Old 03-29-2009, 07:38 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Attacked by a trojan ? Generic13.KUA

I have been having this problem for the last week but have not found any solution when I searched the internet.

I use a Pentium dual core duo machine running Windows XP and use the free version of AVG. I browse primarily with Firefox. AVG has been popping up messages about a Trojan horse Generic13.KUA infection but is not able to clear it.
It shows that the file c:\windows\cssrs.exe is affected.
The process names that are affected include:

install.exe files found in the directories of C, D, E, F and also J (the removable drive). I noticed that these install.exe files are generated automatically in all my drives, including the removable ones.
c:\windows\javas.exe
c:\windows\explorer.exe

The computer is also running slower than usual. Some of the file associations are also going haywire. Sometimes the system also shows errors associated with DirectX. Help is really appreciated.

Thank you in advance. This is a copy of my DDS.txt:



DDS (Ver_09-03-16.01) - NTFSx86
Run by Hisham at 18:48:44.68 on Sun 03/29/09
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2138 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Farstone\VirtualHardDrive\RdTask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\WINDOWS\pluscri.exe
J:\install.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\javas.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DEProNetDetect.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\components\XEN\DEProHttpD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\voip\voip platform\Bin\PhoneMIdServerUI.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hisham\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: IECatcher Class: {0682e46a-7040-4049-a6fd-0bcfbc673ad8} - c:\program files\flashdownloader\IntQd.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {FC3C24D3-4B56-4D13-BC64-EF3CCA1498BE} - No File
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Dewan Eja Pro] c:\program files\the name technology\dewan eja pro\DewanEjaPro.exe
uRun: [L08AXLRD_43890296] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Six Engine] "c:\program files\asus\epu-4 engine\FourEngine.exe" -r
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Dewan Eja Pro Config] c:\progra~1\thenam~1\dewane~1\deconfig.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RamDrive] c:\program files\farstone\virtualharddrive\RdTask.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire\Corel Photo Downloader.exe
mRun: [3DNADesktop] "c:\program files\3dna\resources\3dnasys.exe" -open
mRun: [pluscri] c:\windows\pluscri.exe
mRun: [cssrs] c:\windows\cssrs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\phonem~1.lnk - c:\program files\voip\voip platform\bin\PhoneMIdServerUI.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download by FlashDownloader - c:\program files\flashdownloader\IntQd.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open and Translate in Word
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\web2~1\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\windows\system32\wowctl2.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hisham\applic~1\mozilla\firefox\profiles\kcy65f8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\program files\common files\parallelgraphics\cortona\npCortona.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCortona.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-16 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 107272]
R1 EIO_XP;EIO_XP;c:\windows\system32\drivers\EIO_XP.sys [2008-11-16 12288]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-16 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-16 298264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-11-16 36864]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D32.sys [2008-11-16 10752]
S2 gupdate1c99e47c47625ba;Google Update Service (gupdate1c99e47c47625ba);c:\program files\google\update\GoogleUpdate.exe [2009-3-6 133104]
S3 IRISUSB;IRIS USB Smart Card Reader;c:\windows\system32\drivers\irisuxp.sys [2009-3-19 25600]
S3 NuVision;Hauppauge WinTV USB Pro (PAL B/G,D/K);c:\windows\system32\drivers\NUVision.sys [2009-3-8 260144]

=============== Created Last 30 ================

2009-03-28 16:36 <DIR> --d----- c:\docume~1\hisham\applic~1\SYSTRAN
2009-03-27 18:33 <DIR> --d----- c:\windows\system32\Lang
2009-03-26 20:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-26 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-26 08:03 286,720 ----h--- C:\install.exe
2009-03-26 08:03 163 ----h--- C:\autorun.inf
2009-03-25 07:45 184,320 ----h--- c:\windows\cssrs.exe
2009-03-25 07:45 229,376 a------- c:\windows\pksamto17samto17.bak
2009-03-25 07:45 229,376 ----h--- c:\windows\pluscri.exe
2009-03-25 07:45 286,720 ----h--- c:\windows\javas.exe
2009-03-24 14:07 <DIR> --d----- C:\statistics
2009-03-20 00:06 <DIR> --d----- c:\program files\PTTSB
2009-03-19 19:13 <DIR> --d----- c:\windows\system32\URTTEMP
2009-03-19 17:08 <DIR> --d----- C:\mycard integtrator
2009-03-19 16:32 25,600 a------- c:\windows\system32\drivers\irisuxp.sys
2009-03-19 16:32 81,920 a------- c:\windows\system32\forinst.dll
2009-03-19 16:32 40,960 a------- c:\windows\system32\regdelete.exe
2009-03-19 16:32 40,960 a------- c:\windows\system32\infremove.exe
2009-03-18 10:22 <DIR> --d----- c:\program files\MyWay
2009-03-18 10:21 <DIR> --d----- c:\program files\DAMN NFO Viewer
2009-03-18 09:57 <DIR> --d----- c:\program files\Foxit Software
2009-03-17 22:46 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-17 22:46 1,409 a------- c:\windows\QTFont.for
2009-03-17 11:28 <DIR> --d----- c:\program files\MultiExtractor
2009-03-17 11:23 <DIR> --d----- c:\docume~1\hisham\applic~1\MultiExtractor
2009-03-15 00:44 <DIR> --d----- c:\docume~1\hisham\applic~1\Fabulous Finds
2009-03-15 00:43 <DIR> --d----- c:\program files\LeeGTs Games
2009-03-14 11:00 110 a------- c:\windows\system32\test.aok
2009-03-08 11:09 2,950 a------- c:\windows\vtplus32.ini
2009-03-08 11:09 <DIR> --d----- c:\program files\vtplus
2009-03-08 11:08 89,600 a------- c:\windows\system32\MSCAL.OCX
2009-03-08 11:08 65,536 a------- c:\windows\system32\dmcrypto.dll
2009-03-08 11:08 53,312 a------- c:\windows\system32\CHSUITE.OCX
2009-03-08 11:08 110,592 a------- c:\windows\system32\hcwsched.ocx
2009-03-08 11:08 53,248 a------- c:\windows\system32\hcwsched.dll
2009-03-08 11:08 77,824 a------- c:\windows\system32\hcwsplit.ax
2009-03-08 11:08 69,632 a------- c:\windows\system32\hcwfread.ax
2009-03-08 11:08 53,248 a------- c:\windows\system32\MDCustomPanels.ocx
2009-03-08 11:08 53,248 a------- c:\windows\system32\hcwfwrit.ax
2009-03-08 11:08 <DIR> --d----- c:\windows\system32\hauppauge
2009-03-08 11:08 569 a------- c:\windows\HCWPNP.INI
2009-03-08 11:08 <DIR> --d----- c:\program files\WinTV
2009-03-07 17:18 <DIR> --d----- c:\program files\WS_FTP
2009-03-07 16:41 <DIR> --d----- c:\program files\phpDesigner
2009-03-07 16:41 <DIR> --d----- c:\docume~1\hisham\applic~1\phpDesigner
2009-03-07 14:58 <DIR> --d----- c:\program files\Pinecoast
2009-03-07 14:40 <DIR> --d----- c:\program files\ParallelGraphics
2009-03-07 14:40 <DIR> --d----- c:\program files\common files\ParallelGraphics
2009-03-07 12:08 <DIR> --d----- c:\program files\IMSI
2009-03-07 11:05 <DIR> --d----- c:\program files\Sweet Home 3D
2009-03-06 18:37 <DIR> --d----- C:\speech1
2009-03-06 17:03 <DIR> --d----- c:\program files\Microsoft Speech SDK 5.1
2009-03-06 17:02 <DIR> --d----- C:\speech
2009-03-01 02:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-03-01 02:34 <DIR> --d----- c:\program files\common files\Corel
2009-03-01 02:33 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-01 02:33 88 ---shr-- c:\windows\system32\C3A29D82A6.sys
2009-03-01 02:17 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-28 21:04 <DIR> --d----- c:\program files\Zeallsoft

==================== Find3M ====================

2009-03-29 02:10 196,608 a------- c:\windows\system32\drivers\nStandard.bin
2009-02-28 21:39 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-09 19:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-01-27 11:22 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-20 13:24 103,714,297 a------- C:\New WinRAR ZIP archive.zip
2009-01-20 13:24 103,714,297 a------- C:\Copy of New WinRAR ZIP archive.zip
2008-12-28 01:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-12-26 19:51 2,523 a------- c:\program files\common files\unins000.dat
2008-12-26 19:51 728,858 a------- c:\program files\common files\unins000.exe
2008-12-11 00:14 8 ---shr-- c:\docume~1\alluse~1\applic~1\C3A29D82A6.sys
2008-03-09 07:25 236 a---h--- c:\program files\common files\dx.reg
2006-06-25 06:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 18:49:05.81 ===============
Attached Files
File Type: zip Attach.zip (4.3 KB, 1 views)
HishamK is offline  
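As an added triage example (not part of the thread, and not a tool shipped with DDS or AVG), the script below re-reads a few lines of the DDS log above and does what an analyst does by hand: it matches each uRun/mRun autostart target against the "Created Last 30" listing and flags targets that are hidden files dropped directly into c:\windows or a drive root, lists the files written in the same minute as a flagged file (a dropper's companions), and finds autorun.inf/executable pairs written together to a drive root, which is the pattern behind the install.exe files the poster sees on every drive. The sample lines are copied from the posted log; the line formats are inferred from it and are assumptions, not a documented DDS specification.

```python
"""Triage helper for a DDS log (added example; not from DDS, AVG or the thread)."""
import re
from collections import namedtuple

Created = namedtuple("Created", "date time size attrs path")

# Constructed sample: a subset of the uRun/mRun lines from the posted log.
SAMPLE_HJT = r"""uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [pluscri] c:\windows\pluscri.exe
mRun: [cssrs] c:\windows\cssrs.exe
"""

# Constructed sample: a subset of the "Created Last 30" lines from the posted log.
SAMPLE_CREATED = r"""2009-03-26 20:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-26 08:03 286,720 ----h--- C:\install.exe
2009-03-26 08:03 163 ----h--- C:\autorun.inf
2009-03-25 07:45 184,320 ----h--- c:\windows\cssrs.exe
2009-03-25 07:45 229,376 a------- c:\windows\pksamto17samto17.bak
2009-03-25 07:45 229,376 ----h--- c:\windows\pluscri.exe
2009-03-25 07:45 286,720 ----h--- c:\windows\javas.exe
2009-03-19 16:32 25,600 a------- c:\windows\system32\drivers\irisuxp.sys
"""

# Assumed layout: "<date> <time> <size or <DIR>> <8 attribute flags> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$")
# A file sitting directly in a drive root or directly in c:\windows.
ROOT_OR_WINDOWS_RE = re.compile(r"^[a-z]:\\(windows\\)?[^\\]+$")


def parse_created(text):
    """Parse 'Created Last 30' lines; paths are lower-cased for matching."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            entries.append(Created(date, time, size, attrs, path.lower()))
    return entries


def run_target(line):
    """Executable path from a uRun/mRun line, or None for any other line.
    Quoted targets end at the closing quote; unquoted ones may contain
    spaces, so the heuristic cuts after the first '.exe'."""
    m = re.match(r"^[um]Run: \[[^\]]*\] (.*)$", line.strip())
    if not m:
        return None
    rest = m.group(1)
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    k = rest.lower().find(".exe")
    return rest[:k + 4] if k >= 0 else rest


def suspicious_autostarts(hjt_text, created_text):
    """Autostart targets that are hidden files created in the last 30 days
    directly in a drive root or in c:\\windows, where legitimate installers
    rarely place their executables."""
    created = {c.path: c for c in parse_created(created_text)}
    hits = []
    for line in hjt_text.splitlines():
        target = run_target(line)
        c = created.get(target.lower()) if target else None
        if c and "h" in c.attrs and ROOT_OR_WINDOWS_RE.match(c.path):
            hits.append(c.path)
    return hits


def autorun_pairs(created_text):
    """(autorun.inf, hidden executable) pairs written to the same drive root
    in the same minute: the footprint of an autorun-spreading dropper."""
    by_root = {}
    for c in parse_created(created_text):
        m = re.match(r"^([a-z]:\\)[^\\]+$", c.path)
        if m:
            by_root.setdefault(m.group(1), []).append(c)
    pairs = []
    for root in sorted(by_root):
        entries = by_root[root]
        for inf in (e for e in entries if e.path.endswith("autorun.inf")):
            for e in entries:
                if (e.path.endswith(".exe") and "h" in e.attrs
                        and (e.date, e.time) == (inf.date, inf.time)):
                    pairs.append((inf.path, e.path))
    return pairs


def created_alongside(created_text, path):
    """Other entries written in the same minute as `path`; a dropper writes
    its companion files together, so they share a creation timestamp."""
    created = parse_created(created_text)
    ref = next((c for c in created if c.path == path.lower()), None)
    if ref is None:
        return []
    return sorted(c.path for c in created
                  if c is not ref and (c.date, c.time) == (ref.date, ref.time))


if __name__ == "__main__":
    for p in suspicious_autostarts(SAMPLE_HJT, SAMPLE_CREATED):
        print("hidden autostart:", p, "written with:", created_alongside(SAMPLE_CREATED, p))
    print("autorun pairs:", autorun_pairs(SAMPLE_CREATED))
```

On the sample, the two flagged autostarts are c:\windows\pluscri.exe and c:\windows\cssrs.exe, the files written in the same minute as cssrs.exe are javas.exe, pksamto17samto17.bak and pluscri.exe, and the one autorun pair is C:\autorun.inf with C:\install.exe; that is the same cluster AVG is reporting, reached from the log alone. Running the script against a real DDS.txt only needs the two sections read from the file instead of the embedded samples.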
Old 03-29-2009, 12:15 PM   #2 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

Hello and welcome to Tech Support Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!
__________________


Member of ASAP
km2357 is offline  
Old 03-29-2009, 12:31 PM   #3 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

Step # 1: Disable Teatimer

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it will produce a log. Please post C:\ComboFix.txt in your next reply.
__________________


Member of ASAP
km2357 is offline  
Old 03-30-2009, 01:15 AM   #4 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Re: Attacked by a trojan ? Generic13.KUA

Thank you for the prompt reply.
I have disabled the TeaTimer as you mentioned.
I was, however, unable to disable my AVG free antivirus software (8.0), despite looking in vain on the net for ways to do it. I only managed to turn off the system tray component and switch the resident shield off, but I don't think it did any good.

So I ran ComboFix just as well, but it did not generate any result.
Upon reactivation, AVG still showed the threat.

Please help.
HishamK is offline  
Old 03-30-2009, 06:57 AM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Re: Attacked by a trojan ? Generic13.KUA

Reposting this due to some new findings:
1. The ComboFix log file was not being saved initially.
2. Later, the folder c:\combofix also could not be opened until I renamed it and opened it, but it was empty.
3. I found a new folder named c:\Qoobox containing two other folders named BackEnv and Quarantine and also some files named ComboFix2.txt, ComboFix3.txt and ComboFix4.txt. I could only open them after I renamed them. Here is the content of ComboFix4.txt:


ComboFix 09-03-29.02 - Hisham 2009-03-30 14:23:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2290 [GMT 8:00]
Running from: c:\documents and settings\Hisham\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\install.exe
c:\program files\MyWay
c:\windows\cssrs.exe
c:\windows\ggcktxt.txt
c:\windows\ggcktxt1.txt
E:\Autorun.inf
E:\install.exe
F:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-30 14:28 . 2009-03-30 14:28 184,320 --a------ c:\windows\cssrs.exe
2009-03-28 16:36 . 2009-03-28 16:36 <DIR> d-------- c:\documents and settings\Hisham\Application Data\SYSTRAN
2009-03-27 18:33 . 2009-03-27 18:33 <DIR> d-------- c:\windows\system32\Lang
2009-03-26 20:24 . 2009-03-26 20:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-26 20:24 . 2009-03-26 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 07:45 . 2009-03-11 14:44 286,720 ---h----- c:\windows\javas.exe
2009-03-25 07:45 . 2009-03-25 07:45 229,376 ---h----- c:\windows\pluscri.exe
2009-03-25 07:45 . 2009-03-25 07:45 229,376 --a------ c:\windows\pksamto17samto17.bak
2009-03-24 14:07 . 2009-03-28 02:00 <DIR> d-------- C:\statistics
2009-03-20 00:06 . 2009-03-20 00:06 <DIR> d-------- c:\program files\PTTSB
2009-03-19 19:13 . 2009-03-19 19:13 <DIR> d-------- c:\windows\system32\URTTEMP
2009-03-19 17:08 . 2009-03-20 00:15 <DIR> d-------- C:\mycard integtrator
2009-03-19 16:32 . 2001-08-30 18:58 81,920 --a------ c:\windows\system32\forinst.dll
2009-03-19 16:32 . 2001-09-22 12:06 40,960 --a------ c:\windows\system32\regdelete.exe
2009-03-19 16:32 . 2001-10-03 12:35 40,960 --a------ c:\windows\system32\infremove.exe
2009-03-19 16:32 . 2004-02-06 14:59 25,600 --a------ c:\windows\system32\drivers\irisuxp.sys
2009-03-18 10:21 . 2009-03-18 10:21 <DIR> d-------- c:\program files\DAMN NFO Viewer
2009-03-18 09:57 . 2009-03-18 09:57 <DIR> d-------- c:\program files\Foxit Software
2009-03-17 22:46 . 2009-03-29 09:46 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-17 22:46 . 2009-03-17 22:46 1,409 --a------ c:\windows\QTFont.for
2009-03-17 11:28 . 2009-03-17 11:29 <DIR> d-------- c:\program files\MultiExtractor
2009-03-17 11:23 . 2009-03-17 11:23 <DIR> d-------- c:\documents and settings\Hisham\Application Data\MultiExtractor
2009-03-15 00:44 . 2009-03-15 00:44 <DIR> d-------- c:\documents and settings\Hisham\Application Data\Fabulous Finds
2009-03-15 00:43 . 2009-03-15 00:43 <DIR> d-------- c:\program files\LeeGTs Games
2009-03-14 11:00 . 2009-03-14 23:39 110 --a------ c:\windows\system32\test.aok
2009-03-08 11:09 . 2009-03-08 11:09 <DIR> d-------- c:\program files\vtplus
2009-03-08 11:09 . 2009-03-08 11:42 2,950 --a------ c:\windows\vtplus32.ini
2009-03-08 11:08 . 2009-03-08 11:08 <DIR> d-------- c:\windows\system32\hauppauge
2009-03-08 11:08 . 2009-03-08 11:09 <DIR> d-------- c:\program files\WinTV
2009-03-08 11:08 . 2001-10-12 13:09 110,592 --a------ c:\windows\system32\hcwsched.ocx
2009-03-08 11:08 . 1998-06-26 00:00 89,600 --a------ c:\windows\system32\MSCAL.OCX
2009-03-08 11:08 . 2002-12-17 11:15 77,824 --a------ c:\windows\system32\hcwsplit.ax
2009-03-08 11:08 . 2002-12-18 17:02 69,632 --a------ c:\windows\system32\hcwfread.ax
2009-03-08 11:08 . 2002-12-27 13:33 65,536 --a------ c:\windows\system32\dmcrypto.dll
2009-03-08 11:08 . 2001-08-02 14:48 53,312 --a------ c:\windows\system32\CHSUITE.OCX
2009-03-08 11:08 . 2001-01-12 12:02 53,248 --a------ c:\windows\system32\MDCustomPanels.ocx
2009-03-08 11:08 . 2003-01-31 17:19 53,248 --a------ c:\windows\system32\hcwsched.dll
2009-03-08 11:08 . 2002-10-31 22:32 53,248 --a------ c:\windows\system32\hcwfwrit.ax
2009-03-08 11:08 . 2009-03-08 11:08 569 --a------ c:\windows\HCWPNP.INI
2009-03-07 17:18 . 2009-03-07 17:18 <DIR> d-------- c:\program files\WS_FTP
2009-03-07 16:41 . 2009-03-07 16:42 <DIR> d-------- c:\program files\phpDesigner
2009-03-07 16:41 . 2009-03-07 17:45 <DIR> d-------- c:\documents and settings\Hisham\Application Data\phpDesigner
2009-03-07 14:58 . 2009-03-07 14:58 <DIR> d-------- c:\program files\Pinecoast
2009-03-07 14:40 . 2009-03-07 14:40 <DIR> d-------- c:\program files\ParallelGraphics
2009-03-07 14:40 . 2009-03-07 14:40 <DIR> d-------- c:\program files\Common Files\ParallelGraphics
2009-03-07 12:08 . 2009-03-07 12:08 <DIR> d-------- c:\program files\IMSI
2009-03-07 11:05 . 2009-03-28 18:58 <DIR> d-------- c:\program files\Sweet Home 3D
2009-03-06 18:37 . 2009-03-06 18:37 <DIR> d-------- C:\speech1
2009-03-06 18:24 . 2009-03-06 18:39 <DIR> d-------- c:\program files\Google
2009-03-06 18:24 . 2009-03-30 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-03-06 17:03 . 2009-03-06 17:03 <DIR> d-------- c:\program files\Microsoft Speech SDK 5.1
2009-03-06 17:02 . 2009-03-06 17:03 <DIR> d-------- C:\speech
2009-03-01 02:35 . 2009-03-29 12:44 <DIR> d-------- c:\documents and settings\Hisham\Application Data\Corel
2009-03-01 02:34 . 2009-03-01 02:34 <DIR> d-------- c:\program files\Common Files\Corel
2009-03-01 02:34 . 2009-03-01 02:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Corel
2009-03-01 02:33 . 2009-03-29 14:59 2,516 --ahs---- c:\windows\system32\KGyGaAvL.sys
2009-03-01 02:33 . 2009-03-01 02:35 88 -r-hs---- c:\windows\system32\C3A29D82A6.sys
2009-02-28 21:04 . 2009-02-28 21:04 <DIR> d-------- c:\program files\Zeallsoft
2009-02-26 20:42 . 2009-02-26 20:45 <DIR> d-------- c:\documents and settings\Hisham\Application Data\FiatLuxImaging
2009-02-26 20:41 . 2009-02-26 20:41 <DIR> d-------- c:\program files\FiatLux Imaging
2009-02-23 21:48 . 2009-02-23 21:48 <DIR> d-------- c:\program files\Ubisoft
2009-02-23 16:38 . 2009-02-23 16:38 <DIR> d-------- C:\$WIN_NT$.~BT
2009-02-23 16:38 . 2008-04-14 13:34 480,367 -ra------ C:\txtsetup.sif
2009-02-23 16:38 . 2008-04-14 06:02 260,288 -ra------ C:\$LDR$
2009-02-23 00:03 . 2009-02-23 00:03 <DIR> d-------- c:\windows\USB Vibration
2009-02-22 21:39 . 2009-02-22 21:39 36 --a------ c:\windows\PatchSettings.cfg
2009-02-22 21:22 . 2009-02-22 21:22 <DIR> d-------- c:\program files\USB Vibration
2009-02-19 21:33 . 2009-03-07 17:22 <DIR> d---s---- C:\malabar
2009-02-19 21:29 . 2009-02-19 21:29 <DIR> d-------- c:\program files\Microsoft Expression
2009-02-19 15:20 . 2009-02-19 15:20 <DIR> d-------- c:\program files\Mufid
2009-02-07 22:25 . 2009-02-07 22:26 <DIR> d-------- C:\web
2009-02-07 18:02 . 2009-02-07 18:02 <DIR> d-------- c:\program files\subtitles
2009-02-06 23:49 . 2009-02-06 23:49 <DIR> d-------- c:\program files\Xider
2009-02-06 22:14 . 2009-02-06 22:14 <DIR> d-------- c:\program files\Sierra On-Line
2009-02-06 22:14 . 2009-02-06 22:14 <DIR> d-------- C:\Papyrus
2009-02-06 22:14 . 26747-11-29 11:30 2,016 --a------ c:\windows\system32\drivers\papycpu2.sys
2009-02-06 22:14 . 26747-11-29 11:30 1,888 --a------ c:\windows\system32\drivers\papyjoy.sys
2009-02-06 22:13 . 2009-02-06 22:13 <DIR> d-------- c:\documents and settings\Hisham\WINDOWS
2009-02-06 22:13 . 2009-02-06 22:14 230 --a------ c:\windows\SIERRA.INI
2009-02-04 21:48 . 2009-02-04 21:48 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-02-01 22:16 . 2009-02-05 12:50 <DIR> d-------- c:\program files\Talisman 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 06:28 --------- d-----w c:\documents and settings\Hisham\Application Data\Skype
2009-03-30 06:28 --------- d-----w c:\documents and settings\Hisham\Application Data\Orbit
2009-03-30 05:50 --------- d-----w c:\documents and settings\Hisham\Application Data\skypePM
2009-03-28 18:10 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-03-26 15:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-24 04:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-19 13:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-18 01:26 --------- d-----w c:\program files\DigiCel
2009-03-07 09:18 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 06:52 --------- d-----w c:\program files\Orbitdownloader
2009-02-28 18:35 --------- d-----w c:\program files\Corel
2009-02-28 18:17 --------- d-----w c:\program files\Democracy
2009-02-28 13:39 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-19 22:32 --------- d-----w c:\documents and settings\Hisham\Application Data\AVGTOOLBAR
2009-01-20 05:24 103,714,297 ----a-w C:\New WinRAR ZIP archive.zip
2009-01-20 05:24 103,714,297 ----a-w C:\Copy of New WinRAR ZIP archive.zip
2008-12-27 17:51 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-26 11:51 728,858 ----a-w c:\program files\Common Files\unins000.exe
2008-12-26 11:51 2,523 ----a-w c:\program files\Common Files\unins000.dat
2008-12-18 12:37 737,280 ----a-w c:\windows\iun6002.exe
2008-12-10 16:14 8 --sh--r c:\documents and settings\All Users\Application Data\C3A29D82A6.sys
2008-03-08 23:25 236 ---ha-w c:\program files\Common Files\dx.reg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2008-03-07 1130496]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Dewan Eja Pro"="c:\program files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe" [2005-05-30 119296]
"L08AXLRD_43890296"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 351000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-07 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-06-25 5625344]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-10-23 380928]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-27 1601304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Dewan Eja Pro Config"="c:\progra~1\THENAM~1\DEWANE~1\deconfig.exe" [2005-05-26 147456]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"RamDrive"="c:\program files\Farstone\VirtualHardDrive\RdTask.exe" [2007-03-02 135168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-08-04 462336]
"pluscri"="c:\windows\pluscri.exe" [2009-03-25 229376]
"cssrs"="c:\windows\cssrs.exe" [2009-03-30 184320]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-11-17 1690824]
PhoneMidServerUI.lnk - c:\program files\voip\voip platform\Bin\PhoneMIdServerUI.exe [2008-12-28 315497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-27 11:22 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"VIDC.NTN1"= nuvision.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"e:\\worm\\WORMS 4 MAYHEM.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\HeidiSQL\\heidisql.exe"=
"f:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Xider\\EsR\\Game.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Expression\\Web 2\\WebDesigner\\EXPRWD.EXE"=
"c:\\Program Files\\Ubisoft\\Prince of Persia\\Prince of Persia.exe"=
"c:\\Program Files\\Ubisoft\\Prince of Persia\\PrinceOfPersia_Launcher.exe"=
"f:\\Islam\\batch\\URL2FILE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22176:TCP"= 22176:TCP:127.0.0.1/255.255.255.255:Enabled:Dewan Eja Pro Http Daemon

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 298264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-11-16 36864]
S2 gupdate1c99e47c47625ba;Google Update Service (gupdate1c99e47c47625ba);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 133104]
S3 IRISUSB;IRIS USB Smart Card Reader;c:\windows\system32\drivers\irisuxp.sys [2009-03-19 25600]
S3 NuVision;Hauppauge WinTV USB Pro (PAL B/G,D/K);c:\windows\system32\drivers\NUVision.sys [2009-03-08 260144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0fbba15-c7db-11dd-8895-0022158490f3}]
\Shell\AutoRun\command - gkbrewsv.com
\Shell\explore\Command - gkbrewsv.com
\Shell\open\Command - gkbrewsv.com
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 19:12]

2009-03-30 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 18:38]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Active Desktop Calendar - c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe
HKLM-Run-3DNADesktop - c:\program files\3DNA\Resources\3dnasys.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download by FlashDownloader - c:\program files\FlashDownloader\IntQd.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open and Translate in Word
FF - ProfilePath - c:\documents and settings\Hisham\Application Data\Mozilla\Firefox\Profiles\kcy65f8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 14:28:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4F56E727-0A5D-9C93-99600FC5295CA3F5}\{8257E326-E765-C505-3AEB2DA5981E86BA}\{7ADCE296-1D79-0777-094B0CE9C6E4DF1E}*]
"GG2KGGPNIIGO4BVBD4BQHYVQFA1"=hex:01,00,01,00,00,00,00,00,e0,92,fd,62,05,19,43,
a9,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}*]
"GG2KGGPNIIGO4BVBD4BQHYVQFA1"=hex:01,00,01,00,00,00,00,00,e0,92,fd,62,05,19,43,
a9,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CE901474-3557-00BE-0B74D16C6C9B8223}\{8B1B0984-A0E2-36AE-AE0ABC7DD3EE1D9C}\{C1D3D6EB-516B-0CD4-D732D0B608CDF1EA}*]
"GG2KGGPNIIGO4BVBD4BQHYVQFA1"=hex:01,00,01,00,00,00,00,00,e0,92,fd,62,05,19,43,
a9,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\javas.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\The Name Technology\Dewan Eja Pro\DEProNetDetect.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-03-30 14:31:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 06:31:25

Pre-Run: 142,579,793,920 bytes free
Post-Run: 142,726,541,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

297 --- E O F --- 2009-03-21 18:12:38


There was also another file named Add-Remove Programs.txt, the contents of which are as follows:


1400
1400_Help
1400Trb
3DClinic
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
AiO_Scan
AiOSoftware
Al Quran Digital 2.1
Any Flv Player 2.4.1
ASUS Gamer OSD
ASUS Smart Doctor
ASUS Utilities
ASUS VGA Driver
ASUS VideoSecurity Online
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
AV301P Camera
AVG Free 8.0
Barbie - Fashion Show
Barbie(TM) Horse Adventures(TM)
BufferChm
Car Tycoon
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Corel Paint Shop Pro Photo XI
Corel Snapfire
Cortona® VRML Client
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
Dewan Eja Pro
DirectX for Managed Code Update (Summer 2004)
DirectX10 NCT Release 2
DocProc
e-Malabari News Scroller
EPU-4 Engine
EsR 1.0
eSupportQFolder
Fabulous Finds
Farm Mania
Fax
FiatLux Visualize
FlashDownloader
FloorPlan 3D v10
FLV Player 2.0, build 24
Foxit PDF Editor
Fun Morph 3.0
Google Earth
Google Update Helper
Google Updater
GTA San Andreas
Hauppauge English Help Files and Resources
Hauppauge WinTV Scheduler
Hauppauge WinTV Soft PVR
Hauppauge WinTV Source Selector
Hauppauge WinTV2000
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB952287)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
ImagXpress
Ipswitch WS_FTP LE
IrfanView (remove only)
Kamus Al Mufid 1.0
Learning Essentials for Microsoft Office
Lernout & Hauspie TruVoice American English TTS Engine
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Age of Empires II
Microsoft Expression Web 2
Microsoft Expression Web 2 MUI (English)
Microsoft Math
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Software Update for Web Folders (English) 12
Microsoft Speech SDK 5.1
Microsoft Student 2007 for Learning Essentials
Microsoft Student with Encarta Premium 2008
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.8)
MpcStar 1.7
MSDN Library - Visual Studio 6.0
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB925673)
MultiExtractor
Muslim Explorer 7 (v.2007)
MyKad Integrator 1.4 Selayang Hospital
NASCAR® Racing 4
neroxml
NewCopy
Online Manuals for WinTV (English)
Orbit Downloader
PDF Settings
phpDesigner version 6.2.2
PowerISO
Prince of Persia
ProductContext
Qur'an Viewer 2.9
QuranReciter 4.0 beta 1
Readme
Realtek High Definition Audio Driver
Satellite TV for PC
Scan
ScannerCopy
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Skins
Skype™ 3.6
SolutionCenter
Spybot - Search & Destroy
Status
SwirlX3DViewer 2.5.0
Talisman 3
TrayApp
TTSReder v1.00
Twin USB Vibration Gamepad
Unload
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Virtual Hard Drive Pro
Visual Basic 6.0
voip platform
VTPlus32 for WinTV (English)
Warcraft III
WebFldrs XP
WebReg
Windows Presentation Foundation
Windows Resource Kit Tools
Windows XP Service Pack 3
WinRAR archiver
Wireless - G DSL Router
XML Paper Specification Shared Components Pack 1.0
XviD MPEG-4 Video Codec
Yahoo! Toolbar


I also found a file called catchme.log under C:\Qoobox\Quarantine which contains the following information:

-------- Mon 03/30/09 - 14:21:27.75 -------------

file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe ( 184320 bytes )
ntfs_kill: 0
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.1 ( 184320 bytes )
C:\WINDOWS\cssrs.exe is damaged PE file
ntfs_kill: 7
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.2 ( 184320 bytes )
C:\WINDOWS\cssrs.exe is damaged PE file
ntfs_kill: 7
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.3 ( 184320 bytes )
C:\WINDOWS\cssrs.exe is damaged PE file
ntfs_kill: 7
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
read file error: C:\WINDOWS\cssrs.exe, The parameter is incorrect.
read file error: C:\WINDOWS\cssrs.exe, The parameter is incorrect.

-------- Mon 03/30/09 - 14:50:36.21 -------------

file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.4 ( 184320 bytes )
ntfs_kill: 0
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.5 ( 184320 bytes )
C:\WINDOWS\cssrs.exe is damaged PE file
ntfs_kill: 7
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.6 ( 184320 bytes )
C:\WINDOWS\cssrs.exe is damaged PE file
ntfs_kill: 7
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
read file error: C:\WINDOWS\cssrs.exe, The parameter is incorrect.

-------- Mon 03/30/09 - 19:19:47.20 -------------

file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.7 ( 184320 bytes )
ntfs_kill: 0
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.8 ( 184320 bytes )
C:\WINDOWS\cssrs.exe is damaged PE file
ntfs_kill: 7
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.9 ( 184320 bytes )
C:\WINDOWS\cssrs.exe is damaged PE file
ntfs_kill: 7
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.10 ( 184320 bytes )
C:\WINDOWS\cssrs.exe is damaged PE file
ntfs_kill: 7
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
read file error: C:\WINDOWS\cssrs.exe, The parameter is incorrect.
read file error: C:\WINDOWS\cssrs.exe, The parameter is incorrect.

-------- 2009-03-30 - 19:50:17.67 -------------


-------- Mon 03/30/09 - 20:13:24.31 -------------

file zipped: C:\WINDOWS\cssrs.exe -> _cssrs_.exe.zip -> cssrs.exe.11 ( 184320 bytes )
ntfs_kill: 0
dev_kill_file: 0
PE file "C:\WINDOWS\cssrs.exe" killed successfully
HishamK is offline  
Old 03-30-2009, 01:18 PM   #6 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

Do you recognize the following file?

f:\Islam\batch\URL2FILE.EXE


Step # 1: Download and Run Flash_Disinfector

Download Flash_Disinfector from here and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.


Step # 2: Run CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.techsupportforum.com/2051953-post5.html
    
    KILLALL::
    
    File::
    
    c:\windows\cssrs.exe
    C:\gkbrewsv.com
    
    Collect::
    
    c:\windows\javas.exe
    c:\windows\pluscri.exe
    c:\windows\pksamto17samto17.bak
    
    Registry::
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "pluscri"=-
    "cssrs"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0fbba15-c7db-11dd-8895-0022158490f3}]
    
    Regnull::
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4F56E727-0A5D-9C93-99600FC5295CA3F5}\{8257E326-E765-C505-3AEB2DA5981E86BA}\{7ADCE296-1D79-0777-094B0CE9C6E4DF1E}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CE901474-3557-00BE-0B74D16C6C9B8223}\{8B1B0984-A0E2-36AE-AE0ABC7DD3EE1D9C}\{C1D3D6EB-516B-0CD4-D732D0B608CDF1EA}*]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    Note: This CFScript is for use on hishamk's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 2 has been completed.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
__________________


Member of ASAP
km2357 is offline  
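The CFScript in Step 2 was assembled by hand from the "Reg Loading Points" section of the ComboFix log posted earlier in the thread. As an added example that is not part of this thread, of ComboFix, or of the helper's instructions, the Python script below parses a constructed excerpt of that section (built only from entries quoted above), flags the two patterns the helper's script targets (Run values whose executable sits directly in c:\windows rather than in system32 or Program Files, and mountpoints2 AutoRun/open/explore handlers), and drafts the matching File:: and Registry:: sections for an analyst to review. The regular expressions, the c:\windows heuristic and all function names are my own assumptions about the log format, not a specification published by ComboFix.

```python
import re

# Constructed sample: a trimmed 'Reg Loading Points' excerpt in the layout
# ComboFix prints, built from the entries quoted in this thread (assumed format).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-27 1601304]
"pluscri"="c:\windows\pluscri.exe" [2009-03-25 229376]
"cssrs"="c:\windows\cssrs.exe" [2009-03-30 184320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0fbba15-c7db-11dd-8895-0022158490f3}]
\Shell\AutoRun\command - gkbrewsv.com
\Shell\explore\Command - gkbrewsv.com
\Shell\open\Command - gkbrewsv.com
"""

KEY_RE = re.compile(r'^\[([^\]]+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
MOUNT_RE = re.compile(r'^\\Shell\\(\w+)\\[Cc]ommand - (.+)$')
# Heuristic (my assumption, not a ComboFix rule): an executable placed directly
# in the Windows directory, the location both cssrs.exe and pluscri.exe used.
WINDIR_ROOT_RE = re.compile(r'^c:\\windows\\[^\\]+\.(?:exe|com)$', re.IGNORECASE)


def parse_loading_points(text):
    """Return one dict per Run value and per mountpoints2 shell handler."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # bracketed registry key opens a block
            continue
        m = RUN_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group(1), "path": m.group(2),
                            "date": m.group(3), "size": int(m.group(4)), "kind": "run"})
            continue
        m = MOUNT_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group(1), "path": m.group(2),
                            "date": None, "size": None, "kind": "mountpoint"})
    return entries


def flag_suspicious(entries):
    """Pair each entry that deserves analyst attention with its reasons."""
    flagged = []
    for e in entries:
        reasons = []
        if e["kind"] == "run" and WINDIR_ROOT_RE.match(e["path"]):
            reasons.append("executable directly under c:\\windows")
        if e["kind"] == "mountpoint":
            reasons.append("mountpoints2 %s handler launches %s" % (e["name"], e["path"]))
        if reasons:
            flagged.append((e, reasons))
    return flagged


def draft_cfscript(flagged):
    """Render File:: and Registry:: sections in CFScript syntax for review.
    Run hits become a file path plus a '"name"=-' value deletion; a
    mountpoints2 key is removed whole with the '[-key]' form."""
    files, values, keys = [], [], []
    for e, _ in flagged:
        if e["kind"] == "run":
            if e["path"] not in files:
                files.append(e["path"])
            values.append((e["key"], e["name"]))
        elif e["key"] not in keys:
            keys.append(e["key"])
    out = ["File::"] + files + ["", "Registry::"]
    last_key = None
    for key, name in values:
        if key != last_key:
            out.append("[%s]" % key)
            last_key = key
        out.append('"%s"=-' % name)
    out += ["[-%s]" % k for k in keys]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(parse_loading_points(SAMPLE_LOG))
    for entry, reasons in hits:
        print("%-10s %-32s %s" % (entry["kind"], entry["path"], "; ".join(reasons)))
    print()
    print(draft_cfscript(hits))
```

The output is a review list, not something to drop into CFScript.txt unread: the c:\windows heuristic is deliberately coarse, and a legitimate resident of that directory such as RTHDCPL.EXE (the Realtek audio control panel listed in the same log) would be flagged too. The script also only emits the mountpoints2 key deletion; the AutoRun target gkbrewsv.com is recorded without a drive letter, and the helper resolved it to C:\gkbrewsv.com by hand before adding it under File::.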
Old 03-31-2009, 08:45 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Re: Attacked by a trojan ? Generic13.KUA

Thanks again, yes I recognise the file URL2FILE.EXE.
I downloaded it from
hxxp://www.chami.com/dl/url2file/app/
and used it to batch download some image-based document files from the internet. It was a DOS-based program but did not trigger the antivirus on running...

I did as you mentioned: 1) the Flash_Disinfector for my thumbdrive and 2) the text file dropped into ComboFix. And you know what... the antivirus does not show those pop-up messages anymore (for the last 20 minutes at least).. Thank you.. Thank you.. Does this mean that my PC has been disinfected? Here is the latest log produced by ComboFix:

ComboFix 09-03-29.02 - Hisham 2009-03-31 21:46:05.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2280 [GMT 8:00]
Running from: c:\documents and settings\Hisham\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Hisham\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\gkbrewsv.com
c:\windows\cssrs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\install.exe
c:\windows\cssrs.exe
c:\windows\ggcktxt.txt
c:\windows\ggcktxt1.txt
c:\windows\javas.exe
c:\windows\pksamto17samto17.bak
c:\windows\pluscri.exe
E:\Autorun.inf
E:\install.exe
F:\Autorun.inf
F:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-30 20:13 . 2009-03-30 20:19 <DIR> d-------- C:\ComboFx
2009-03-30 19:50 . 2009-03-30 19:57 <DIR> d-------- C:\ComboFix1
2009-03-28 16:36 . 2009-03-28 16:36 <DIR> d-------- c:\documents and settings\Hisham\Application Data\SYSTRAN
2009-03-27 18:33 . 2009-03-27 18:33 <DIR> d-------- c:\windows\system32\Lang
2009-03-26 20:24 . 2009-03-26 20:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-26 20:24 . 2009-03-26 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-24 14:07 . 2009-03-28 02:00 <DIR> d-------- C:\statistics
2009-03-20 00:06 . 2009-03-20 00:06 <DIR> d-------- c:\program files\PTTSB
2009-03-19 19:13 . 2009-03-19 19:13 <DIR> d-------- c:\windows\system32\URTTEMP
2009-03-19 17:08 . 2009-03-20 00:15 <DIR> d-------- C:\mycard integtrator
2009-03-19 16:32 . 2001-08-30 18:58 81,920 --a------ c:\windows\system32\forinst.dll
2009-03-19 16:32 . 2001-09-22 12:06 40,960 --a------ c:\windows\system32\regdelete.exe
2009-03-19 16:32 . 2001-10-03 12:35 40,960 --a------ c:\windows\system32\infremove.exe
2009-03-19 16:32 . 2004-02-06 14:59 25,600 --a------ c:\windows\system32\drivers\irisuxp.sys
2009-03-18 10:21 . 2009-03-18 10:21 <DIR> d-------- c:\program files\DAMN NFO Viewer
2009-03-18 09:57 . 2009-03-18 09:57 <DIR> d-------- c:\program files\Foxit Software
2009-03-17 22:46 . 2009-03-29 09:46 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-17 22:46 . 2009-03-17 22:46 1,409 --a------ c:\windows\QTFont.for
2009-03-17 11:28 . 2009-03-17 11:29 <DIR> d-------- c:\program files\MultiExtractor
2009-03-17 11:23 . 2009-03-17 11:23 <DIR> d-------- c:\documents and settings\Hisham\Application Data\MultiExtractor
2009-03-15 00:44 . 2009-03-15 00:44 <DIR> d-------- c:\documents and settings\Hisham\Application Data\Fabulous Finds
2009-03-15 00:43 . 2009-03-15 00:43 <DIR> d-------- c:\program files\LeeGTs Games
2009-03-14 11:00 . 2009-03-14 23:39 110 --a------ c:\windows\system32\test.aok
2009-03-08 11:09 . 2009-03-08 11:09 <DIR> d-------- c:\program files\vtplus
2009-03-08 11:09 . 2009-03-08 11:42 2,950 --a------ c:\windows\vtplus32.ini
2009-03-08 11:08 . 2009-03-08 11:08 <DIR> d-------- c:\windows\system32\hauppauge
2009-03-08 11:08 . 2009-03-08 11:09 <DIR> d-------- c:\program files\WinTV
2009-03-08 11:08 . 2001-10-12 13:09 110,592 --a------ c:\windows\system32\hcwsched.ocx
2009-03-08 11:08 . 1998-06-26 00:00 89,600 --a------ c:\windows\system32\MSCAL.OCX
2009-03-08 11:08 . 2002-12-17 11:15 77,824 --a------ c:\windows\system32\hcwsplit.ax
2009-03-08 11:08 . 2002-12-18 17:02 69,632 --a------ c:\windows\system32\hcwfread.ax
2009-03-08 11:08 . 2002-12-27 13:33 65,536 --a------ c:\windows\system32\dmcrypto.dll
2009-03-08 11:08 . 2001-08-02 14:48 53,312 --a------ c:\windows\system32\CHSUITE.OCX
2009-03-08 11:08 . 2001-01-12 12:02 53,248 --a------ c:\windows\system32\MDCustomPanels.ocx
2009-03-08 11:08 . 2003-01-31 17:19 53,248 --a------ c:\windows\system32\hcwsched.dll
2009-03-08 11:08 . 2002-10-31 22:32 53,248 --a------ c:\windows\system32\hcwfwrit.ax
2009-03-08 11:08 . 2009-03-08 11:08 569 --a------ c:\windows\HCWPNP.INI
2009-03-07 17:18 . 2009-03-07 17:18 <DIR> d-------- c:\program files\WS_FTP
2009-03-07 16:41 . 2009-03-07 16:42 <DIR> d-------- c:\program files\phpDesigner
2009-03-07 16:41 . 2009-03-07 17:45 <DIR> d-------- c:\documents and settings\Hisham\Application Data\phpDesigner
2009-03-07 14:58 . 2009-03-07 14:58 <DIR> d-------- c:\program files\Pinecoast
2009-03-07 14:40 . 2009-03-07 14:40 <DIR> d-------- c:\program files\ParallelGraphics
2009-03-07 14:40 . 2009-03-07 14:40 <DIR> d-------- c:\program files\Common Files\ParallelGraphics
2009-03-07 12:08 . 2009-03-07 12:08 <DIR> d-------- c:\program files\IMSI
2009-03-07 11:05 . 2009-03-28 18:58 <DIR> d-------- c:\program files\Sweet Home 3D
2009-03-06 18:37 . 2009-03-06 18:37 <DIR> d-------- C:\speech1
2009-03-06 18:24 . 2009-03-06 18:39 <DIR> d-------- c:\program files\Google
2009-03-06 18:24 . 2009-03-31 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-03-06 17:03 . 2009-03-06 17:03 <DIR> d-------- c:\program files\Microsoft Speech SDK 5.1
2009-03-06 17:02 . 2009-03-06 17:03 <DIR> d-------- C:\speech
2009-03-01 02:35 . 2009-03-29 12:44 <DIR> d-------- c:\documents and settings\Hisham\Application Data\Corel
2009-03-01 02:34 . 2009-03-01 02:34 <DIR> d-------- c:\program files\Common Files\Corel
2009-03-01 02:34 . 2009-03-01 02:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Corel
2009-03-01 02:33 . 2009-03-29 14:59 2,516 --ahs---- c:\windows\system32\KGyGaAvL.sys
2009-03-01 02:33 . 2009-03-01 02:35 88 -r-hs---- c:\windows\system32\C3A29D82A6.sys
2009-02-28 21:04 . 2009-02-28 21:04 <DIR> d-------- c:\program files\Zeallsoft
2009-02-26 20:42 . 2009-02-26 20:45 <DIR> d-------- c:\documents and settings\Hisham\Application Data\FiatLuxImaging
2009-02-26 20:41 . 2009-02-26 20:41 <DIR> d-------- c:\program files\FiatLux Imaging
2009-02-23 21:48 . 2009-02-23 21:48 <DIR> d-------- c:\program files\Ubisoft
2009-02-23 16:38 . 2009-02-23 16:38 <DIR> d-------- C:\$WIN_NT$.~BT
2009-02-23 16:38 . 2008-04-14 13:34 480,367 -ra------ C:\txtsetup.sif
2009-02-23 16:38 . 2008-04-14 06:02 260,288 -ra------ C:\$LDR$
2009-02-23 00:03 . 2009-02-23 00:03 <DIR> d-------- c:\windows\USB Vibration
2009-02-22 21:39 . 2009-02-22 21:39 36 --a------ c:\windows\PatchSettings.cfg
2009-02-22 21:22 . 2009-02-22 21:22 <DIR> d-------- c:\program files\USB Vibration
2009-02-19 21:33 . 2009-03-07 17:22 <DIR> d---s---- C:\malabar
2009-02-19 21:29 . 2009-02-19 21:29 <DIR> d-------- c:\program files\Microsoft Expression
2009-02-19 15:20 . 2009-02-19 15:20 <DIR> d-------- c:\program files\Mufid
2009-02-07 22:25 . 2009-02-07 22:26 <DIR> d-------- C:\web
2009-02-07 18:02 . 2009-02-07 18:02 <DIR> d-------- c:\program files\subtitles
2009-02-06 23:49 . 2009-02-06 23:49 <DIR> d-------- c:\program files\Xider
2009-02-06 22:14 . 2009-02-06 22:14 <DIR> d-------- c:\program files\Sierra On-Line
2009-02-06 22:14 . 2009-02-06 22:14 <DIR> d-------- C:\Papyrus
2009-02-06 22:14 . 26747-11-29 11:30 2,016 --a------ c:\windows\system32\drivers\papycpu2.sys
2009-02-06 22:14 . 26747-11-29 11:30 1,888 --a------ c:\windows\system32\drivers\papyjoy.sys
2009-02-06 22:13 . 2009-02-06 22:13 <DIR> d-------- c:\documents and settings\Hisham\WINDOWS
2009-02-06 22:13 . 2009-02-06 22:14 230 --a------ c:\windows\SIERRA.INI
2009-02-04 21:48 . 2009-02-04 21:48 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-02-01 22:16 . 2009-02-05 12:50 <DIR> d-------- c:\program files\Talisman 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 13:49 --------- d-----w c:\documents and settings\Hisham\Application Data\Orbit
2009-03-31 13:31 --------- d-----w c:\documents and settings\Hisham\Application Data\Skype
2009-03-31 13:30 --------- d-----w c:\documents and settings\Hisham\Application Data\skypePM
2009-03-28 18:10 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-03-26 15:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-24 04:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-19 13:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-18 01:26 --------- d-----w c:\program files\DigiCel
2009-03-07 09:18 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 06:52 --------- d-----w c:\program files\Orbitdownloader
2009-02-28 18:35 --------- d-----w c:\program files\Corel
2009-02-28 18:17 --------- d-----w c:\program files\Democracy
2009-02-28 13:39 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-19 22:32 --------- d-----w c:\documents and settings\Hisham\Application Data\AVGTOOLBAR
2009-01-20 05:24 103,714,297 ----a-w C:\New WinRAR ZIP archive.zip
2009-01-20 05:24 103,714,297 ----a-w C:\Copy of New WinRAR ZIP archive.zip
2008-12-27 17:51 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-26 11:51 728,858 ----a-w c:\program files\Common Files\unins000.exe
2008-12-26 11:51 2,523 ----a-w c:\program files\Common Files\unins000.dat
2008-12-18 12:37 737,280 ----a-w c:\windows\iun6002.exe
2008-12-10 16:14 8 --sh--r c:\documents and settings\All Users\Application Data\C3A29D82A6.sys
2008-03-08 23:25 236 ---ha-w c:\program files\Common Files\dx.reg
.

((((((((((((((((((((((((((((( SnapShot@2009-03-30_14.30.48.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-30 06:04:51 71,454 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-31 13:33:45 71,454 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-30 06:04:51 441,514 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-31 13:33:45 441,514 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2008-03-07 1130496]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Dewan Eja Pro"="c:\program files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe" [2005-05-30 119296]
"L08AXLRD_43890296"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 351000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-07 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-06-25 5625344]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-10-23 380928]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-27 1601304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Dewan Eja Pro Config"="c:\progra~1\THENAM~1\DEWANE~1\deconfig.exe" [2005-05-26 147456]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"RamDrive"="c:\program files\Farstone\VirtualHardDrive\RdTask.exe" [2007-03-02 135168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2006-08-04 462336]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-11-17 1690824]
PhoneMidServerUI.lnk - c:\program files\voip\voip platform\Bin\PhoneMIdServerUI.exe [2008-12-28 315497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-27 11:22 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"VIDC.NTN1"= nuvision.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"e:\\worm\\WORMS 4 MAYHEM.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\HeidiSQL\\heidisql.exe"=
"f:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Xider\\EsR\\Game.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Expression\\Web 2\\WebDesigner\\EXPRWD.EXE"=
"c:\\Program Files\\Ubisoft\\Prince of Persia\\Prince of Persia.exe"=
"c:\\Program Files\\Ubisoft\\Prince of Persia\\PrinceOfPersia_Launcher.exe"=
"f:\\Islam\\batch\\URL2FILE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22176:TCP"= 22176:TCP:127.0.0.1/255.255.255.255:Enabled:Dewan Eja Pro Http Daemon

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 298264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-11-16 36864]
S2 gupdate1c99e47c47625ba;Google Update Service (gupdate1c99e47c47625ba);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 133104]
S3 IRISUSB;IRIS USB Smart Card Reader;c:\windows\system32\drivers\irisuxp.sys [2009-03-19 25600]
S3 NuVision;Hauppauge WinTV USB Pro (PAL B/G,D/K);c:\windows\system32\drivers\NUVision.sys [2009-03-08 260144]
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 19:12]

2009-03-31 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 18:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download by FlashDownloader - c:\program files\FlashDownloader\IntQd.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open and Translate in Word
FF - ProfilePath - c:\documents and settings\Hisham\Application Data\Mozilla\Firefox\Profiles\kcy65f8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 21:49:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\The Name Technology\Dewan Eja Pro\DEProNetDetect.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-03-31 21:52:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 13:52:25
ComboFix2.txt 2009-03-30 12:19:14
ComboFix3.txt 2009-03-30 11:57:09
ComboFix4.txt 2009-03-30 07:00:50

Pre-Run: 142,701,895,680 bytes free
Post-Run: 142,691,946,496 bytes free

285 --- E O F --- 2009-03-21 18:12:38

Last edited by HishamK; 03-31-2009 at 08:58 AM. Reason: accidentally entered a link that may be possible cause of a trojan infestation
Old 03-31-2009, 01:27 PM   #8 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

We still have some more work to do on your computer, but good to hear that the pop-ups have stopped.


Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 2: Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


Post the MalwareBytes' Log in your next post.
__________________


Member of ASAP
Old 03-31-2009, 06:42 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Re: Attacked by a trojan ? Generic13.KUA

Done!!
Here is the report from Malwarebytes' log

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

4/1/09 8:38:12 AM
mbam-log-2009-04-01 (08-38-12).txt

Scan type: Quick Scan
Objects scanned: 71368
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


BTW Are there any programs I can run on a regular basis to spring clean the system...

HishamK
Old 03-31-2009, 11:44 PM   #10 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

Quote:
BTW Are there any programs I can run on a regular basis to spring clean the system...
Once we are done working on your computer, I'll list some tools/programs you can use to help keep your computer clean.


Step # 1: Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)
  • First, go to Add/Remove Programs and uninstall all previous versions.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.1 is a large program and if you prefer a smaller program you can get Foxit 3.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.0 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please make sure that all programs are closed when installing Java.
  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 13. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 13 License Agreement box and click on Continue.
  6. Click on jre-6u13-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Double click on jre-6u13-windows-i586-p.exe to install Java.
  8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  9. Read through the requirements and privacy statement and click on Accept button.
  10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  11. When the downloads have finished, click on Settings.
  12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  13. Click on My Computer under Scan.
  14. Once the scan is complete, it will display the results. Click on View Scan Report.
  15. You will see a list of infected items there. Click on Save Report As....
  16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  17. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS log
3. How is your computer doing, any problems?
__________________


Member of ASAP
Old 04-01-2009, 03:33 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Re: Attacked by a trojan ? Generic13.KUA

Sorry for the late reply, as the Kaspersky scan took a long time to download and run. I have changed to a new version of Adobe Reader and installed JRE 6 before running the online scan. I can only run it on IE, as Firefox keeps coming up with the message that the necessary plugin is not installed.

There are still bugs in this PC. AVG popped up another message, and similarly, when I ran Malwarebytes after another update it detected and killed two other bugs. The online scan also picked up one or two things. Here are the findings.

The Malwarebytes' log:

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3

4/1/09 7:16:22 PM
mbam-log-2009-04-01 (19-16-22).txt

Scan type: Quick Scan
Objects scanned: 72368
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\quranviewer2.dochostuihandler (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f2bbc05-40df-11d2-9455-00104bc936ff} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------------
After that, the Kaspersky report:



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, April 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 01, 2009 15:45:07
Records in database: 1993026
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 157124
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:26:38


File name / Threat name / Threats count
C:\Documents and Settings\Hisham\My Documents\URL2File.zip Infected: not-a-virus:Downloader.Win32.Url2File.a 1
F:\Islam\batch\URL2FILE.EXE Infected: not-a-virus:Downloader.Win32.Url2File.a 1

The selected area was scanned.


And the dds.txt:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Hisham at 18:48:44.68 on Sun 03/29/09
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2138 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Farstone\VirtualHardDrive\RdTask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\WINDOWS\pluscri.exe
J:\install.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\javas.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DEProNetDetect.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\components\XEN\DEProHttpD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\voip\voip platform\Bin\PhoneMIdServerUI.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hisham\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: IECatcher Class: {0682e46a-7040-4049-a6fd-0bcfbc673ad8} - c:\program files\flashdownloader\IntQd.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {FC3C24D3-4B56-4D13-BC64-EF3CCA1498BE} - No File
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Dewan Eja Pro] c:\program files\the name technology\dewan eja pro\DewanEjaPro.exe
uRun: [L08AXLRD_43890296] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Six Engine] "c:\program files\asus\epu-4 engine\FourEngine.exe" -r
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Dewan Eja Pro Config] c:\progra~1\thenam~1\dewane~1\deconfig.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RamDrive] c:\program files\farstone\virtualharddrive\RdTask.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire\Corel Photo Downloader.exe
mRun: [3DNADesktop] "c:\program files\3dna\resources\3dnasys.exe" -open
mRun: [pluscri] c:\windows\pluscri.exe
mRun: [cssrs] c:\windows\cssrs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\phonem~1.lnk - c:\program files\voip\voip platform\bin\PhoneMIdServerUI.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download by FlashDownloader - c:\program files\flashdownloader\IntQd.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open and Translate in Word
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\web2~1\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\windows\system32\wowctl2.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hisham\applic~1\mozilla\firefox\profiles\kcy65f8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\program files\common files\parallelgraphics\cortona\npCortona.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCortona.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-16 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 107272]
R1 EIO_XP;EIO_XP;c:\windows\system32\drivers\EIO_XP.sys [2008-11-16 12288]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-16 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-16 298264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-11-16 36864]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D32.sys [2008-11-16 10752]
S2 gupdate1c99e47c47625ba;Google Update Service (gupdate1c99e47c47625ba);c:\program files\google\update\GoogleUpdate.exe [2009-3-6 133104]
S3 IRISUSB;IRIS USB Smart Card Reader;c:\windows\system32\drivers\irisuxp.sys [2009-3-19 25600]
S3 NuVision;Hauppauge WinTV USB Pro (PAL B/G,D/K);c:\windows\system32\drivers\NUVision.sys [2009-3-8 260144]

=============== Created Last 30 ================

2009-03-28 16:36 <DIR> --d----- c:\docume~1\hisham\applic~1\SYSTRAN
2009-03-27 18:33 <DIR> --d----- c:\windows\system32\Lang
2009-03-26 20:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-26 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-26 08:03 286,720 ----h--- C:\install.exe
2009-03-26 08:03 163 ----h--- C:\autorun.inf
2009-03-25 07:45 184,320 ----h--- c:\windows\cssrs.exe
2009-03-25 07:45 229,376 a------- c:\windows\pksamto17samto17.bak
2009-03-25 07:45 229,376 ----h--- c:\windows\pluscri.exe
2009-03-25 07:45 286,720 ----h--- c:\windows\javas.exe
2009-03-24 14:07 <DIR> --d----- C:\statistics
2009-03-20 00:06 <DIR> --d----- c:\program files\PTTSB
2009-03-19 19:13 <DIR> --d----- c:\windows\system32\URTTEMP
2009-03-19 17:08 <DIR> --d----- C:\mycard integtrator
2009-03-19 16:32 25,600 a------- c:\windows\system32\drivers\irisuxp.sys
2009-03-19 16:32 81,920 a------- c:\windows\system32\forinst.dll
2009-03-19 16:32 40,960 a------- c:\windows\system32\regdelete.exe
2009-03-19 16:32 40,960 a------- c:\windows\system32\infremove.exe
2009-03-18 10:22 <DIR> --d----- c:\program files\MyWay
2009-03-18 10:21 <DIR> --d----- c:\program files\DAMN NFO Viewer
2009-03-18 09:57 <DIR> --d----- c:\program files\Foxit Software
2009-03-17 22:46 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-17 22:46 1,409 a------- c:\windows\QTFont.for
2009-03-17 11:28 <DIR> --d----- c:\program files\MultiExtractor
2009-03-17 11:23 <DIR> --d----- c:\docume~1\hisham\applic~1\MultiExtractor
2009-03-15 00:44 <DIR> --d----- c:\docume~1\hisham\applic~1\Fabulous Finds
2009-03-15 00:43 <DIR> --d----- c:\program files\LeeGTs Games
2009-03-14 11:00 110 a------- c:\windows\system32\test.aok
2009-03-08 11:09 2,950 a------- c:\windows\vtplus32.ini
2009-03-08 11:09 <DIR> --d----- c:\program files\vtplus
2009-03-08 11:08 89,600 a------- c:\windows\system32\MSCAL.OCX
2009-03-08 11:08 65,536 a------- c:\windows\system32\dmcrypto.dll
2009-03-08 11:08 53,312 a------- c:\windows\system32\CHSUITE.OCX
2009-03-08 11:08 110,592 a------- c:\windows\system32\hcwsched.ocx
2009-03-08 11:08 53,248 a------- c:\windows\system32\hcwsched.dll
2009-03-08 11:08 77,824 a------- c:\windows\system32\hcwsplit.ax
2009-03-08 11:08 69,632 a------- c:\windows\system32\hcwfread.ax
2009-03-08 11:08 53,248 a------- c:\windows\system32\MDCustomPanels.ocx
2009-03-08 11:08 53,248 a------- c:\windows\system32\hcwfwrit.ax
2009-03-08 11:08 <DIR> --d----- c:\windows\system32\hauppauge
2009-03-08 11:08 569 a------- c:\windows\HCWPNP.INI
2009-03-08 11:08 <DIR> --d----- c:\program files\WinTV
2009-03-07 17:18 <DIR> --d----- c:\program files\WS_FTP
2009-03-07 16:41 <DIR> --d----- c:\program files\phpDesigner
2009-03-07 16:41 <DIR> --d----- c:\docume~1\hisham\applic~1\phpDesigner
2009-03-07 14:58 <DIR> --d----- c:\program files\Pinecoast
2009-03-07 14:40 <DIR> --d----- c:\program files\ParallelGraphics
2009-03-07 14:40 <DIR> --d----- c:\program files\common files\ParallelGraphics
2009-03-07 12:08 <DIR> --d----- c:\program files\IMSI
2009-03-07 11:05 <DIR> --d----- c:\program files\Sweet Home 3D
2009-03-06 18:37 <DIR> --d----- C:\speech1
2009-03-06 17:03 <DIR> --d----- c:\program files\Microsoft Speech SDK 5.1
2009-03-06 17:02 <DIR> --d----- C:\speech
2009-03-01 02:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-03-01 02:34 <DIR> --d----- c:\program files\common files\Corel
2009-03-01 02:33 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-01 02:33 88 ---shr-- c:\windows\system32\C3A29D82A6.sys
2009-03-01 02:17 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-28 21:04 <DIR> --d----- c:\program files\Zeallsoft

==================== Find3M ====================

2009-03-29 02:10 196,608 a------- c:\windows\system32\drivers\nStandard.bin
2009-02-28 21:39 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-09 19:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-01-27 11:22 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-20 13:24 103,714,297 a------- C:\New WinRAR ZIP archive.zip
2009-01-20 13:24 103,714,297 a------- C:\Copy of New WinRAR ZIP archive.zip
2008-12-28 01:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-12-26 19:51 2,523 a------- c:\program files\common files\unins000.dat
2008-12-26 19:51 728,858 a------- c:\program files\common files\unins000.exe
2008-12-11 00:14 8 ---shr-- c:\docume~1\alluse~1\applic~1\C3A29D82A6.sys
2008-03-09 07:25 236 a---h--- c:\program files\common files\dx.reg
2006-06-25 06:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 18:49:05.81 ===============

Shall I delete the location where the URL to File files are found, or should we dispose of them in some other way...?
Old 04-01-2009, 04:51 PM   #12 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

Quote:
AVG popped up another message
What did the AVG pop-up say?

Quote:
Shall I delete the location where the URL to File files are found, or should we dispose of them in some other way...?
Yes, you can go ahead and delete the following files:

C:\Documents and Settings\Hisham\My Documents\URL2File.zip
F:\Islam\batch\URL2FILE.EXE

Let me know if you have any troubles deleting them.

Quote:
Run by Hisham at 18:48:44.68 on Sun 03/29/09
The DDS log you posted is the exact same one you posted at the start of this thread. Please run DDS again and post the new log that appears.
__________________


Member of ASAP
Old 04-02-2009, 04:00 AM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Re: Attacked by a trojan ? Generic13.KUA

Two messages popped up saying

"Trojan horse Generic13.KUA";"C:\System Volume Information\_restore{DD217265-899B-48F8-B555-8E5ED0DA8A6C}\RP4\A0001474.exe";"Infected";"4/1/09, 6:48:27 PM";"File";"C:\WINDOWS\system32\svchost.exe"

and

"Trojan horse Generic13.KUA";"C:\System Volume Information\_restore{DD217265-899B-48F8-B555-8E5ED0DA8A6C}\RP4\A0001474.exe";"Moved to Virus Vault";"4/1/09, 6:17:38 PM";"File";"C:\WINDOWS\system32\svchost.exe"

This was just before Malwarebytes reported 2 viruses and deleted them (I put up the result of its log in my last reply).

I am sorry, I copied the same DDS result as previously. This is the one I am actually supposed to post....



DDS (Ver_09-03-16.01) - NTFSx86
Run by Hisham at 5:19:38.87 on Thu 04/02/09
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2194 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Farstone\VirtualHardDrive\RdTask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\voip\voip platform\Bin\PhoneMIdServerUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Hisham\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: IECatcher Class: {0682e46a-7040-4049-a6fd-0bcfbc673ad8} - c:\program files\flashdownloader\IntQd.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {FC3C24D3-4B56-4D13-BC64-EF3CCA1498BE} - No File
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Dewan Eja Pro] c:\program files\the name technology\dewan eja pro\DewanEjaPro.exe
uRun: [L08AXLRD_43890296] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Six Engine] "c:\program files\asus\epu-4 engine\FourEngine.exe" -r
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Dewan Eja Pro Config] c:\progra~1\thenam~1\dewane~1\deconfig.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RamDrive] c:\program files\farstone\virtualharddrive\RdTask.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire\Corel Photo Downloader.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\hisham\startm~1\programs\startup\wordwe~1.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\phonem~1.lnk - c:\program files\voip\voip platform\bin\PhoneMIdServerUI.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download by FlashDownloader - c:\program files\flashdownloader\IntQd.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open and Translate in Word
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\web2~1\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\windows\system32\wowctl2.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hisham\applic~1\mozilla\firefox\profiles\kcy65f8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\program files\common files\parallelgraphics\cortona\npCortona.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCortona.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-16 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 107272]
R1 EIO_XP;EIO_XP;c:\windows\system32\drivers\EIO_XP.sys [2008-11-16 12288]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-16 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-16 298264]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-1 179856]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-11-16 36864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-1 15504]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-1 38496]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D32.sys [2008-11-16 10752]
S2 gupdate1c99e47c47625ba;Google Update Service (gupdate1c99e47c47625ba);c:\program files\google\update\GoogleUpdate.exe [2009-3-6 133104]
S3 IRISUSB;IRIS USB Smart Card Reader;c:\windows\system32\drivers\irisuxp.sys [2009-3-19 25600]
S3 NuVision;Hauppauge WinTV USB Pro (PAL B/G,D/K);c:\windows\system32\drivers\NUVision.sys [2009-3-8 260144]

=============== Created Last 30 ================

2009-04-01 17:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-01 17:38 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-01 08:16 <DIR> --d----- c:\docume~1\hisham\applic~1\Malwarebytes
2009-04-01 08:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 08:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 08:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 08:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-31 23:50 <DIR> --d----- c:\docume~1\hisham\applic~1\WordWeb
2009-03-31 23:50 1,291,880 a------- c:\windows\wweb32.dll
2009-03-31 23:50 <DIR> --d----- c:\program files\WordWeb
2009-03-31 21:44 <DIR> --d----- C:\ComboFix
2009-03-30 20:13 <DIR> --d----- C:\ComboFx
2009-03-30 19:50 <DIR> --d----- C:\ComboFix1
2009-03-30 14:22 <DIR> a-dshr-- C:\cmdcons
2009-03-30 14:21 161,792 a------- c:\windows\SWREG.exe
2009-03-30 14:21 98,816 a------- c:\windows\sed.exe
2009-03-28 16:36 <DIR> --d----- c:\docume~1\hisham\applic~1\SYSTRAN
2009-03-27 18:33 <DIR> --d----- c:\windows\system32\Lang
2009-03-26 20:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-26 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-24 14:07 <DIR> --d----- C:\statistics
2009-03-20 00:06 <DIR> --d----- c:\program files\PTTSB
2009-03-19 19:13 <DIR> --d----- c:\windows\system32\URTTEMP
2009-03-19 17:08 <DIR> --d----- C:\mycard integtrator
2009-03-19 16:32 25,600 a------- c:\windows\system32\drivers\irisuxp.sys
2009-03-19 16:32 81,920 a------- c:\windows\system32\forinst.dll
2009-03-19 16:32 40,960 a------- c:\windows\system32\regdelete.exe
2009-03-19 16:32 40,960 a------- c:\windows\system32\infremove.exe
2009-03-18 10:21 <DIR> --d----- c:\program files\DAMN NFO Viewer
2009-03-18 09:57 <DIR> --d----- c:\program files\Foxit Software
2009-03-17 22:46 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-17 22:46 1,409 a------- c:\windows\QTFont.for
2009-03-17 11:28 <DIR> --d----- c:\program files\MultiExtractor
2009-03-17 11:23 <DIR> --d----- c:\docume~1\hisham\applic~1\MultiExtractor
2009-03-15 00:44 <DIR> --d----- c:\docume~1\hisham\applic~1\Fabulous Finds
2009-03-15 00:43 <DIR> --d----- c:\program files\LeeGTs Games
2009-03-14 11:00 110 a------- c:\windows\system32\test.aok
2009-03-08 11:09 2,950 a------- c:\windows\vtplus32.ini
2009-03-08 11:09 <DIR> --d----- c:\program files\vtplus
2009-03-08 11:08 89,600 a------- c:\windows\system32\MSCAL.OCX
2009-03-08 11:08 65,536 a------- c:\windows\system32\dmcrypto.dll
2009-03-08 11:08 53,312 a------- c:\windows\system32\CHSUITE.OCX
2009-03-08 11:08 110,592 a------- c:\windows\system32\hcwsched.ocx
2009-03-08 11:08 53,248 a------- c:\windows\system32\hcwsched.dll
2009-03-08 11:08 77,824 a------- c:\windows\system32\hcwsplit.ax
2009-03-08 11:08 69,632 a------- c:\windows\system32\hcwfread.ax
2009-03-08 11:08 53,248 a------- c:\windows\system32\MDCustomPanels.ocx
2009-03-08 11:08 53,248 a------- c:\windows\system32\hcwfwrit.ax
2009-03-08 11:08 <DIR> --d----- c:\windows\system32\hauppauge
2009-03-08 11:08 569 a------- c:\windows\HCWPNP.INI
2009-03-08 11:08 <DIR> --d----- c:\program files\WinTV
2009-03-07 17:18 <DIR> --d----- c:\program files\WS_FTP
2009-03-07 16:41 <DIR> --d----- c:\program files\phpDesigner
2009-03-07 16:41 <DIR> --d----- c:\docume~1\hisham\applic~1\phpDesigner
2009-03-07 14:58 <DIR> --d----- c:\program files\Pinecoast
2009-03-07 14:40 <DIR> --d----- c:\program files\ParallelGraphics
2009-03-07 14:40 <DIR> --d----- c:\program files\common files\ParallelGraphics
2009-03-07 12:08 <DIR> --d----- c:\program files\IMSI
2009-03-07 11:05 <DIR> --d----- c:\program files\Sweet Home 3D
2009-03-06 18:37 <DIR> --d----- C:\speech1
2009-03-06 17:03 <DIR> --d----- c:\program files\Microsoft Speech SDK 5.1
2009-03-06 17:02 <DIR> --d----- C:\speech

==================== Find3M ====================

2009-04-02 01:07 196,608 a------- c:\windows\system32\drivers\nStandard.bin
2009-03-29 14:59 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-28 21:39 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-09 19:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-01-27 11:22 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-20 13:24 103,714,297 a------- C:\New WinRAR ZIP archive.zip
2009-01-20 13:24 103,714,297 a------- C:\Copy of New WinRAR ZIP archive.zip
2008-12-28 01:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-12-26 19:51 2,523 a------- c:\program files\common files\unins000.dat
2008-12-26 19:51 728,858 a------- c:\program files\common files\unins000.exe
2008-12-11 00:14 8 ---shr-- c:\docume~1\alluse~1\applic~1\C3A29D82A6.sys
2008-03-09 07:25 236 a---h--- c:\program files\common files\dx.reg
2006-06-25 06:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 5:20:03.78 ===============


---------------------------------------------------------------

I deleted both the url2file.zip and url2file.exe files without any difficulty.
Old 04-02-2009, 12:39 PM   #14 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

Your DDS log looks good.

What AVG found were two infected System Restore points. They are harmless where they are. Shortly, I will be showing you how to remove them and set a new, clean one.

Any other problems?
__________________


Member of ASAP
Old 04-02-2009, 03:57 PM   #15 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Re: Attacked by a trojan ? Generic13.KUA

Things look OK. The Firefox that I use to browse does not seem to run some JavaScript properly (e.g. the "check all" in the Yahoo Mail website, for instance, does not work). I don't know if it is related or if it is just some server-side problem. I checked the Firefox website for updates, but none were available. Otherwise things are running smoothly.
Old 04-03-2009, 12:43 AM   #16 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

You can try reinstalling Firefox or Java or both to see if that fixes it. If it happens on certain websites and not others, you can try contacting those websites and letting them know about the problem.

Since you report no more malware problems, you are good to go.

You can delete dds.pif

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK

Empty your Recycle Bin.

Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure. This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  5. When all these settings have been made, click on the OK button.
  6. If it asks you if you want to save the settings, press the Yes button.
  7. Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then doubleclick it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok..
  • Use an alternative instant messenger program: Trillian and Miranda IM. These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/m...revention.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!


Please reply one last time so that I know you have read my post and this thread can be closed.
__________________


Member of ASAP
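The Internet Explorer Custom Level changes, the Folder Options changes and the DNS Client change from the all-clean post above, as an added PowerShell example; it is not part of the thread and not code from any tool the thread names. It assumes the script is run as the affected user on a Windows machine with PowerShell installed (an administrator session for the service change), and that the registry action IDs 1001, 1004, 1201, 1800, 1804 and 1607 under the Internet zone (Zones\3) with 0/1/3 meaning Enable/Prompt/Disable, and the Explorer Advanced values Hidden, ShowSuperHidden, WebViewBarricade and HideFileExt, are the documented locations the dialogs write to. The audit function only reads, so it is safe to run first to see what the dialogs would change.

```powershell
# Added example (not from the thread or from any tool it mentions).
# Applies and audits the IE "Internet zone" Custom Level settings and the
# Folder Options View settings from the all-clean post, and optionally sets
# the DNS Client service to Manual for the large-hosts-file tip.
# Assumed: run as the affected user; PowerShell 2.0 or later; the action IDs
# and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are the documented
# IE zone registry values; WebViewBarricade is the XP-era "Display content of
# system folders" value.

$IeInternetZone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# One row per setting the post asks for: key, value name, desired DWORD, description.
$DesiredSettings = @(
    @{ Path = $IeInternetZone;   Name = '1001';             Value = 1; Desc = 'Download signed ActiveX controls = Prompt' },
    @{ Path = $IeInternetZone;   Name = '1004';             Value = 3; Desc = 'Download unsigned ActiveX controls = Disable' },
    @{ Path = $IeInternetZone;   Name = '1201';             Value = 3; Desc = 'Initialize and script ActiveX controls not marked as safe = Disable' },
    @{ Path = $IeInternetZone;   Name = '1800';             Value = 1; Desc = 'Installation of desktop items = Prompt' },
    @{ Path = $IeInternetZone;   Name = '1804';             Value = 1; Desc = 'Launching programs and files in an IFRAME = Prompt' },
    @{ Path = $IeInternetZone;   Name = '1607';             Value = 1; Desc = 'Navigate sub-frames across different domains = Prompt' },
    @{ Path = $ExplorerAdvanced; Name = 'Hidden';           Value = 2; Desc = 'Do not show hidden files and folders' },
    @{ Path = $ExplorerAdvanced; Name = 'ShowSuperHidden';  Value = 0; Desc = 'Hide protected operating system files' },
    @{ Path = $ExplorerAdvanced; Name = 'WebViewBarricade'; Value = 1; Desc = 'Display content of system folders (XP)' },
    @{ Path = $ExplorerAdvanced; Name = 'HideFileExt';      Value = 0; Desc = 'Show extensions for known file types' }
)

function Get-HardeningState {
    # Reads each setting and reports whether it already matches. Never writes.
    foreach ($s in $DesiredSettings) {
        $actual = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($s.Name) }
        New-Object PSObject -Property @{
            Setting   = $s.Desc
            Path      = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

function Set-HardeningState {
    # Writes only the settings that are out of compliance; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($state in (Get-HardeningState | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$($state.Path)\$($state.Name)", "set to $($state.Expected)")) {
            if (-not (Test-Path $state.Path)) { New-Item -Path $state.Path -Force | Out-Null }
            Set-ItemProperty -Path $state.Path -Name $state.Name -Value $state.Expected -Type DWord
        }
    }
}

function Set-DnsClientManual {
    # The post's workaround for hosts-file slowdowns: the DNS Client service
    # ("Dnscache") starts on demand instead of caching the whole hosts file.
    # Needs an administrator session; skip it if you did not install the hosts file.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('Dnscache', 'set startup type to Manual')) {
        Set-Service -Name Dnscache -StartupType Manual
    }
}

# Usage: audit, apply, audit again. Explorer and IE read these values when they
# start, so sign out or restart them to see the effect.
Get-HardeningState | Format-Table Setting, Expected, Actual, Compliant -AutoSize
Set-HardeningState -WhatIf    # drop -WhatIf to apply the changes
```

Run the audit before and after the dialog steps in the post and the two tables should differ only in the rows you changed; any row that stays non-compliant after applying usually means a machine-wide policy under HKLM is overriding the per-user value, which is worth knowing before assuming the browser is locked down.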
Old 04-04-2009, 10:43 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 9
OS: xp


Re: Attacked by a trojan ? Generic13.KUA

Thank you...

I will make the necessary changes.
I could not reply earlier as I was getting an error from this website while doing so.
The problems are all settled. Thank you again

Hisham
Old 04-04-2009, 11:34 PM   #18 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Posts: 314
OS: Win98SE, XP Home SP3


Re: Attacked by a trojan ? Generic13.KUA

You're welcome. I'm glad I was able to help you out.

Good luck and safe surfing.
__________________


Member of ASAP
 


Copyright 2001 - 2009, Tech Support Forum