HijackThis v1.99.1
Scan saved at 2:08:26 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Prabhuram\Local Settings\Temporary Internet Files\Content.IE5\WKCA02HK\install_sbd_en[1].exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDFC33B5-06F0-4C5D-9B55-BAD110D447D3}: NameServer = 202.54.12.164 202.54.29.5
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe




Regards

Prabhu ram

[tetonbob]

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please do not attach logs unless requested. They are more difficult to review that way. Instead, post them in the body of the reply.

Thanks.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WebVideo Support

You may receive notification that this has already been uninstalled, or is otherwsie corrupt, would you like to remove it from the list. Click on Yes, or OK.

---------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Folder::
C:\Program Files\TrustedAntivirus

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBI"=-

Save this as CFScript.txt




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

[bprabhuram]

Dear Sir

Thanks for your mail.

ComboFix 08-01-02.1 - Prabhuram 2008-01-03 1917.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT 5.5:30]
Running from: C:\Documents and Settings\Prabhuram\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Prabhuram\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\TrustedAntivirus

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-02 14:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 10:48 . 2007-12-30 10:48 <DIR> d-------- C:\Deckard
2007-12-27 09:56 . 2007-12-27 09:56 <DIR> d--hs---- C:\FOUND.014
2007-12-26 22:21 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-26 21:56 . 2007-12-26 21:56 <DIR> d--hs---- C:\FOUND.013
2007-12-24 20:26 . 2007-12-24 20:27 16,752 --a------ C:\Documents and Settings\Prabhuram\Application Data\GDIPFONTCACHEV1.DAT
2007-12-23 09:40 . 2007-12-23 09:40 <DIR> d--hs---- C:\FOUND.012
2007-12-19 17:33 . 2007-12-19 17:33 <DIR> d-------- C:\Program Files\TERMINAL Studio
2007-12-19 15:22 . 2007-12-19 15:22 <DIR> d-------- C:\Program Files\PilotGroup
2007-12-12 19:17 . 2007-12-12 19:17 <DIR> d--hs---- C:\FOUND.011

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-25 00:53 24,192 ----a-w C:\Documents and Settings\Prabhuram\usbsermptxp.sys
2007-07-25 00:53 22,768 ----a-w C:\Documents and Settings\Prabhuram\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-02_14.06.27.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 02:30:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c721b376-5ed8-11dc-99a1-001676a26f66}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 1958
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 19:07:15
ComboFix-quarantined-files.txt 2008-01-03 13:37:14
ComboFix2.txt 2008-01-02 08:36:42

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 03, 2008 8:40:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/01/2008
Kaspersky Anti-Virus database records: 501978
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 58618
Number of viruses found: 2
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 00:45:36

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Prabhuram\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Prabhuram\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Prabhuram\Local Settings\History\History.IE5\MSHist012008010320080104\index.dat Object is locked skipped
C:\Documents and Settings\Prabhuram\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Prabhuram\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Prabhuram\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Prabhuram\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Prabhuram\ntuser.dat Object is locked skipped
C:\Program Files\Hijackthis\backups\backup-20071230-000409-863.dll Object is locked skipped
C:\System Volume Information\_restore{48616B48-4623-4EA2-83BB-996649BACC74}\RP42\A0056834.dll Object is locked skipped
C:\System Volume Information\_restore{48616B48-4623-4EA2-83BB-996649BACC74}\RP44\A0056901.DLL Infected: not-a-virus:AdWare.Win32.Agent.ze skipped
C:\System Volume Information\_restore{48616B48-4623-4EA2-83BB-996649BACC74}\RP44\A0056902.exe Object is locked skipped
C:\System Volume Information\_restore{48616B48-4623-4EA2-83BB-996649BACC74}\RP45\change.log Object is locked skipped
C:\Deckard\System Scanner\20071230110314\backup\DOCUME~1\PRABHU~1\LOCALS~1\Temp\ProductPath\pgs.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Deckard\System Scanner\20071230110314\backup\DOCUME~1\PRABHU~1\LOCALS~1\Temp\~uga6psetup.exe/file14 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Deckard\System Scanner\20071230110314\backup\DOCUME~1\PRABHU~1\LOCALS~1\Temp\~uga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Deckard\System Scanner\20071230110314\backup\DOCUME~1\PRABHU~1\LOCALS~1\Temp\~uga6psetup.exe/file23 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Deckard\System Scanner\20071230110314\backup\DOCUME~1\PRABHU~1\LOCALS~1\Temp\~uga6psetup.exe/file24 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Deckard\System Scanner\20071230110314\backup\DOCUME~1\PRABHU~1\LOCALS~1\Temp\~uga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Deckard\System Scanner\20071230110314\backup\DOCUME~1\PRABHU~1\LOCALS~1\Temp\~uga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Deckard\System Scanner\20071230110314\backup\DOCUME~1\PRABHU~1\LOCALS~1\Temp\~uga6psetup.exe Inno: infected - 6 skipped
C:\QooBox\Quarantine\C\WINDOWS\bvtqfvx.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ze skipped
C:\QooBox\Quarantine\C\WINDOWS\fvkwdrt.exe.vir Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{48616B48-4623-4EA2-83BB-996649BACC74}\RP45\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{48616B48-4623-4EA2-83BB-996649BACC74}\RP45\change.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 8:40:58 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDFC33B5-06F0-4C5D-9B55-BAD110D447D3}: NameServer = 202.54.12.164 202.54.29.5
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



Rgds

Prabhu ram

[tetonbob]

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• FIREWALL
  If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here
  
  Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[bprabhuram]

Dear Sir

The problem seems to have vanished and many thanks for your same.

We are delighted at your services and your altruistic service.

Rgds

DBP

[tetonbob]

You're quite welcome for the help.

Surf Safely!