16.01.2008 16:13 - Post #1
Newbie (Group: Members, Posts: 8, Joined: 16.01.2008)
Hi mods, please help me. My laptop has been attacked by this virus, known as CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb]. It:
- copied V3-Force.exe into the system32 folder,
- blocked all administration tasks,
- pops up "Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!" x100 words during startup, etc.
I've scanned using KAV 6 and used the online scanner to scan the V3-Force.exe file, but it can't detect anything. Thanks in advance.
16.01.2008 16:16 - Post #2
True legend (Group: Moderators, Posts: 52487, Joined: 28.01.2006, From: Timisoara, Romania)
Hello,
send the V3-Force executable to newvirus@kaspersky.com: http://forum.kaspersky.com/index.php?showtopic=13881 and post a ComboFix log: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
16.01.2008 16:49 - Post #3
Newbie (Group: Members, Posts: 8, Joined: 16.01.2008)
QUOTE
hello
send the V3-Force executable to newvirus@kaspersky.com: http://forum.kaspersky.com/index.php?showtopic=13881 and post a ComboFix log: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

I've sent the email, but I'm not sure whether the file is correctly attached or not, since the file has disappeared and I can't set it to view hidden files. I know of the existence of the files from the HijackThis log. And this is the ComboFix log:

------------------------
ComboFix 08-01-16.4 - POO 2008-01-16 21:46:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1680 [GMT 8:00]
Running from: C:\Documents and Settings\POO\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Nokia Software\Nokia Selection\game\_desktop.ini
C:\Nokia Software\Nokia Selection\game\EA Games NEED FOR SPEED UNDERGROUND 3D\_desktop.ini
C:\Nokia Software\Nokia Selection\game\Foto Quest Fishing\_desktop.ini
C:\Nokia Software\Nokia Selection\game\Game Of Life\_desktop.ini
C:\Nokia Software\Nokia Selection\game\Sonic the Hedgehog Part 1\_desktop.ini
C:\WINDOWS\system32\pskill.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
2008-01-16 21:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> drahs---- C:\WINDOWS\system32\setupNT
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> d-------- C:\WINDOWS\system32\download
2008-01-16 20:41 . 2008-01-11 16:50 1,616,384 -rahs---- C:\WINDOWS\system32\V3-Force.exe
2008-01-16 20:41 . 2008-01-16 18:00 20,184 --ahs---- C:\WINDOWS\system32\cipaplu.exe
2008-01-16 20:41 . 2008-01-16 20:43 1,948 --ahs---- C:\WINDOWS\system32\mirc.ini
2008-01-16 20:41 . 2008-01-16 20:41 1,077 --a------ C:\WINDOWS\system32\mycaption.reg
2008-01-16 20:41 . 2008-01-16 20:41 348 --ahs---- C:\WINDOWS\system32\butuhlu.bat
2008-01-16 20:41 . 2008-01-16 20:41 165 --a------ C:\WINDOWS\system32\forattrib.bat
2008-01-16 20:41 . 2008-01-16 20:41 34 --a------ C:\WINDOWS\system32\remote.ini
2008-01-16 20:41 . 2008-01-16 20:41 21 --a------ C:\WINDOWS\system32\makedir.bat
2008-01-16 17:32 . 2008-01-16 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-15 12:41 . 2008-01-15 12:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-15 12:41 . 2008-01-15 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 12:40 . 2008-01-15 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 20:59 . 2008-01-14 20:59 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-01-14 20:59 . 2008-01-16 17:24 <DIR> d-------- C:\Downloads
2008-01-14 20:59 . 2008-01-16 17:27 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Orbit
2008-01-14 11:36 . 2008-01-15 19:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-14 00:13 . 2008-01-14 00:13 78,415 --a------ C:\WINDOWS\system32\drivers\klif.cab
2008-01-14 00:03 . 2008-01-14 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-13 19:34 . 2008-01-13 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-01-13 19:34 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-13 19:34 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-01-13 19:34 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-13 19:33 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-13 19:33 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-13 19:26 . 2006-08-29 22:56 32,377 --a------ C:\WINDOWS\system32\drivers\prodigy.sys
2008-01-13 19:25 . 2008-01-13 19:26 <DIR> d-------- C:\Program Files\NSS
2008-01-13 13:00 . 2008-01-14 11:19 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-13 05:47 . 2008-01-13 05:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-12 13:09 . 2008-01-12 13:09 <DIR> d---s---- C:\Documents and Settings\POO\UserData
2008-01-11 22:02 . 2008-01-11 22:02 <DIR> d-------- C:\Program Files\HPQ
2008-01-11 22:02 . 2006-04-18 13:23 47,104 --a------ C:\WINDOWS\system32\WACntlPnl.cpl
2008-01-11 21:25 . 2008-01-11 21:25 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Nokia Multimedia Player
2008-01-11 21:17 . 2008-01-11 21:21 <DIR> d-------- C:\Documents and Settings\POO\Phone Browser
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-01-11 21:15 . 2008-01-13 19:31 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-01-11 21:15 . 2008-01-13 18:16 <DIR> d-------- C:\Documents and Settings\POO\Application Data\PC Suite
2008-01-11 21:15 . 2008-01-13 16:49 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Nokia
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-11 21:14 . 2008-01-13 19:33 <DIR> d-------- C:\Program Files\Nokia
2008-01-11 21:14 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-11 21:13 . 2008-01-13 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-12-24 11:43 . 2007-12-24 11:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-24 09:48 . 2008-01-16 00:40 <DIR> d-------- C:\Nokia Software
2007-12-22 13:29 . 2007-12-22 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-21 15:48 . 2007-12-21 15:58 992,520 --a------ C:\WINDOWS\Condition Zero Uninstaller.exe
2007-12-21 08:21 . 2007-12-21 08:21 33,800 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 08:20 . 2007-12-21 08:20 30,216 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 08:19 . 2007-12-21 08:19 39,944 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-12-19 12:13 . 2007-12-19 12:13 <DIR> d-------- C:\Program Files\YouTube Downloader
2007-12-16 16:33 . 2007-12-16 16:33 <DIR> d-------- C:\Documents and Settings\POO\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 10:15 --------- d-----w C:\Program Files\ViStart
2008-01-16 09:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 14:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 13:15 --------- d-----w C:\Program Files\DIFX
2007-12-16 08:34 --------- d-----w C:\Program Files\AMD
2007-12-10 04:59 --------- d-----w C:\Program Files\Stardock
2007-12-10 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-03 06:27 --------- d-----w C:\Program Files\AVI MPEG ASF WMV Splitter
2007-12-03 04:30 --------- d-----w C:\Documents and Settings\POO\Application Data\Nero
2007-12-03 04:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-03 02:44 --------- d-----w C:\Documents and Settings\POO\Application Data\Ahead
2007-11-29 05:54 --------- d-----w C:\Documents and Settings\POO\Application Data\U3
2007-11-27 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-26 07:04 --------- d-----w C:\Program Files\Nero
2007-11-26 07:04 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-25 02:07 --------- d-----w C:\Documents and Settings\POO\Application Data\My Games
2007-11-25 02:05 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-23 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-23 00:18 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-11-23 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-23 00:14 --------- d-----w C:\Program Files\Foxit Reader
2007-11-19 13:47 --------- d-----w C:\Program Files\XAMPP 1.6.0a
2007-11-19 00:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2007-11-19 00:20 --------- d-----w C:\Documents and Settings\POO\Application Data\Leadertech
2007-11-19 00:16 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-19 00:10 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-18 13:57 --------- d-----w C:\Program Files\Keyword Cloud Generator
2007-11-18 13:41 --------- d-----w C:\Documents and Settings\POO\Application Data\Good Keywords v2
2007-11-18 13:40 --------- d-----w C:\Program Files\Softnik Technologies
2007-11-17 22:50 --------- d-----w C:\Documents and Settings\POO\Application Data\Media Player Classic
2007-11-17 16:38 --------- d-----w C:\Program Files\Microsoft Works
2007-11-17 16:29 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-17 16:28 --------- d-----w C:\Program Files\Macromedia
2007-11-17 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-17 16:26 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-17 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-17 16:07 --------- d-----w C:\Program Files\Vista Sidebar
2007-11-17 16:02 --------- d-----w C:\Documents and Settings\POO\Application Data\ViStart
2007-11-17 15:57 --------- d-----w C:\Program Files\ViOrb
2007-11-17 15:57 --------- d-----w C:\Program Files\Styler
2007-11-17 15:57 --------- d-----w C:\Program Files\LClock
2007-11-17 15:45 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-17 15:38 --------- d-----w C:\Program Files\WIDCOMM
2007-11-17 15:35 --------- d-----w C:\Program Files\Broadcom
2007-11-17 15:30 --------- d-----w C:\Program Files\NetWaiting
2007-11-17 15:30 --------- d-----w C:\Program Files\CONEXANT
2007-11-17 14:59 --------- d-----w C:\Program Files\CCleaner
2007-11-17 12:56 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-25 02:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-06-25 23:28 163840]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27 65536]
"Vista Sidebar"="C:\Program Files\Vista Sidebar\sidebar.exe" [2007-06-21 17:04 524288]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [2007-06-21 23:41 581632]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-14 19:02 7573504]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 11:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 14:58 458752]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Winlogon"= c:\windows\system32\V3-Force.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"disallowrun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= mwav.exe
"2"= cav-0.94.exe
"3"= portable.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 13:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0588b8d4-a64c-11dc-96b4-001a6b84f88d}]
\Shell\AutoRun\command - I:\g2p3s.exe
\Shell\explore\Command - I:\g2p3s.exe
\Shell\open\Command - I:\g2p3s.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0588b8d5-a64c-11dc-96b4-001a6b84f88d}]
\Shell\AutoRun\command - J:\g2p3s.exe
\Shell\explore\Command - J:\g2p3s.exe
\Shell\open\Command - J:\g2p3s.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{155faafe-a6b4-11dc-a45d-0016d3a7e17a}]
\Shell\AutoRun\command - G:\g2p3s.exe
\Shell\explore\Command - G:\g2p3s.exe
\Shell\open\Command - G:\g2p3s.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f1f2ae5-9c3f-11dc-99e5-806d6172696f}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3276e023-a90c-11dc-a462-001a6b84f88d}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{343eaa89-9bb0-11dc-a117-0016d3a7e17a}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36b6cc68-9634-11dc-ab44-0016d3a7e17a}]
\Shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5558fa80-a846-11dc-a460-0016d3a7e17a}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8596a609-9e0b-11dc-8594-806d6172696f}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8596a916-9e0b-11dc-8594-0016d3a7e17a}]
\Shell\AutoRun\command - H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8596a917-9e0b-11dc-8594-0016d3a7e17a}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a400d2cb-a390-11dc-8d0f-0016d3a7e17a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - Flash.10.Setup.exe
\Shell\Open\command - Flash.10.Setup.exe
\Shell\Scan for Viruses\command - Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5c480e3-9b06-11dc-8525-0016d3a7e17a}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf7abc8-c104-11dc-a4b2-0016d3a7e17a}]
\Shell\AutoRun\command - G:\g2p3s.exe
\Shell\explore\Command - G:\g2p3s.exe
\Shell\open\Command - G:\g2p3s.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8723f89-9cdd-11dc-8bee-0016d3a7e17a}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb19e5ba-bcb4-11dc-a4a2-0016d3a7e17a}]
\Shell\AutoRun\command - G:\g2p3s.exe
\Shell\explore\Command - G:\g2p3s.exe
\Shell\open\Command - G:\g2p3s.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f609fa7c-9c7b-11dc-a11a-0016d3a7e17a}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8f8d890-c415-11dc-a4be-001a6b84f88d}]
\Shell\Auto\command - G:\fucking.bat
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fucking.bat
\Shell\Option1\Command - G:\FuCkiNG.bat
\Shell\Option2\Command - G:\FuCkiNG.bat

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 21:48:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 21:48:34
ComboFix-quarantined-files.txt 2008-01-16 13:48:32
16.01.2008 20:20 - Post #4
True legend (Group: Moderators, Posts: 52487, Joined: 28.01.2006, From: Timisoara, Romania)
Download Avenger: http://swandog46.geekstogo.com/avenger.zip
Unpack and execute it, choose "input script manually", press the magnifier and input:

Files to delete:
C:\WINDOWS\system32\V3-Force.exe
C:\WINDOWS\system32\cipaplu.exe
C:\WINDOWS\system32\mycaption.reg
C:\WINDOWS\system32\butuhlu.bat
C:\WINDOWS\system32\forattrib.bat
C:\WINDOWS\system32\makedir.bat

Press done, then press the green lamp button and confirm the reboot. After the reboot delete the following registry key:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\
Afterwards send c:\avenger for analysis as well and post a fresh ComboFix log.

This post has been edited by Lucian Bara: 16.01.2008 20:22
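An added example, written for this page and not code from the thread, from ComboFix or from Kaspersky: a small Python triage script for the two ComboFix sections the moderators act on above, the "Files Created" list in post #3 and the "Reg Loading Points" section. It flags newly created system32 files carrying both hidden and system attributes, files written in the same minute as such a file (in the posted log all six files of the deletion list above were created at 2008-01-16 20:41), a Run value under the Explorer policies key, DisallowRun entries that block named executables, and mountpoints2 AutoRun/open/explore handlers (the key the moderator tells the user to delete). The sample lines are constructed after entries in the posted log; the heuristics, the three-files-per-minute threshold and the category names are my own assumptions, not ComboFix's.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix's log format, modelled on entries from the
# log posted in this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> drahs---- C:\WINDOWS\system32\setupNT
2008-01-16 20:41 . 2008-01-11 16:50 1,616,384 -rahs---- C:\WINDOWS\system32\V3-Force.exe
2008-01-16 20:41 . 2008-01-16 18:00 20,184 --ahs---- C:\WINDOWS\system32\cipaplu.exe
2008-01-16 20:41 . 2008-01-16 20:41 348 --ahs---- C:\WINDOWS\system32\butuhlu.bat
2008-01-16 20:41 . 2008-01-16 20:41 21 --a------ C:\WINDOWS\system32\makedir.bat
2008-01-14 00:13 . 2008-01-14 00:13 78,415 --a------ C:\WINDOWS\system32\drivers\klif.cab
2007-12-21 08:21 . 2007-12-21 08:21 33,800 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Winlogon"= c:\windows\system32\V3-Force.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= mwav.exe
"2"= cav-0.94.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0588b8d4-a64c-11dc-96b4-001a6b84f88d}]
\Shell\AutoRun\command - I:\g2p3s.exe
\Shell\open\Command - I:\g2p3s.exe
"""

# One "Files Created" entry: created-stamp . modified-stamp size|<DIR> attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{9}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.+)$')
# mountpoints2 shell handlers are printed as "\Shell\<verb>\command - <cmd>"
MP_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)


def parse_log(text):
    """Split a ComboFix log into file entries and (key, name, data) registry values."""
    files, reg, key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line) or MP_RE.match(line)
        if m and key:
            d = m.groupdict()
            reg.append((key, d.get("name") or d.get("verb"), d.get("data") or d.get("cmd")))
    return files, reg


def triage(text):
    """Return (category, detail) findings worth a second look."""
    files, reg = parse_log(text)
    findings = []

    # 1. New files under system32 carrying both hidden and system attributes.
    sys32 = [f for f in files
             if "\\system32\\" in f["path"].lower() and f["size"] != "<DIR>"]
    for f in sys32:
        if "h" in f["attrs"] and "s" in f["attrs"]:
            findings.append(("hidden_system_file", f["path"]))
    flagged = {detail for _, detail in findings}

    # 2. Files dropped in the same minute as a flagged one: a dropper writes its
    #    helpers together, so plain-attribute siblings are suspect too (the
    #    threshold of three files per minute is an assumption, not a ComboFix rule).
    by_minute = defaultdict(list)
    for f in sys32:
        by_minute[f["created"]].append(f["path"])
    for paths in by_minute.values():
        if len(paths) >= 3 and any(p in flagged for p in paths):
            findings.extend(("same_minute_sibling", p) for p in paths if p not in flagged)

    # 3. Registry: a Run value under the Explorer policies key (rare for legitimate
    #    software), DisallowRun entries, and per-volume AutoRun/open/explore handlers.
    for key, name, data in reg:
        if key.endswith("\\policies\\explorer\\run"):
            findings.append(("policy_run_autostart", f"{name} -> {data}"))
        elif key.endswith("\\policies\\explorer\\disallowrun"):
            findings.append(("disallowrun_block", data))
        elif "\\mountpoints2\\" in key:
            findings.append(("mountpoints2_handler", f"{name}: {data}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

Run as a script it prints one line per finding; on a real log, pass the file contents to triage() instead of SAMPLE_LOG. Everything it reports is a lead for a human to confirm, not a verdict: the blocked names under DisallowRun and the per-volume handlers are exactly the entries a reviewer reads by hand in the log above, and the file hits are the ones the moderators then submit for analysis.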
17.01.2008 02:03 - Post #5
Newbie (Group: Members, Posts: 8, Joined: 16.01.2008)
- The registry key was deleted.
- Avenger log:
QUOTE
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kdtdvear
*******************
Script file located at: nayh^bky
Could not open script file!
Error Could not open script file!
Status: 0xc000003b
Abort!
- Virus activity spotted: a yellow "51" icon in the systray. NOTE: I don't have any mirc32 installed on my laptop.
- ComboFix log:
QUOTE
ComboFix 08-01-16.4 - POO 2008-01-17 6:57:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1861 [GMT 8:00]
Running from: C:\Documents and Settings\POO\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
2008-01-16 21:54 . 2008-01-16 21:54 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-16 21:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> drahs---- C:\WINDOWS\system32\setupNT
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> d-------- C:\WINDOWS\system32\download
2008-01-16 20:41 . 2008-01-11 16:50 1,616,384 -rahs---- C:\WINDOWS\system32\V3-Force.exe
2008-01-16 20:41 . 2008-01-16 18:00 20,184 --ahs---- C:\WINDOWS\system32\cipaplu.exe
2008-01-16 20:41 . 2008-01-17 06:51 1,948 --ahs---- C:\WINDOWS\system32\mirc.ini
2008-01-16 20:41 . 2008-01-16 20:41 1,077 --a------ C:\WINDOWS\system32\mycaption.reg
2008-01-16 20:41 . 2008-01-16 20:41 348 --ahs---- C:\WINDOWS\system32\butuhlu.bat
2008-01-16 20:41 . 2008-01-16 20:41 165 --a------ C:\WINDOWS\system32\forattrib.bat
2008-01-16 20:41 . 2008-01-16 20:41 34 --a------ C:\WINDOWS\system32\remote.ini
2008-01-16 20:41 . 2008-01-16 20:41 21 --a------ C:\WINDOWS\system32\makedir.bat
2008-01-16 17:32 . 2008-01-16 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-15 12:41 . 2008-01-15 12:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-15 12:41 . 2008-01-15 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 12:40 . 2008-01-15 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 20:59 . 2008-01-14 20:59 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-01-14 20:59 . 2008-01-16 17:24 <DIR> d-------- C:\Downloads
2008-01-14 20:59 . 2008-01-16 17:27 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Orbit
2008-01-14 11:36 . 2008-01-15 19:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-14 00:13 . 2008-01-14 00:13 78,415 --a------ C:\WINDOWS\system32\drivers\klif.cab
2008-01-14 00:03 . 2008-01-14 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-13 19:34 . 2008-01-13 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-01-13 19:34 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-13 19:34 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-01-13 19:34 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-13 19:33 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-13 19:33 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-13 19:26 . 2006-08-29 22:56 32,377 --a------ C:\WINDOWS\system32\drivers\prodigy.sys
2008-01-13 19:25 . 2008-01-13 19:26 <DIR> d-------- C:\Program Files\NSS
2008-01-13 13:00 . 2008-01-14 11:19 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-13 05:47 . 2008-01-13 05:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-12 13:09 . 2008-01-12 13:09 <DIR> d---s---- C:\Documents and Settings\POO\UserData
2008-01-11 22:02 . 2008-01-11 22:02 <DIR> d-------- C:\Program Files\HPQ
2008-01-11 22:02 . 2006-04-18 13:23 47,104 --a------ C:\WINDOWS\system32\WACntlPnl.cpl
2008-01-11 21:25 . 2008-01-11 21:25 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Nokia Multimedia Player
2008-01-11 21:17 . 2008-01-11 21:21 <DIR> d-------- C:\Documents and Settings\POO\Phone Browser
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-01-11 21:15 . 2008-01-13 19:31 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-01-11 21:15 . 2008-01-13 18:16 <DIR> d-------- C:\Documents and Settings\POO\Application Data\PC Suite
2008-01-11 21:15 . 2008-01-13 16:49 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Nokia
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-11 21:14 . 2008-01-13 19:33 <DIR> d-------- C:\Program Files\Nokia
2008-01-11 21:14 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-11 21:13 . 2008-01-13 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-12-24 11:43 . 2007-12-24 11:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-24 09:48 . 2008-01-16 00:40 <DIR> d-------- C:\Nokia Software
2007-12-22 13:29 . 2007-12-22 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-21 15:48 . 2007-12-21 15:58 992,520 --a------ C:\WINDOWS\Condition Zero Uninstaller.exe
2007-12-21 08:21 . 2007-12-21 08:21 33,800 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 08:20 . 2007-12-21 08:20 30,216 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 08:19 . 2007-12-21 08:19 39,944 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-12-19 12:13 . 2007-12-19 12:13 <DIR> d-------- C:\Program Files\YouTube Downloader
2007-12-16 16:33 . 2007-12-16 16:33 <DIR> d-------- C:\Documents and Settings\POO\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 22:50 --------- d-----w C:\Program Files\ViStart
2008-01-16 22:49 442 ----a-w C:\Program Files\xbmeigad.txt
2008-01-16 09:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 14:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 13:15 --------- d-----w C:\Program Files\DIFX
2007-12-16 08:34 --------- d-----w C:\Program Files\AMD
2007-12-10 04:59 --------- d-----w C:\Program Files\Stardock
2007-12-10 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-03 06:27 --------- d-----w C:\Program Files\AVI MPEG ASF WMV Splitter
2007-12-03 04:30 --------- d-----w C:\Documents and Settings\POO\Application Data\Nero
2007-12-03 04:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-03 02:44 --------- d-----w C:\Documents and Settings\POO\Application Data\Ahead
2007-11-29 05:54 --------- d-----w C:\Documents and Settings\POO\Application Data\U3
2007-11-27 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-26 07:04 --------- d-----w C:\Program Files\Nero
2007-11-26 07:04 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-25 02:07 --------- d-----w C:\Documents and Settings\POO\Application Data\My Games
2007-11-25 02:05 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-23 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-23 00:18 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-11-23 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-23 00:14 --------- d-----w C:\Program Files\Foxit Reader
2007-11-19 13:47 --------- d-----w C:\Program Files\XAMPP 1.6.0a
2007-11-19 00:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2007-11-19 00:20 --------- d-----w C:\Documents and Settings\POO\Application Data\Leadertech
2007-11-19 00:16 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-19 00:10 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-18 13:57 --------- d-----w C:\Program Files\Keyword Cloud Generator
2007-11-18 13:41 --------- d-----w C:\Documents and Settings\POO\Application Data\Good Keywords v2
2007-11-18 13:40 --------- d-----w C:\Program Files\Softnik Technologies
2007-11-17 22:50 --------- d-----w C:\Documents and Settings\POO\Application Data\Media Player Classic
2007-11-17 16:38 --------- d-----w C:\Program Files\Microsoft Works
2007-11-17 16:29 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-17 16:28 --------- d-----w C:\Program Files\Macromedia
2007-11-17 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-17 16:26 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-17 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-17 16:07 --------- d-----w C:\Program Files\Vista Sidebar
2007-11-17 16:02 --------- d-----w C:\Documents and Settings\POO\Application Data\ViStart
2007-11-17 15:57 --------- d-----w C:\Program Files\ViOrb
2007-11-17 15:57 --------- d-----w C:\Program Files\Styler
2007-11-17 15:57 --------- d-----w C:\Program Files\LClock
2007-11-17 15:45 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-17 15:38 --------- d-----w C:\Program Files\WIDCOMM
2007-11-17 15:35 --------- d-----w C:\Program Files\Broadcom
2007-11-17 15:30 --------- d-----w C:\Program Files\NetWaiting
2007-11-17 15:30 --------- d-----w C:\Program Files\CONEXANT
2007-11-17 14:59 --------- d-----w C:\Program Files\CCleaner
2007-11-17 12:56 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-25 02:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((( snapshot@2008-01-16_21.48.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-16 22:50:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-06-25 23:28 163840]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27 65536]
"Vista Sidebar"="C:\Program Files\Vista Sidebar\sidebar.exe" [2007-06-21 17:04 524288]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [2007-06-21 23:41 581632]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-14 19:02 7573504]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 11:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 14:58 458752]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Winlogon"= c:\windows\system32\V3-Force.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"disallowrun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= mwav.exe
"2"= cav-0.94.exe
"3"= portable.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 13:49]
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 06:59:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\Program Files\ViStart\MainHook.Dll
-> C:\Program Files\LClock\LC.dll
.
Completion time: 2008-01-17 7:00:00
ComboFix-quarantined-files.txt 2008-01-16 22:59:57
ComboFix2.txt 2008-01-16 13:48:35
17.01.2008 02:11 - Post #6
Wrestling Champion (Group: Moderators, Posts: 8026, Joined: 9.03.2007, From: London)
It didn't carry out the script. Input it again, this time making sure it is done exactly as printed.
Make sure Avenger is not being run from a temp file, but from the desktop or a folder. That system tray icon suggests your computer is being remotely controlled or is part of a botnet. The script looks like this for Avenger; copy and paste it exactly into the Avenger window. Once it is done and rebooted, have a look at the logfile and post the contents once more.
CODE
Files to delete:
C:\WINDOWS\system32\V3-Force.exe
C:\WINDOWS\system32\cipaplu.exe
C:\WINDOWS\system32\mycaption.reg
C:\WINDOWS\system32\butuhlu.bat
C:\WINDOWS\system32\forattrib.bat
C:\WINDOWS\system32\makedir.bat

Kind Regards,
Baz (Volunteer Moderator aka I don't work for Kaspersky ;))
17.01.2008 05:23, Post #7
Newbie (Group: Members, Posts: 8, Joined: 16.01.2008)
I think it succeeded this time.

QUOTE
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fntndjxa

*******************

Script file located at: \??\C:\WINDOWS\sribeaif.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\V3-Force.exe deleted successfully.
File C:\WINDOWS\system32\cipaplu.exe deleted successfully.
File C:\WINDOWS\system32\mycaption.reg deleted successfully.
File C:\WINDOWS\system32\butuhlu.bat deleted successfully.
File C:\WINDOWS\system32\forattrib.bat deleted successfully.
File C:\WINDOWS\system32\makedir.bat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

combofix

QUOTE
ComboFix 08-01-16.4 - POO 2008-01-17 10:16:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1870 [GMT 8:00]
Running from: C:\Documents and Settings\POO\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.
2008-01-16 21:54 . 2008-01-16 21:54 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-16 21:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> drahs---- C:\WINDOWS\system32\setupNT
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> d-------- C:\WINDOWS\system32\download
2008-01-16 20:41 . 2008-01-17 10:09 1,948 --ahs---- C:\WINDOWS\system32\mirc.ini
2008-01-16 20:41 . 2008-01-16 20:41 34 --a------ C:\WINDOWS\system32\remote.ini
2008-01-16 17:32 . 2008-01-16 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-15 12:41 . 2008-01-15 12:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-15 12:41 . 2008-01-15 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 12:40 . 2008-01-15 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 20:59 . 2008-01-14 20:59 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-01-14 20:59 . 2008-01-16 17:24 <DIR> d-------- C:\Downloads
2008-01-14 20:59 . 2008-01-16 17:27 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Orbit
2008-01-14 11:36 . 2008-01-15 19:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-14 00:13 . 2008-01-14 00:13 78,415 --a------ C:\WINDOWS\system32\drivers\klif.cab
2008-01-14 00:03 . 2008-01-14 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-13 19:34 . 2008-01-13 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-01-13 19:34 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-13 19:34 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-01-13 19:34 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-13 19:33 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-13 19:33 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-13 19:26 . 2006-08-29 22:56 32,377 --a------ C:\WINDOWS\system32\drivers\prodigy.sys
2008-01-13 19:25 . 2008-01-13 19:26 <DIR> d-------- C:\Program Files\NSS
2008-01-13 13:00 . 2008-01-14 11:19 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-13 05:47 . 2008-01-13 05:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-12 13:09 . 2008-01-12 13:09 <DIR> d---s---- C:\Documents and Settings\POO\UserData
2008-01-11 22:02 . 2008-01-11 22:02 <DIR> d-------- C:\Program Files\HPQ
2008-01-11 22:02 . 2006-04-18 13:23 47,104 --a------ C:\WINDOWS\system32\WACntlPnl.cpl
2008-01-11 21:25 . 2008-01-11 21:25 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Nokia Multimedia Player
2008-01-11 21:17 . 2008-01-11 21:21 <DIR> d-------- C:\Documents and Settings\POO\Phone Browser
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-01-11 21:15 . 2008-01-13 19:31 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-01-11 21:15 . 2008-01-13 18:16 <DIR> d-------- C:\Documents and Settings\POO\Application Data\PC Suite
2008-01-11 21:15 . 2008-01-13 16:49 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Nokia
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-11 21:14 . 2008-01-13 19:33 <DIR> d-------- C:\Program Files\Nokia
2008-01-11 21:14 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-11 21:13 . 2008-01-13 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-12-24 11:43 . 2007-12-24 11:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-24 09:48 . 2008-01-16 00:40 <DIR> d-------- C:\Nokia Software
2007-12-22 13:29 . 2007-12-22 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-21 15:48 . 2007-12-21 15:58 992,520 --a------ C:\WINDOWS\Condition Zero Uninstaller.exe
2007-12-21 08:21 . 2007-12-21 08:21 33,800 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 08:20 . 2007-12-21 08:20 30,216 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 08:19 . 2007-12-21 08:19 39,944 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-12-19 12:13 . 2007-12-19 12:13 <DIR> d-------- C:\Program Files\YouTube Downloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 02:13 --------- d-----w C:\Program Files\ViStart
2008-01-16 22:49 442 ----a-w C:\Program Files\xbmeigad.txt
2008-01-16 09:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 14:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 13:15 --------- d-----w C:\Program Files\DIFX
2007-12-16 08:34 --------- d-----w C:\Program Files\AMD
2007-12-16 08:33 --------- d-----w C:\Documents and Settings\POO\Application Data\InstallShield
2007-12-10 04:59 --------- d-----w C:\Program Files\Stardock
2007-12-10 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-03 06:27 --------- d-----w C:\Program Files\AVI MPEG ASF WMV Splitter
2007-12-03 04:30 --------- d-----w C:\Documents and Settings\POO\Application Data\Nero
2007-12-03 04:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-03 02:44 --------- d-----w C:\Documents and Settings\POO\Application Data\Ahead
2007-11-29 05:54 --------- d-----w C:\Documents and Settings\POO\Application Data\U3
2007-11-27 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-26 07:04 --------- d-----w C:\Program Files\Nero
2007-11-26 07:04 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-25 02:07 --------- d-----w C:\Documents and Settings\POO\Application Data\My Games
2007-11-25 02:05 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-23 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-23 00:18 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-11-23 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-23 00:14 --------- d-----w C:\Program Files\Foxit Reader
2007-11-19 13:47 --------- d-----w C:\Program Files\XAMPP 1.6.0a
2007-11-19 00:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2007-11-19 00:20 --------- d-----w C:\Documents and Settings\POO\Application Data\Leadertech
2007-11-19 00:16 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-19 00:10 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-18 13:57 --------- d-----w C:\Program Files\Keyword Cloud Generator
2007-11-18 13:41 --------- d-----w C:\Documents and Settings\POO\Application Data\Good Keywords v2
2007-11-18 13:40 --------- d-----w C:\Program Files\Softnik Technologies
2007-11-17 22:50 --------- d-----w C:\Documents and Settings\POO\Application Data\Media Player Classic
2007-11-17 16:38 --------- d-----w C:\Program Files\Microsoft Works
2007-11-17 16:29 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-17 16:28 --------- d-----w C:\Program Files\Macromedia
2007-11-17 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-17 16:26 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-17 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-17 16:07 --------- d-----w C:\Program Files\Vista Sidebar
2007-11-17 16:02 --------- d-----w C:\Documents and Settings\POO\Application Data\ViStart
2007-11-17 15:57 --------- d-----w C:\Program Files\ViOrb
2007-11-17 15:57 --------- d-----w C:\Program Files\Styler
2007-11-17 15:57 --------- d-----w C:\Program Files\LClock
2007-11-17 15:45 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-17 15:38 --------- d-----w C:\Program Files\WIDCOMM
2007-11-17 15:35 --------- d-----w C:\Program Files\Broadcom
2007-11-17 15:30 --------- d-----w C:\Program Files\NetWaiting
2007-11-17 15:30 --------- d-----w C:\Program Files\CONEXANT
2007-11-17 14:59 --------- d-----w C:\Program Files\CCleaner
2007-11-17 12:56 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-25 02:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((( snapshot@2008-01-16_21.48.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-17 02:14:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-06-25 23:28 163840]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27 65536]
"Vista Sidebar"="C:\Program Files\Vista Sidebar\sidebar.exe" [2007-06-21 17:04 524288]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [2007-06-21 23:41 581632]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-14 19:02 7573504]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 11:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 14:58 458752]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Winlogon"= c:\windows\system32\V3-Force.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"disallowrun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= mwav.exe
"2"= cav-0.94.exe
"3"= portable.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 13:49]
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 10:18:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\Program Files\ViStart\MainHook.Dll
-> C:\Program Files\LClock\LC.dll
.
Completion time: 2008-01-17 10:18:54
ComboFix-quarantined-files.txt 2008-01-17 02:18:52
ComboFix2.txt 2008-01-16 23:00:01
ComboFix3.txt 2008-01-16 13:48:35

I think the bold ones are the virus files/reg.
17.01.2008 07:30, Post #8
Newbie (Group: Members, Posts: 8, Joined: 16.01.2008)
And one more: how do I fix the infected thumbdrive? My laptop was infected from my home PC via thumbdrive.
17.01.2008 11:40, Post #9
True legend (Group: Moderators, Posts: 52487, Joined: 28.01.2006, From: Timisoara, Romania)
Those .ini files are harmless by themselves; they are not the main cause. If you want you can delete them, but they are leftovers.
The registry things aren't solved just because you deleted the files; you need to solve them too. Download this, unpack, execute and press yes. That should take care of them. To solve your thumbdrive problem you need to open it with right click > Open and delete the executable and autorun.inf that don't belong there.

Attachment: clean1.zip (233 bytes)

You can disable autorun on flash drives with TweakUI.
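The ComboFix log posted above and Lucian's point that the registry entries survive the file deletion both come down to the same three findings, so here is one added example (not code from the thread, ComboFix or Avenger) that triages such a log: it flags system32 objects created with the hidden+system attributes, any value under the policies\explorer\run key, and a DisallowRun list that blocks named tools. The embedded excerpt is copied from the logs in this thread; the flagging rules, function names and the `Triage` record are this example's own assumptions.

```python
"""Triage a ComboFix log for the persistence points seen in this thread.
Added example, not code from the thread, ComboFix or Avenger; the line formats
are those of the logs posted above, the flagging rules are this example's own."""
import re
from dataclasses import dataclass, field

# A "Files Created" entry: <created> . <modified> <size or <DIR>> <attrs> <path>
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed excerpt: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
ComboFix 08-01-16.4 - POO 2008-01-16 21:46:43.1 - NTFSx86
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
2008-01-16 21:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> drahs---- C:\WINDOWS\system32\setupNT
2008-01-16 20:41 . 2008-01-16 20:41 <DIR> d-------- C:\WINDOWS\system32\download
2008-01-16 20:41 . 2008-01-11 16:50 1,616,384 -rahs---- C:\WINDOWS\system32\V3-Force.exe
2008-01-16 20:41 . 2008-01-16 18:00 20,184 --ahs---- C:\WINDOWS\system32\cipaplu.exe
2008-01-16 20:41 . 2008-01-16 20:43 1,948 --ahs---- C:\WINDOWS\system32\mirc.ini
2008-01-16 20:41 . 2008-01-16 20:41 1,077 --a------ C:\WINDOWS\system32\mycaption.reg
2008-01-16 20:41 . 2008-01-16 20:41 348 --ahs---- C:\WINDOWS\system32\butuhlu.bat
2008-01-12 13:09 . 2008-01-12 13:09 <DIR> d---s---- C:\Documents and Settings\POO\UserData
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Winlogon"= c:\windows\system32\V3-Force.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"disallowrun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= mwav.exe
"2"= cav-0.94.exe
"3"= portable.exe
"""


@dataclass
class Triage:
    hidden_system_files: list = field(default_factory=list)  # (path, attrs)
    policy_run: list = field(default_factory=list)           # (key, name, command)
    disallow_run_enabled: bool = False
    blocked_executables: list = field(default_factory=list)


def _clean(data: str) -> str:
    """Drop ComboFix's trailing "[date size]" annotation and surrounding quotes."""
    return re.sub(r"\s*\[[^\]]*\]\s*$", "", data.strip()).strip().strip('"')


def triage(log_text: str) -> Triage:
    result, key = Triage(), ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := FILE_LINE.match(line):
            attrs, path = m["attrs"], m["path"]
            # hidden + system inside system32 is how V3-Force.exe and its helpers hid
            if "h" in attrs and "s" in attrs and path.lower().startswith(SYSTEM32):
                result.hidden_system_files.append((path, attrs))
        elif m := REG_KEY.match(line):
            key = m["key"]
        elif m := REG_VALUE.match(line):
            name, data, low = m["name"], _clean(m["data"]), key.lower()
            if low.endswith(r"\policies\explorer\run"):
                # policy Run key: started by Explorer at logon, rarely listed by tools
                result.policy_run.append((key, name, data))
            elif low.endswith(r"\policies\explorer") and name.lower() == "disallowrun":
                result.disallow_run_enabled = data.startswith("1")
            elif low.endswith(r"\policies\explorer\disallowrun"):
                result.blocked_executables.append(data)  # tools the policy blocks
    return result


def report(t: Triage) -> list:
    """Human-readable findings, one string per item."""
    lines = [f"hidden+system object in system32: {p} ({a})" for p, a in t.hidden_system_files]
    lines += [f"policy autorun [{k}] {n} -> {c}" for k, n, c in t.policy_run]
    if t.disallow_run_enabled:
        lines.append("DisallowRun is on; blocked: " + ", ".join(t.blocked_executables))
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run against the excerpt it reports the five hidden+system objects, the Winlogon policy autorun pointing at V3-Force.exe, and the three blocked scanner executables; the DisallowRun finding is the one that still shows in the last log of this thread after the files were deleted.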
17.01.2008 12:15, Post #10
Newbie (Group: Members, Posts: 8, Joined: 16.01.2008)
Just ran clean1.reg and CCleaner.
Also deleted 4 files and folders in system32: setupNT, download, mirc.ini and remote.ini. Please have a look at my latest ComboFix log to see whether there are still any unwanted files or infections.

QUOTE
ComboFix 08-01-16.4 - POO 2008-01-17 17:10:41.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1786 [GMT 8:00]
Running from: C:\Documents and Settings\POO\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.
2008-01-16 21:54 . 2008-01-16 21:54 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-16 21:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 17:32 . 2008-01-16 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-15 12:41 . 2008-01-15 12:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-15 12:41 . 2008-01-15 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 12:40 . 2008-01-15 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 20:59 . 2008-01-14 20:59 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-01-14 20:59 . 2008-01-17 14:37 <DIR> d-------- C:\Downloads
2008-01-14 20:59 . 2008-01-17 16:55 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Orbit
2008-01-14 11:36 . 2008-01-15 19:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-14 00:13 . 2008-01-14 00:13 78,415 --a------ C:\WINDOWS\system32\drivers\klif.cab
2008-01-14 00:03 . 2008-01-14 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-13 19:34 . 2008-01-13 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-01-13 19:34 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-13 19:34 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-01-13 19:34 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-13 19:33 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-13 19:33 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-13 19:26 . 2006-08-29 22:56 32,377 --a------ C:\WINDOWS\system32\drivers\prodigy.sys
2008-01-13 19:25 . 2008-01-13 19:26 <DIR> d-------- C:\Program Files\NSS
2008-01-13 13:00 . 2008-01-14 11:19 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-13 05:47 . 2008-01-13 05:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-12 13:09 . 2008-01-12 13:09 <DIR> d---s---- C:\Documents and Settings\POO\UserData
2008-01-11 22:02 . 2008-01-11 22:02 <DIR> d-------- C:\Program Files\HPQ
2008-01-11 22:02 . 2006-04-18 13:23 47,104 --a------ C:\WINDOWS\system32\WACntlPnl.cpl
2008-01-11 21:25 . 2008-01-11 21:25 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Nokia Multimedia Player
2008-01-11 21:17 . 2008-01-11 21:21 <DIR> d-------- C:\Documents and Settings\POO\Phone Browser
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-01-11 21:15 . 2008-01-13 19:31 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-01-11 21:15 . 2008-01-13 18:16 <DIR> d-------- C:\Documents and Settings\POO\Application Data\PC Suite
2008-01-11 21:15 . 2008-01-13 16:49 <DIR> d-------- C:\Documents and Settings\POO\Application Data\Nokia
2008-01-11 21:15 . 2008-01-11 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-11 21:14 . 2008-01-13 19:33 <DIR> d-------- C:\Program Files\Nokia
2008-01-11 21:14 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-11 21:13 . 2008-01-13 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-12-24 11:43 . 2007-12-24 11:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-24 09:48 . 2008-01-16 00:40 <DIR> d-------- C:\Nokia Software
2007-12-22 13:29 . 2007-12-22 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-21 15:48 . 2007-12-21 15:58 992,520 --a------ C:\WINDOWS\Condition Zero Uninstaller.exe
2007-12-21 08:21 . 2007-12-21 08:21 33,800 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 08:20 . 2007-12-21 08:20 30,216 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 08:19 . 2007-12-21 08:19 39,944 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-12-19 12:13 . 2007-12-19 12:13 <DIR> d-------- C:\Program Files\YouTube Downloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 02:13 --------- d-----w C:\Program Files\ViStart
2008-01-16 22:49 442 ----a-w C:\Program Files\xbmeigad.txt
2008-01-16 09:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 14:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 13:15 --------- d-----w C:\Program Files\DIFX
2007-12-16 08:34 --------- d-----w C:\Program Files\AMD
2007-12-16 08:33 --------- d-----w C:\Documents and Settings\POO\Application Data\InstallShield
2007-12-10 04:59 --------- d-----w C:\Program Files\Stardock
2007-12-10 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-03 06:27 --------- d-----w C:\Program Files\AVI MPEG ASF WMV Splitter
2007-12-03 04:30 --------- d-----w C:\Documents and Settings\POO\Application Data\Nero
2007-12-03 04:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-03 02:44 --------- d-----w C:\Documents and Settings\POO\Application Data\Ahead
2007-11-29 05:54 --------- d-----w C:\Documents and Settings\POO\Application Data\U3
2007-11-27 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-26 07:04 --------- d-----w C:\Program Files\Nero
2007-11-26 07:04 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-25 02:07 --------- d-----w C:\Documents and Settings\POO\Application Data\My Games
2007-11-25 02:05 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-23 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-23 00:18 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-11-23 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-23 00:14 --------- d-----w C:\Program Files\Foxit Reader
2007-11-19 13:47 --------- d-----w C:\Program Files\XAMPP 1.6.0a
2007-11-19 00:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2007-11-19 00:20 --------- d-----w C:\Documents and Settings\POO\Application Data\Leadertech
2007-11-19 00:16 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-19 00:10 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-18 13:57 --------- d-----w C:\Program Files\Keyword Cloud Generator
2007-11-18 13:41 --------- d-----w C:\Documents and Settings\POO\Application Data\Good Keywords v2
2007-11-18 13:40 --------- d-----w C:\Program Files\Softnik Technologies
2007-11-17 22:50 --------- d-----w C:\Documents and Settings\POO\Application Data\Media Player Classic
2007-11-17 16:38 --------- d-----w C:\Program Files\Microsoft Works
2007-11-17 16:29 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-17 16:28 --------- d-----w C:\Program Files\Macromedia
2007-11-17 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-17 16:26 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-17 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-17 16:07 --------- d-----w C:\Program Files\Vista Sidebar
2007-11-17 16:02 --------- d-----w C:\Documents and Settings\POO\Application Data\ViStart
2007-11-17 15:57 --------- d-----w C:\Program Files\ViOrb
2007-11-17 15:57 --------- d-----w C:\Program Files\Styler
2007-11-17 15:57 --------- d-----w C:\Program Files\LClock
2007-11-17 15:45 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-17 15:38 --------- d-----w C:\Program Files\WIDCOMM
2007-11-17 15:35 --------- d-----w C:\Program Files\Broadcom
2007-11-17 15:30 --------- d-----w C:\Program Files\NetWaiting
2007-11-17 15:30 --------- d-----w C:\Program Files\CONEXANT
2007-11-17 14:59 --------- d-----w C:\Program Files\CCleaner
2007-11-17 12:56 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-25 02:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((( snapshot@2008-01-16_21.48.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-17 02:14:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-06-25 23:28 163840]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27 65536]
"Vista Sidebar"="C:\Program Files\Vista Sidebar\sidebar.exe" [2007-06-21 17:04 524288]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [2007-06-21 23:41 581632]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-14 19:02 7573504]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 11:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 14:58 458752]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"disallowrun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= mwav.exe
"2"= cav-0.94.exe
"3"= portable.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 13:49]
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 17:11:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\Program Files\ViStart\MainHook.Dll
-> C:\Program Files\LClock\LC.dll
.
Completion time: 2008-01-17 17:11:31
ComboFix-quarantined-files.txt 2008-01-17 09:11:29
ComboFix2.txt 2008-01-17 09:03:45
ComboFix3.txt 2008-01-17 08:58:35
ComboFix4.txt 2008-01-17 02:18:55
ComboFix5.txt 2008-01-16 23:00:01
17.01.2008 12:44, Post #11
Newbie (Group: Members, Posts: 8, Joined: 16.01.2008)
Hi Lucian. About another infected PC: I tried to run the same method, but while executing ComboFix.exe a popup message appeared:
"The registry32 file is missing. Please copy from another machine."
I tried to copy it from my laptop, but when I pasted the file there, a popup asked me to replace the original one. I made a backup of the original file and pasted the copied version there, but the problem still happened; ComboFix.exe can't be executed.
17.01.2008 13:16, Post #12
True legend (Group: Moderators, Posts: 52487, Joined: 28.01.2006, From: Timisoara, Romania)
Place the XP CD in your drive, open Start > Run and type in sfc /scannow. Wait for it to finish and reboot your PC. Does ComboFix work then?
17.01.2008 13:26, Post #13
Newbie (Group: Members, Posts: 8, Joined: 16.01.2008)
OMG, I can't do that since I have no XP CD with me, and I'm going back to the place where I work tonight.
12.02.2008 21:20, Post #14
Newbie (Group: Members, Posts: 1, Joined: 12.02.2008)
Hello 'Lucian Bara',
I need your help please. I'm also affected with this virus and I've followed your instructions to remove the virus already. The problem is how to restore all the icons at the notification area or system tray? I mean those icons with the time, date, connectivity, Windows Live Messenger, volume. Thanks for the help.
5.03.2008 03:40, Post #15
Newbie (Group: Members, Posts: 2, Joined: 5.03.2008)
Lucian Bara, can you help me please??
I downloaded your Avenger and ran it successfully... it deleted all the copied files... but I still cannot open my Task Manager. It says ''This operation has been cancelled due to restriction in effect of this computer. Please contact your system administrator''. How can I fix this?? Help me please.. Thank you,
5.03.2008 05:22, Post #16
Newbie (Group: Members, Posts: 2, Joined: 5.03.2008)
WOWOW
The virus HAS BEEN DELETED! OK la... I'll help you people out there:
1st step: Go and run your SYSTEM RESTORE; restore your computer to a point where you can still use your Task Manager and stuff.
2nd step: Download the file that LUCIAN posted.
3rd step: Follow LUCIAN's steps, then it works already lor.
P/S: if it's a bit confusing or maybe I've got bad English, I dunno... add me on MSN: dead_skunk94@hotmail.com