WiredWX Christian Hobby Weather Tools

Antivirus System pro
Hi,

My laptop was attacked by Antivirus System Pro. I managed to stop the processes through Task Manager and then deleted the 'sysguard' and other files. I also ran the latest version of Malwarebytes Anti-Malware. After that the system is behaving normally, but when I run Malwarebytes Anti-Malware I keep getting one or two reports of infection in registry entries. I remove the entries but they keep coming back. The latest Malwarebytes log is below:

Malwarebytes' Anti-Malware 1.41
Database version: 3267
Windows 6.0.6000

12/8/2009 2:46:03 PM
mbam-log-2009-12-08 (14-45-49).txt

Scan type: Quick Scan
Objects scanned: 110009
Time elapsed: 8 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ldocum (Trojan.Agent.U) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsucimesumiw (Trojan.Agent.U) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
==============================

The Trend Micro HijackThis log is below (not run as administrator).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:03 PM, on 12/8/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Windows\sttray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\COMMON~1\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Sajeev\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070101
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Ldocum] rundll32.exe "C:\Users\Pennu\AppData\Local\ifopozeka.dll",Startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8477 bytes

Appreciate it if you can help. Thanks.
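The HijackThis log above contains three indicators a responder would pull out by hand: a process running from a bare folder off C:\ with a screensaver extension (C:\Sajeev\winlogon.scr), a per-user IE proxy pointing at 127.0.0.1:5555, and an HKCU Run entry where rundll32 loads a DLL out of AppData\Local (the Ldocum entry that Malwarebytes keeps finding). The script below is an added example, not part of this thread and not a HijackThis feature: it runs those three checks over a constructed subset of the posted log lines. The list of trusted install roots and the severity tags are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Directories where installed software normally lives on a 32-bit Vista box.
# Anything launched from elsewhere (user profile, Temp, a bare folder off C:\)
# deserves a second look. The list is an assumption for this example.
TRUSTED_ROOTS = (
    "c:\\windows",
    "c:\\program files",
    "c:\\progra~1",
    "%programfiles%",
    "%systemroot%",
)

# A Windows path (drive letter or %VAR%) ending in an executable-ish extension.
PATH_RE = re.compile(
    r'((?:[a-z]:|%[a-z]+%)\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd|vbs))',
    re.IGNORECASE,
)

# Constructed subset of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Sajeev\winlogon.scr

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Ldocum] rundll32.exe "C:\Users\Pennu\AppData\Local\ifopozeka.dll",Startup
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe (file missing)
"""


@dataclass
class Finding:
    kind: str    # short tag naming the rule that fired
    detail: str  # the path or value that triggered it
    line: str    # the original log line


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def paths_in(cmd: str) -> list:
    return [m.group(1) for m in PATH_RE.finditer(cmd)]


def triage(log_text: str) -> list:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
                continue
            if not is_trusted(line):
                findings.append(Finding("process_outside_program_dirs", line, line))
            continue

        # R0/R1: IE settings. A proxy pointing back at the local machine is a
        # classic rogue-AV trick for sitting in front of the browser.
        if line.startswith(("R0 -", "R1 -")) and "ProxyServer" in line:
            value = line.split("=", 1)[1].strip()
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings.append(Finding("proxy_to_localhost", value, line))
            continue

        # O4: autostart entries. rundll32 pulling a DLL out of the user profile
        # is exactly the shape of the Ldocum entry in the posted log.
        if line.startswith("O4 -"):
            cmd = line.split(":", 1)[1]
            untrusted = [p for p in paths_in(cmd) if not is_trusted(p)]
            if untrusted and "rundll32" in cmd.lower():
                findings.append(Finding("rundll32_user_writable_dll", untrusted[0], line))
            elif untrusted:
                findings.append(Finding("autorun_outside_program_dirs", untrusted[0], line))
            continue

        # O23: a service whose binary is gone is usually an uninstall leftover,
        # not malware; record it so it is not mistaken for one.
        if line.startswith("O23 -") and "(file missing)" in line:
            findings.append(Finding("service_binary_missing", line.split(" - ")[-1], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}")
```

The point of the rules is the location test, not the file name: a Run entry is suspicious because its target lives somewhere the user (and therefore drive-by malware running as the user) can write, which is also why the Malwarebytes deletions kept coming back while the DLL itself was left in place.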

Re: Antivirus System pro
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Antivirus System pro
I went to the link and started downloading the file by saving the file as commy.exe. As the download is getting completed, a pop-up comes up saying you need administrator privilege to copy this file (even though I am logged on as administrator). When I try to continue, nothing is happening and the file.

Am I doing something wrong?

Re: Antivirus System pro
I guess the malware is preventing the download of the ComboFix file. I tried saving it as "commy", "combo-fix", even tried "iexplore.exe", but a window pops up saying ComboFix[1] "needs administrator permission to copy into this file". When I click on continue, another message on User Account Control pops up, which then leads to nothing until I cancel the download. Is there some way of getting around this?

Re: Antivirus System pro
Please run Trend Micro Housecall online scan.

  • Click Scan now.
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

Re: Antivirus System pro
Hi,

Thanks for suggesting HouseCall. I ran the scan and it detected 3 infected items in Temporary Internet folders and cleaned them. After that I was able to download ComboFix; I tried running it after saving it as commy.exe on the desktop and running the command "%userprofile%\desktop\commy.exe" /stepdel. But it did not run, I suppose; a blue screen came up with the message "Trying to create a restore point". It was stuck there for an hour or so, after which I rebooted the system.

But I noticed that some new folders have been created on my C: drive, including commy (17 MB), qoobox, 32788R22FWJFW and another similar folder with a lot of letters.

Also the commy.exe file on the desktop seems to have disappeared. Is there something I should do to undo the entries or folders created by the aborted run of ComboFix?

Thanks...

Re: Antivirus System pro
Please download the Kaspersky AVP Tool from Kaspersky-labs.com.
  • Save it to your desktop.
  • Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

    • System Memory
    • Startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware in the report; it will be at the very top under Detected. Post those results in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.

Re: Antivirus System pro
Hi...

I ran the AVP tool in Safe Mode and followed the instructions today. The tool found quite a few infected items; please see the log below. The system seems to be working fine now; please review the log and let me know if any further steps are required.

AVP log:

Autoscan: completed 3 minutes ago (events: 141, objects: 988491, time: 05:59:07)
12/19/2009 2:28:30 AM Task started
12/19/2009 2:41:22 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\NAOCZ1.dll
12/19/2009 2:41:22 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\NAOCZ1.dll Postponed
12/19/2009 2:42:10 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 2:42:10 AM Untreated: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 2:44:03 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\Temp\c.exe
12/19/2009 2:44:03 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\Temp\c.exe Postponed
12/19/2009 2:45:51 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 2:45:51 AM Untreated: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 2:47:06 AM Detected: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 2:47:06 AM Untreated: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul Postponed
12/19/2009 2:48:48 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\Local Settings\NAOCZ1.dll
12/19/2009 2:48:48 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\Local Settings\NAOCZ1.dll Postponed
12/19/2009 2:49:45 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 2:49:45 AM Untreated: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 2:50:50 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\Local Settings\Temp\c.exe
12/19/2009 2:50:50 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\Local Settings\Temp\c.exe Postponed
12/19/2009 2:51:57 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\Local Settings\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 2:51:57 AM Untreated: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\Local Settings\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 2:53:12 AM Detected: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\Local Settings\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 2:53:12 AM Untreated: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\Local Settings\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul Postponed
12/19/2009 2:56:59 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 2:56:59 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 3:02:25 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 3:02:25 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 3:05:54 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 3:05:54 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 3:09:11 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 3:09:11 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 3:14:01 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\Local Settings\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 3:14:01 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\Local Settings\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 3:14:18 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\My Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 3:14:18 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\My Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 3:51:05 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\NAOCZ1.dll
12/19/2009 3:51:05 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\NAOCZ1.dll Postponed
12/19/2009 3:52:05 AM Detected: HEUR:Exploit.Script.Generic C:\Users\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 3:52:05 AM Untreated: HEUR:Exploit.Script.Generic C:\Users\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 3:53:08 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\Temp\c.exe
12/19/2009 3:53:08 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\Temp\c.exe Postponed
12/19/2009 3:54:19 AM Detected: HEUR:Exploit.Script.Generic C:\Users\Pennu\AppData\Local\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 3:54:19 AM Untreated: HEUR:Exploit.Script.Generic C:\Users\Pennu\AppData\Local\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 3:55:31 AM Detected: Trojan.JS.Gord.a C:\Users\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 3:55:31 AM Untreated: Trojan.JS.Gord.a C:\Users\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul Postponed
12/19/2009 3:57:13 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\NAOCZ1.dll
12/19/2009 3:57:13 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\NAOCZ1.dll Postponed
12/19/2009 3:58:11 AM Detected: HEUR:Exploit.Script.Generic C:\Users\Pennu\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 3:58:11 AM Untreated: HEUR:Exploit.Script.Generic C:\Users\Pennu\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 3:59:15 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\Temp\c.exe
12/19/2009 3:59:15 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\Temp\c.exe Postponed
12/19/2009 4:00:24 AM Detected: HEUR:Exploit.Script.Generic C:\Users\Pennu\Local Settings\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 4:00:24 AM Untreated: HEUR:Exploit.Script.Generic C:\Users\Pennu\Local Settings\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 4:01:37 AM Detected: Trojan.JS.Gord.a C:\Users\Pennu\Local Settings\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 4:01:37 AM Untreated: Trojan.JS.Gord.a C:\Users\Pennu\Local Settings\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul Postponed
12/19/2009 4:04:47 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 4:04:47 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 4:09:42 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 4:09:42 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 4:12:33 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 4:12:33 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 4:15:45 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 4:15:45 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 4:20:37 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 4:20:37 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 4:20:55 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\My Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 4:20:55 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\My Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 4:50:35 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 4:50:35 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 4:58:44 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\NAOCZ1.dll
12/19/2009 4:58:44 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\NAOCZ1.dll Postponed
12/19/2009 4:59:44 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 4:59:44 AM Untreated: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 5:00:48 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\Temp\c.exe
12/19/2009 5:00:48 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\Temp\c.exe Postponed
12/19/2009 5:01:59 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 5:01:59 AM Untreated: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 5:03:13 AM Detected: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 5:03:13 AM Untreated: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul Postponed
12/19/2009 5:04:56 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\Local Settings\NAOCZ1.dll
12/19/2009 5:04:56 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\Local Settings\NAOCZ1.dll Postponed
12/19/2009 5:05:55 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 5:05:55 AM Untreated: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 5:07:00 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\Local Settings\Temp\c.exe
12/19/2009 5:07:00 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\Local Settings\Temp\c.exe Postponed
12/19/2009 5:08:10 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\Local Settings\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 5:08:10 AM Untreated: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\Local Settings\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 5:09:24 AM Detected: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\Local Settings\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 5:09:24 AM Untreated: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\Local Settings\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul Postponed
12/19/2009 5:12:34 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 5:12:34 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 5:17:31 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 5:17:31 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 5:20:40 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 5:20:40 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 5:23:56 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 5:23:56 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 5:28:50 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\Local Settings\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 5:28:50 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\Local Settings\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 5:29:08 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\My Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 5:29:08 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\My Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 5:54:27 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\NAOCZ1.dll
12/19/2009 5:54:27 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\NAOCZ1.dll Postponed
12/19/2009 5:55:27 AM Detected: HEUR:Exploit.Script.Generic C:\Users\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 5:55:27 AM Untreated: HEUR:Exploit.Script.Generic C:\Users\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 5:56:30 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\Temp\c.exe
12/19/2009 5:56:30 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\Temp\c.exe Postponed
12/19/2009 5:57:39 AM Detected: HEUR:Exploit.Script.Generic C:\Users\Pennu\AppData\Local\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 5:57:39 AM Untreated: HEUR:Exploit.Script.Generic C:\Users\Pennu\AppData\Local\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 5:58:52 AM Detected: Trojan.JS.Gord.a C:\Users\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 5:58:52 AM Untreated: Trojan.JS.Gord.a C:\Users\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul Postponed
12/19/2009 6:00:35 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\NAOCZ1.dll
12/19/2009 6:00:35 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\NAOCZ1.dll Postponed
12/19/2009 6:01:35 AM Detected: HEUR:Exploit.Script.Generic C:\Users\Pennu\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 6:01:35 AM Untreated: HEUR:Exploit.Script.Generic C:\Users\Pennu\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 6:02:39 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\Temp\c.exe
12/19/2009 6:02:39 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\Temp\c.exe Postponed
12/19/2009 6:03:49 AM Detected: HEUR:Exploit.Script.Generic C:\Users\Pennu\Local Settings\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 6:03:49 AM Untreated: HEUR:Exploit.Script.Generic C:\Users\Pennu\Local Settings\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000 Postponed
12/19/2009 6:05:03 AM Detected: Trojan.JS.Gord.a C:\Users\Pennu\Local Settings\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 6:05:03 AM Untreated: Trojan.JS.Gord.a C:\Users\Pennu\Local Settings\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul Postponed
12/19/2009 6:08:14 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 6:08:14 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 6:13:08 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 6:13:08 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 6:16:27 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 6:16:27 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 6:19:40 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 6:19:40 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 6:24:34 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 6:24:34 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 6:24:52 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\My Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 6:24:52 AM Untreated: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\My Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact Postponed
12/19/2009 6:49:03 AM Detected: HEUR:Exploit.Script.Generic C:\Documents and Settings\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05QD50ZV\gout88[1].pdf/data0000
12/19/2009 8:26:11 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\NAOCZ1.dll
12/19/2009 8:26:25 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\Pennu\AppData\Local\Temp\c.exe
12/19/2009 8:26:35 AM Detected: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 8:26:49 AM Deleted: Trojan.JS.Gord.a C:\Documents and Settings\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}\chrome\content\overlay.xul
12/19/2009 8:26:49 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 8:27:07 AM Deleted: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 8:27:07 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 8:27:37 AM Deleted: not-a-virus:AdWare.Win32.ShowBehind.a C:\Documents and Settings\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe
12/19/2009 8:27:37 AM Task completed

Re: Antivirus System pro

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Antivirus System pro

Hi,

I already had MBAM installed, did an update and ran the full scan. Please see the log below:

Malwarebytes' Anti-Malware 1.42
Database version: 3406
Windows 6.0.6000
Internet Explorer 7.0.6000.16945

12/21/2009 5:04:30 PM
mbam-log-2009-12-21 (17-04-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 284620
Time elapsed: 1 hour(s), 35 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Pennu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XCDIHAD\get[2].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.


After this was deleted, I ran MBAM once again and it came clean. The system has been behaving normally. I have another question: should I install SP1 and SP2 for Vista? Will that help make my system more secure, or would you advise against doing that?

regards...

Re: Antivirus System pro

Not clean yet. No updates yet. There are a few exploits that were not taken care of in the Kaspersky AVP log.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
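
The Kaspersky log earlier in this thread reports the same objects several times because Vista keeps compatibility junctions (Documents and Settings points at Users, Local Settings at AppData\Local, My Documents at Documents, and AppData\Local\Temporary Internet Files at AppData\Local\Microsoft\Windows\Temporary Internet Files), and the final state of each object is only visible from its last line. The following Python script is an added example, not part of the thread and not a Kaspersky tool: it parses lines in that format, folds the aliases onto one canonical path, keeps the last action per (threat, path), and lists what was left on disk. The sample log is constructed after the posted lines and trimmed; the alias table is an assumption (the standard Vista junction layout).

```python
"""Reconcile Kaspersky-style detection lines across Vista path aliases.

Added example for this thread, not Kaspersky's own tooling. The alias table
is an assumption: it lists the standard Vista compatibility junctions.
"""
import re

# Vista compatibility junctions. Each alias is rewritten to the real location,
# in this order, so a "Documents and Settings\X\Local Settings\Temporary
# Internet Files" path collapses to the Microsoft\Windows\... path in 3 steps.
_ALIASES = [
    (re.compile(r"^c:\\documents and settings\\", re.I), r"C:\\Users\\"),
    (re.compile(r"\\local settings\\", re.I), r"\\AppData\\Local\\"),
    (re.compile(r"\\my documents\\", re.I), r"\\Documents\\"),
    (re.compile(r"\\appdata\\local\\temporary internet files\\", re.I),
     r"\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\"),
]

# One report line: timestamp, action, threat name, object path, optional reason.
_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>Detected|Untreated|Deleted|Quarantined|Disinfected):\s+"
    r"(?P<threat>\S+)\s+(?P<path>.+?)(?:\s+(?P<reason>Postponed))?$"
)

# Constructed sample, modelled on the lines posted in this thread and trimmed.
SAMPLE_LOG = r"""
12/19/2009 5:17:31 AM Detected: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 5:17:31 AM Untreated: Exploit.JS.Pdfka.al C:\Documents and Settings\Sajeev\AppData\Local\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 5:23:56 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 5:23:56 AM Untreated: Exploit.JS.Pdfka.al C:\Users\Sajeev\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm Postponed
12/19/2009 5:56:30 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\Temp\c.exe
12/19/2009 5:56:30 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\AppData\Local\Temp\c.exe Postponed
12/19/2009 6:02:39 AM Detected: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\Temp\c.exe
12/19/2009 6:02:39 AM Untreated: HEUR:Trojan.Win32.Generic C:\Users\Pennu\Local Settings\Temp\c.exe Postponed
12/19/2009 8:26:49 AM Detected: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 8:27:07 AM Deleted: Exploit.JS.Pdfka.al C:\Users\Sajeev\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XN8MHALM\count[1].htm
12/19/2009 8:27:07 AM Detected: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe/data/PECompact
12/19/2009 8:27:37 AM Deleted: not-a-virus:AdWare.Win32.ShowBehind.a C:\Users\Sajeev\Documents\pennu\Games\southpm2.zip/southpm2.exe
12/19/2009 8:27:37 AM Task completed
"""


def canonical_path(path):
    """Drop the archive-member suffix and fold junction aliases onto one path."""
    container = path.split("/", 1)[0]  # '/' separates members inside archives
    for pattern, replacement in _ALIASES:
        container = pattern.sub(replacement, container)
    return container.lower()


def parse_log(text):
    """One dict per report line; summary lines such as 'Task completed' are skipped."""
    events = []
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def reconcile(text):
    """Map (threat, canonical path) to the last action the scanner recorded."""
    status = {}
    for event in parse_log(text):
        key = (event["threat"], canonical_path(event["path"]))
        status[key] = event["action"]  # a later line overrides an earlier one
    return status


def untreated(text):
    """Objects whose last recorded action left them on disk."""
    return [key for key, action in reconcile(text).items()
            if action in ("Detected", "Untreated")]


if __name__ == "__main__":
    for (threat, path), action in reconcile(SAMPLE_LOG).items():
        print(f"{action:<10} {threat:<40} {path}")
    print("still on disk:", untreated(SAMPLE_LOG))
```

Run it as a script for a printed report, or paste a real log into `untreated()`. A "Postponed" entry records that no action was taken on the object, so anything whose last line is Detected or Untreated is still present and is what the helper above means by exploits not taken care of; the archive case (ShowBehind) shows why the member suffix has to be dropped, since the scanner reports the member but deletes the container.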

Re: Antivirus System pro

I downloaded ComboFix and saved it as commy and then, after disabling my antivirus software (McAfee), I ran the command as advised. ComboFix started running and gave a message that Norton Internet Security may be active and I should disable it. I had uninstalled Norton 2 years back and don't have any Norton application left to uninstall; I also checked the folders and there is nothing by the name Norton Internet Security, so I clicked OK and continued to run ComboFix. It opened a blue screen window titled Administrator and now is stuck displaying the message "attempting to create a new system restore point" for the past 20 minutes or so. Not sure if ComboFix is running; should I reboot the system or try running it again?
Please advise....

Re: Antivirus System pro

Go ahead and reboot.

Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\commy.exe" /killall

See if ComboFix will run now.

Re: Antivirus System pro

I ran the command with "killall" as instructed. It killed the previously open cmd window where ComboFix was stuck and opened a new cmd window. But along with that a Windows message popped up saying "new update is available for ComboFix", download yes or no. I got suspicious and killed the message using Task Manager. I ran the command again using "killall". This time again the new cmd window popped up saying ComboFix is preparing to run; the reg files got backed up but nothing else is happening. It's stuck after that step with the cmd window showing "ComboFix is preparing to run" and then the cursor stuck blinking on the next line for the last 30 minutes or so.

Re: Antivirus System pro

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Antivirus System pro

Hi...

After ComboFix was not running well, I ran the full scan using MBAM after updating the database. Please see the results below. It came off saying no infections, but I don't think the infection is cleared.

Malwarebytes' Anti-Malware 1.42
Database version: 3425
Windows 6.0.6000
Internet Explorer 8.0.6001.18865

12/24/2009 4:42:14 PM
mbam-log-2009-12-24 (16-42-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 282576
Time elapsed: 1 hour(s), 34 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Antivirus System pro

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Re: Antivirus System pro

Hi,

Before running the rootkit scanner, I tried to run ComboFix one more time and used the killall command after it got stuck the first time. This time around ComboFix ran successfully, rebooted my computer and produced the log. Please see the log below:

ComboFix 09-12-21.02 - Sajeev 12/27/2009 13:55:12.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2046.1476 [GMT -8:00]
Running from: c:\users\Sajeev\Desktop\commy.exe
Command switches used :: /killall
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
/wow section - STAGE 1


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500

.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-27 22:02 . 2009-12-27 22:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-27 22:02 . 2009-12-27 22:02 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-12-27 21:53 . 2009-12-27 21:54 -------- d-----w- C:\32788R22FWJFW
2009-12-27 21:50 . 2009-12-27 21:54 -------- d-----w- C:\Commy28393C
2009-12-24 22:15 . 2009-12-24 22:31 -------- d-----w- C:\Commy29355C
2009-12-22 08:30 . 2009-12-22 08:39 -------- d-----w- C:\Commy
2009-12-20 02:36 . 2009-12-20 02:36 -------- d-----w- c:\users\Sajeev\AppData\Local\Apple Computer
2009-12-19 10:23 . 2009-12-19 10:23 -------- d-----w- c:\programdata\Kaspersky Lab
2009-12-14 08:43 . 2009-12-14 08:46 -------- d-----w- c:\programdata\RosettaStoneLtdServices
2009-12-14 08:43 . 2009-12-14 08:43 -------- d-----w- c:\program files\RosettaStoneLtdServices
2009-12-09 10:16 . 2009-11-09 13:34 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 10:16 . 2009-11-09 13:30 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 10:16 . 2009-11-09 11:17 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 02:57 . 2009-08-24 12:47 378368 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 02:55 . 2009-10-07 12:47 232960 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 02:55 . 2009-10-07 12:47 274432 ----a-w- c:\windows\system32\raschap.dll
2009-12-08 23:50 . 2009-12-27 02:13 -------- d-----w- c:\users\Sajeev\AppData\Roaming\Skype
2009-12-04 01:08 . 2009-12-04 01:09 -------- d-----w- c:\users\Pennu\AppData\Roaming\Winamp
2009-12-01 14:26 . 2009-12-01 14:26 -------- d-----w- c:\users\Pennu\AppData\Local\{C722E63E-9777-4F57-86F2-4773B8400214}
2009-12-01 12:57 . 2009-12-19 04:40 120 ----a-w- c:\users\Pennu\AppData\Local\Nqehil.dat
2009-12-01 12:57 . 2009-12-19 02:03 0 ----a-w- c:\users\Pennu\AppData\Local\Aqipuz.bin
2009-12-01 12:54 . 2009-12-01 12:54 -------- d-----w- c:\users\Pennu\AppData\Roaming\Malwarebytes
2009-12-01 12:15 . 2009-12-01 12:15 -------- d-----w- c:\users\Sajeev\AppData\Roaming\Malwarebytes
2009-12-01 12:15 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 12:15 . 2009-12-09 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-01 12:15 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 12:15 . 2009-12-01 12:15 -------- d-----w- c:\programdata\Malwarebytes
2009-12-01 10:52 . 2009-12-01 10:52 2962 ----a-w- c:\users\Pennu\AppData\Local\arafecufica.dll
2009-12-01 09:03 . 2009-12-01 09:03 2962 ----a-w- c:\users\Pennu\AppData\Local\ikivehadaj.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 05:16 . 2007-01-01 20:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-16 15:48 . 2007-04-29 22:28 7808 ----a-w- c:\users\Sajeev\AppData\Local\d3d9caps.dat
2009-12-09 00:55 . 2009-12-09 00:55 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-07 08:34 . 2008-01-26 20:13 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-01 20:50 . 2008-01-10 17:03 7808 ----a-w- c:\users\Pennu\AppData\Local\d3d9caps.dat
2009-11-25 11:21 . 2009-01-10 01:11 -------- d-----w- c:\program files\McAfee
2009-11-21 06:40 . 2009-12-22 01:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-22 01:49 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-22 01:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-22 01:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-29 07:59 . 2009-11-25 11:02 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 15:01 . 2009-12-09 02:57 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2007-03-11 09:39 . 2007-03-11 09:39 88 --sha-r- c:\windows\System32\20B142885A.sys
2007-03-11 09:40 . 2007-03-11 09:39 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-01-05 20:18 . 2007-01-05 20:18 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"DellTransferAgent"="c:\programdata\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"DellHelp"="c:\dell\DellHelp\DellHelp.exe" [2004-04-01 1589248]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-01 26112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 497176]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-12-22 756248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-04 1394000]

c:\users\Sajeev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-1-1 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-6 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickSet.lnk - c:\windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-4-6 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070101
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SetupWizard - D:\SetupWizard.exe
ActiveSetup-ccc-core-static - msiexec



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 14:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\ProgID]
@Denied: (A) (Everyone)
@="{130DD502-9E74-4187-839C-C35B3164EAB6}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\Version]
@Denied: (A) (Everyone)
@="{130DD502-9E74-4187-839C-C35B3164EAB6}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(8988)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-12-27 14:14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 22:14

Pre-Run: 30,236,528,640 bytes free
Post-Run: 31,695,314,944 bytes free

- - End Of File - - A119BD1C7FBC0757A00C145833749197

Re: Antivirus System pro

Try to run GMER and post a log please.

Re: Antivirus System pro

Hi,

I tried running GMER multiple times over the last week or so, but it's not running completely. It gets stuck at some point and then the computer gets restarted. It did run completely once; it did not give any messages, but when I tried to 'save' the log, the system froze and I had to restart. So the bottom line is the GMER runs have not been successful. Please let me know alternate ways to clean up the system. Also, I have the ComboFix log in my previous post, OK?

cheers!

PS: Wish you a happy new year

Re: Antivirus System pro

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code:

@echo off
rem Run GMER under a different file name: malware that blocks gmer.exe by
rem name will not recognise the copy.
copy /y gmer.exe ark.exe
start ark.exe


Save it into the gmer folder as File name: ark.cmd
Save as type: All Files

Once done, double click ark.cmd to run it.

This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.

Re: Antivirus System pro

Hi,

thanks for the prompt response.

I executed the command file for GMER as instructed, but got pretty much the same result. After starting the scan, it went on for a few minutes and, as it started scanning the stuff in users/username/appdata/windows/temporary internet files/macromed/flash......... the scan froze and after some time I got a blue screen saying page fault at 'uridsys' (or something like that); not sure if I got the page fault message right.

I don't know if the issue is Adobe Flash Player related. Earlier with HouseCall, 2-3 infections were detected in the temp internet files folder for the same user; they were cleaned/quarantined.

please let me know what could be the next steps...

Re: Antivirus System pro

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    uridsys
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe
    atapi.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
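
SystemLook's :filefind lists every copy of each name with its size and MD5, which is what makes the list above useful: the names are core system files that file infectors and rootkits of that era replaced or patched on disk, and a patched copy in System32 shows up as a hash that matches none of the pristine copies Windows keeps in WinSxS (or the backup ComboFix keeps in ERDNT\cache). The following Python script is an added example, not part of SystemLook or of this thread: it parses :filefind output and, for each name, compares the live copy under \Windows\System32\ against those reference copies. The sample output is constructed: the scecli.dll block mirrors the layout of real output, the atapi.sys block is an invented mismatch with placeholder hashes (not a finding about any real machine), and uridsys is a name with no hits.

```python
"""Compare System32 copies against reference copies in SystemLook :filefind
output. Added example for this thread; not part of SystemLook."""
import re

_SEARCH = re.compile(r'^Searching for "(?P<name>[^"]+)"')
# path, six attribute flags, size, two bracketed timestamps, MD5
_ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

LIVE_DIR = "\\windows\\system32\\"                    # what Windows actually loads
REFERENCE_DIRS = ("\\winsxs\\", "\\erdnt\\cache\\")   # servicing store, ComboFix backup
# C:\i386 and SoftwareDistribution\Download hold installer/update payloads and
# are deliberately not used as references.

# Constructed sample: the scecli.dll block mirrors real output; the atapi.sys
# block is an invented mismatch with placeholder hashes (not a finding about
# any real machine); uridsys is a name with no hits.
SAMPLE_OUTPUT = r"""
========== filefind ==========

Searching for "uridsys"
No files found.

Searching for "scecli.dll"
C:\i386\scecli.dll --a--- 180224 bytes [04:24 17/01/2007] [11:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\Windows\ERDNT\cache\scecli.dll --a--- 176640 bytes [22:13 27/12/2009] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\System32\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61

Searching for "atapi.sys"
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [00:00 01/01/2009] [00:00 01/01/2009] 00000000000000000000000000000001
C:\Windows\winsxs\x86_constructed_example\atapi.sys --a--- 19048 bytes [08:43 02/11/2006] [09:46 02/11/2006] 00000000000000000000000000000002
"""


def parse_filefind(text):
    """Map each searched name to the list of copies SystemLook found for it."""
    results, current = {}, None
    for line in text.splitlines():
        hit = _SEARCH.match(line)
        if hit:
            current = hit.group("name")
            results[current] = []
            continue
        entry = _ENTRY.match(line)
        if entry and current is not None:
            results[current].append({
                "path": entry.group("path"),
                "size": int(entry.group("size")),
                "md5": entry.group("md5").upper(),
            })
    return results


def classify(entries):
    """Compare the live System32 copy/copies with the reference hashes."""
    live = [e for e in entries if LIVE_DIR in e["path"].lower()]
    refs = {e["md5"] for e in entries
            if any(d in e["path"].lower() for d in REFERENCE_DIRS)}
    if not live:
        return "not present in System32"
    if not refs:
        return "no reference copy"
    return "ok" if all(e["md5"] in refs for e in live) else "mismatch"


def check(text):
    """Verdict per searched name for a whole :filefind log."""
    return {name: classify(entries)
            for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, verdict in check(SAMPLE_OUTPUT).items():
        print(f"{verdict:<26} {name}")
```

Paste a real SystemLook.txt into `check()` and look at the mismatches first. On Vista the System32 file is normally a hard link into the WinSxS component store, so a live copy whose hash matches no WinSxS copy is a strong lead; the SoftwareDistribution\Download copies in the log above carry version 6.0.6001 (a downloaded SP1 payload that has not been installed) and are excluded for that reason. A clean on-disk comparison does not rule out a driver being hooked in memory, which is why the helper also wanted a GMER log.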

Re: Antivirus System pro

Hi...

Please find below the log from systemlook.

=======================
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:49 on 07/01/2010 by Sajeev (Administrator - Elevation successful)

========== filefind ==========

Searching for "uridsys"
No files found.

Searching for "scecli.dll"
C:\i386\scecli.dll --a--- 180224 bytes [04:24 17/01/2007] [11:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\Windows\ERDNT\cache\scecli.dll --a--- 176640 bytes [22:13 27/12/2009] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [21:35 15/09/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\System32\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61

Searching for "netlogon.dll"
C:\i386\netlogon.dll --a--- 407040 bytes [04:23 17/01/2007] [11:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\Windows\ERDNT\cache\netlogon.dll --a--- 559616 bytes [22:13 27/12/2009] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [21:37 15/09/2008] [07:35 19/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F
C:\Windows\System32\netlogon.dll --a--- 559616 bytes [08:45 02/11/2006] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B
C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll --a--- 559616 bytes [08:45 02/11/2006] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [04:20 17/01/2007] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78

Searching for "winlogon.exe"
C:\i386\winlogon.exe --a--- 502272 bytes [04:25 17/01/2007] [11:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\Sajeev\Malwarebytes_Anti-Malware_1.41\winlogon.exe --a--- 4045528 bytes [12:13 01/12/2009] [12:13 01/12/2009] 866E72C78E98CA4919CD16724A3BD4C1
C:\Windows\ERDNT\cache\winlogon.exe --a--- 308224 bytes [22:13 27/12/2009] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe --a--- 314880 bytes [21:36 15/09/2008] [07:33 19/01/2008] C2610B6BDBEFC053BBDAB4F1B965CB24
C:\Windows\System32\winlogon.exe --a--- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe --a--- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD

Searching for "comres.dll"
C:\i386\comres.dll --a--- 792064 bytes [04:17 17/01/2007] [11:00 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [21:35 15/09/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD
C:\Windows\System32\comres.dll --a--- 1236992 bytes [07:29 02/11/2006] [08:50 02/11/2006] 4843A1784BA6434DFF80F841DDC592C6
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6000.16386_none_2a7a18dbe946c84f\comres.dll --a--- 1236992 bytes [07:29 02/11/2006] [08:50 02/11/2006] 4843A1784BA6434DFF80F841DDC592C6

Searching for "crypt32.dll"
C:\i386\crypt32.dll --a--- 597504 bytes [04:19 17/01/2007] [11:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\crypt32.dll --a--- 977408 bytes [21:36 15/09/2008] [07:34 19/01/2008] D4D86075510C02F887528207D8E0D713
C:\Windows\System32\crypt32.dll --a--- 974336 bytes [08:43 02/11/2006] [09:46 02/11/2006] 360191D2A50180C3E0673BAB7F5529E0
C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6000.16386_none_5938ffdfe0e8b606\crypt32.dll --a--- 974336 bytes [08:43 02/11/2006] [09:46 02/11/2006] 360191D2A50180C3E0673BAB7F5529E0

Searching for "gpedit.dll"
C:\i386\gpedit.dll --a--- 566784 bytes [04:20 17/01/2007] [11:00 04/08/2004] C4EE648B2474D84CF081C3FE0DC578DA
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6001.18000_none_ce322c9564e76885\gpedit.dll --a--- 936960 bytes [21:35 15/09/2008] [07:34 19/01/2008] E3DDEB38C6303086F79C6B7E83C372C8
C:\Windows\System32\gpedit.dll --a--- 935936 bytes [08:46 02/11/2006] [09:46 02/11/2006] 1C2761A389791C98E8A11A1539D6BB71
C:\Windows\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6000.16386_none_cbfb6a9967fc57b1\gpedit.dll --a--- 935936 bytes [08:46 02/11/2006] [09:46 02/11/2006] 1C2761A389791C98E8A11A1539D6BB71

Searching for "rundll32.exe"
C:\i386\rundll32.exe --a--- 33280 bytes [04:24 17/01/2007] [11:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\Windows\System32\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A
C:\Windows\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.0.6000.16386_none_d5ce8f93adff8210\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A

Searching for "sfc.dll"
C:\i386\sfc.dll --a--- 5120 bytes [04:24 17/01/2007] [11:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\Windows\ERDNT\cache\sfc.dll --a--- 4608 bytes [22:13 27/12/2009] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\Windows\System32\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\Windows\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.0.6000.16386_none_a4ff01505f4694a4\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\Windows\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.0.6001.18000_none_a735c34c5c31a578\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8

Searching for "svchost.exe"
C:\i386\svchost.exe --a--- 14336 bytes [04:25 17/01/2007] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\Windows\ERDNT\cache\svchost.exe --a--- 22016 bytes [22:13 27/12/2009] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe --a--- 21504 bytes [21:34 15/09/2008] [07:33 19/01/2008] 3794B461C45882E06856F282EEF025AF
C:\Windows\System32\svchost.exe --a--- 22016 bytes [08:35 02/11/2006] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe --a--- 22016 bytes [08:35 02/11/2006] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09

Searching for "cngaudit.dll"
C:\Windows\ERDNT\cache\cngaudit.dll --a--- 11776 bytes [22:13 27/12/2009] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\Windows\System32\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

Searching for "beep.sys"
C:\i386\beep.sys --a--- 4224 bytes [04:20 17/01/2007] [11:00 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\Windows\ERDNT\cache\beep.sys --a--- 6144 bytes [22:13 27/12/2009] [08:51 02/11/2006] AC3DD1708B22761EBD7CBE14DCC3B5D7
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys --a--- 6144 bytes [21:33 15/09/2008] [05:49 19/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6
C:\Windows\System32\drivers\beep.sys --a--- 6144 bytes [08:51 02/11/2006] [08:51 02/11/2006] AC3DD1708B22761EBD7CBE14DCC3B5D7
C:\Windows\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6000.16386_none_c1e9df570ab23787\beep.sys --a--- 6144 bytes [08:51 02/11/2006] [08:51 02/11/2006] AC3DD1708B22761EBD7CBE14DCC3B5D7

Searching for "wscntfy.exe"
C:\i386\wscntfy.exe --a--- 13824 bytes [04:26 17/01/2007] [11:00 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297

Searching for "atapi.sys"
C:\$WINDOWS.~Q\DATA\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--- 95360 bytes [20:25 01/01/2007] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\i386\atapi.sys --a--- 95360 bytes [04:19 17/01/2007] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Windows\ERDNT\cache\atapi.sys --a--- 19048 bytes [22:13 27/12/2009] [20:18 05/01/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [21:35 15/09/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys --a--- 19048 bytes [20:18 05/01/2007] [20:18 05/01/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\drivers\atapi.sys --a--- 19048 bytes [08:51 02/11/2006] [20:18 05/01/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys --a--- 19048 bytes [20:18 05/01/2007] [20:18 05/01/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys --a--- 19048 bytes [20:18 05/01/2007] [20:18 05/01/2007] 5653737BAD8C6C10136451C195C19881

-=End Of File=-
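Reading a filefind log like the one above by hand means eyeballing MD5s across System32, winsxs and the i386 install source. The following added example (not part of this thread, and not SystemLook's own code) parses that log format and flags a System32 copy that is absent, as eventlog.dll is above, or whose hash matches no component-store copy; the `example.dll` entry and its hashes are constructed to show the mismatch case.

```python
"""Cross-check SystemLook ':filefind' results for missing or altered system files.

For each searched name, compare the MD5 of the live copy under
C:\\Windows\\System32 (or System32\\drivers) with the copies Windows keeps in the
component store (C:\\Windows\\winsxs). A live copy whose hash matches none of the
winsxs copies, or no live copy at all, deserves a closer look.
"""
import re

# One result line: path, attribute flags, size, two bracketed timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-F]{32})\s*$",
    re.IGNORECASE,
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')

# Directories holding the copy Windows actually loads.
LIVE_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}

# Constructed sample: real lines from the SystemLook log above plus a made-up
# 'example.dll' whose System32 hash differs from its winsxs hash.
SAMPLE_LOG = r"""
Searching for "uridsys"
No files found.

Searching for "scecli.dll"
C:\Windows\System32\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [04:20 17/01/2007] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78

Searching for "atapi.sys"
C:\Windows\System32\drivers\atapi.sys --a--- 19048 bytes [08:51 02/11/2006] [20:18 05/01/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys --a--- 19048 bytes [20:18 05/01/2007] [20:18 05/01/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys --a--- 19048 bytes [20:18 05/01/2007] [20:18 05/01/2007] 5653737BAD8C6C10136451C195C19881

Searching for "example.dll"
C:\Windows\System32\example.dll --a--- 1024 bytes [08:43 02/11/2006] [09:46 02/11/2006] 00000000000000000000000000000001
C:\Windows\winsxs\x86_example_constructed\example.dll --a--- 1024 bytes [08:43 02/11/2006] [09:46 02/11/2006] 00000000000000000000000000000002
"""


def parse_filefind(text):
    """Return {searched_name: [{path, size, md5}, ...]}; an empty list means 'No files found.'."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            results[current] = []
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            results[current].append(
                {"path": m.group("path"), "size": int(m.group("size")),
                 "md5": m.group("md5").upper()})
    return results


def classify(entries):
    """Classify one name's copies: not found / missing / ok / mismatch / unverified."""
    if not entries:
        return "not found"        # the search itself hit nothing (e.g. a malware name)
    live = [e for e in entries if e["path"].rsplit("\\", 1)[0].lower() in LIVE_DIRS]
    store = {e["md5"] for e in entries if "\\winsxs\\" in e["path"].lower()}
    if not live:
        return "missing"          # no copy in System32: deleted or never installed
    if not store:
        return "unverified"       # nothing in the component store to compare against
    if all(e["md5"] in store for e in live):
        return "ok"               # live copy is identical to a shipped version
    return "mismatch"             # live copy matches no winsxs copy: investigate


def audit(text):
    """Map each searched file name in a filefind log to its classification."""
    return {name: classify(entries) for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_LOG).items():
        print(f"{name:<14} {verdict}")
```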

Re: Antivirus System pro
Let's redo part of this for SystemLook.


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    *uridsys*
    * .exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

==

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    C:\i386\eventlog.dll | C:\windows\system32\eventlog.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: CFScript.txt being dragged onto ComboFix.exe)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: Antivirus System pro
Hi,

I ran SystemLook again as per the code provided, and also ran ComboFix with the CFScript. But something peculiar happened before ComboFix ran: it gave a message saying ComboFix needs to be updated, then it connected to some server, updated itself and then ran, producing a log. Is this normal?

Anyway, please find the logs below for SystemLook and ComboFix.

1. SystemLook:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:56 on 08/01/2010 by Sajeev (Administrator - Elevation successful)

========== filefind ==========

Searching for "*uridsys*"
No files found.

Searching for "* .exe"
No files found.

-=End Of File=-

2. ComboFix (Commy) ran with the CFScript provided - log:

ComboFix 10-01-04.01 - Sajeev 01/08/2010 13:09:09.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2046.1008 [GMT -8:00]
Running from: c:\users\Sajeev\Desktop\Commy.exe
Command switches used :: c:\users\Sajeev\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
/wow section - STAGE 1


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 21:14 . 2010-01-08 21:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-08 21:14 . 2010-01-08 21:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-08 21:14 . 2010-01-08 21:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-08 21:09 . 2004-08-04 11:00 55808 ----a-w- c:\windows\system32\eventlog.dll
2010-01-08 21:06 . 2010-01-08 21:07 -------- d-----w- C:\32788R22FWJFW
2010-01-05 09:57 . 2010-01-05 09:57 144160 ----a-w- c:\users\Sajeev\AppData\Roaming\Move Networks\uninstall.exe
2010-01-05 09:57 . 2010-01-05 09:57 -------- d-----w- c:\users\Sajeev\AppData\Roaming\Move Networks
2009-12-27 21:50 . 2009-12-27 21:54 -------- d-----w- C:\Commy28393C
2009-12-24 22:15 . 2009-12-24 22:31 -------- d-----w- C:\Commy29355C
2009-12-22 08:30 . 2009-12-22 08:39 -------- d-----w- C:\Commy
2009-12-20 02:36 . 2009-12-20 02:36 -------- d-----w- c:\users\Sajeev\AppData\Local\Apple Computer
2009-12-19 10:23 . 2009-12-19 10:23 -------- d-----w- c:\programdata\Kaspersky Lab
2009-12-14 08:43 . 2009-12-14 08:46 -------- d-----w- c:\programdata\RosettaStoneLtdServices
2009-12-14 08:43 . 2009-12-14 08:43 -------- d-----w- c:\program files\RosettaStoneLtdServices

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 09:57 . 2009-12-07 01:22 5603776 ----a-w- c:\users\Sajeev\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
2010-01-03 04:07 . 2009-12-01 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 04:07 . 2009-12-09 00:55 5061520 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-01 07:01 . 2008-01-26 20:13 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-30 22:55 . 2009-12-01 12:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:54 . 2009-12-01 12:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 21:16 . 2009-12-08 23:50 -------- d-----w- c:\users\Sajeev\AppData\Roaming\Skype
2009-12-28 21:19 . 2007-04-29 22:28 7808 ----a-w- c:\users\Sajeev\AppData\Local\d3d9caps.dat
2009-12-22 05:16 . 2007-01-01 20:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-19 04:40 . 2009-12-01 12:57 120 ----a-w- c:\users\Pennu\AppData\Local\Nqehil.dat
2009-12-19 02:03 . 2009-12-01 12:57 0 ----a-w- c:\users\Pennu\AppData\Local\Aqipuz.bin
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\users\Sajeev\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 01:09 . 2009-12-04 01:08 -------- d-----w- c:\users\Pennu\AppData\Roaming\Winamp
2009-12-01 20:50 . 2008-01-10 17:03 7808 ----a-w- c:\users\Pennu\AppData\Local\d3d9caps.dat
2009-12-01 12:54 . 2009-12-01 12:54 -------- d-----w- c:\users\Pennu\AppData\Roaming\Malwarebytes
2009-12-01 12:15 . 2009-12-01 12:15 -------- d-----w- c:\users\Sajeev\AppData\Roaming\Malwarebytes
2009-12-01 12:15 . 2009-12-01 12:15 -------- d-----w- c:\programdata\Malwarebytes
2009-12-01 10:52 . 2009-12-01 10:52 2962 ----a-w- c:\users\Pennu\AppData\Local\arafecufica.dll
2009-12-01 09:03 . 2009-12-01 09:03 2962 ----a-w- c:\users\Pennu\AppData\Local\ikivehadaj.dll
2009-11-25 11:21 . 2009-01-10 01:11 -------- d-----w- c:\program files\McAfee
2009-11-21 06:40 . 2009-12-22 01:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-22 01:49 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-22 01:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-22 01:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 13:34 . 2009-12-09 10:16 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30 . 2009-12-09 10:16 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:17 . 2009-12-09 10:16 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 07:59 . 2009-11-25 11:02 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 15:01 . 2009-12-09 02:57 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2007-03-11 09:39 . 2007-03-11 09:39 88 --sha-r- c:\windows\System32\20B142885A.sys
2007-03-11 09:40 . 2007-03-11 09:39 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-01-05 20:18 . 2007-01-05 20:18 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"DellTransferAgent"="c:\programdata\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"DellHelp"="c:\dell\DellHelp\DellHelp.exe" [2004-04-01 1589248]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-01 26112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 497176]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-12-22 756248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-30 1389904]

c:\users\Sajeev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-1-1 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-6 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickSet.lnk - c:\windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-4-6 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-24 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-24 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070101
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 13:14
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\ProgID]
@Denied: (A) (Everyone)
@="{130DD502-9E74-4187-839C-C35B3164EAB6}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\Version]
@Denied: (A) (Everyone)
@="{130DD502-9E74-4187-839C-C35B3164EAB6}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-08 13:17:48
ComboFix-quarantined-files.txt 2010-01-08 21:17
ComboFix2.txt 2009-12-27 22:14

Pre-Run: 32,517,271,552 bytes free
Post-Run: 32,497,868,800 bytes free

- - End Of File - - E684F7D64804D944BF820AE2873872B9

Re: Antivirus System pro
Yeah, that was fine for ComboFix. I was expecting it to update soon.

How is your computer running now?

Re: Antivirus System pro
Hi,

The computer seems to be running fine now, but there are multiple folders created on the C: drive, which are related to ComboFix runs I guess. How do I get rid of them? Also, are there any other scans I need to run to ensure the computer is clean?

Re: Antivirus System pro
To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

(image: "ComboFix /uninstall" typed into the Run box)

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: Antivirus System pro

Hi,

Please find below the log from security check:

Results of screen317's Security Check version 0.99.1
Windows Vista (UAC is enabled)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee SecurityCenter
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Also, I ran the uninstall command for ComboFix. It ran successfully, but the folders created on the root of C: have not been deleted.

Following are the folders that are now appearing on the C: root:

1. $INPLACE.~TR
2. $WINDOWS.~Q
3. Boot
4. 32788R22FWJFW
5. Commy
6. Commy882c
7. Commy28393c
8. Commy29355c
9. Config.Msi
10. e8535ee0d396b26b8f

Not sure if these folders were created by repeated running of ComboFix and GMER, or were created due to the infection.

Don't recollect these folders being present before the Antivirus System Pro infection.

Also, the two folders starting with '$' are not allowing me access (even though I am logged on as Admin). It's directing me to a Windows access control message.

Please advise if (and how) I should get rid of these folders.

Thanks...
