Hi,
My system has been attacked by a virus and it is showing a "virus alert" in the system tray. When I went through the net I found this "combofix.exe". I downloaded and installed it. It gave me a log file, which I have pasted below. Please tell me what to do next to get rid of this virus alert in the system tray.
ComboFix 08-05-28.4 - Administrator 2008-05-29 18:46:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.468 [GMT 4:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free
C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Administrator\Desktop\Error Cleaner.url
C:\Documents and Settings\Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\Administrator\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\drivecleaner free\dcsm.exe
C:\WINDOWS\atfxqogp.dll
C:\WINDOWS\boqnrwdmkrs.dll
C:\WINDOWS\system32\aqwkcnql.ini
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\DMVFPqru.ini
C:\WINDOWS\system32\DMVFPqru.ini2
C:\WINDOWS\system32\lqnckwqa.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pvvmaknt.dll
C:\WINDOWS\system32\tnkamvvp.ini
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\vregfwlx.dll
C:\WINDOWS\xmpstean.exe
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.
2008-05-29 17:44 . 2008-05-29 17:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-05-29 17:01 . 2008-05-29 17:47 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-28 21:25 . 2008-05-28 22:09 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-28 21:25 . 2008-05-28 22:09 88,262 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-28 21:22 . 2008-05-28 21:22 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-28 21:22 . 2008-05-29 16:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-28 21:22 . 2008-05-29 17:28 249,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-28 21:22 . 2008-05-29 17:28 6,500 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-28 21:21 . 2008-05-29 17:28 8,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-28 21:21 . 2008-05-29 17:28 1,868 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-28 21:16 . 2008-05-28 21:16 323,328 --a------ C:\WINDOWS\system32\urqPFVMD.dll
2008-05-28 21:11 . 2008-05-28 21:11 32,384 --a------ C:\WINDOWS\system32\rQHAPjkJ.dll
2008-05-28 21:10 . 2008-05-26 17:23 159,744 --a------ C:\WINDOWS\edma.exe
2008-05-28 20:50 . 2008-05-28 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-28 20:42 . 2008-05-28 20:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Voipwise
2008-05-28 19:02 . 2008-05-28 19:02 <DIR> d-------- C:\Program Files\Voipwise.com
2008-05-23 15:45 . 2008-05-23 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-05-20 19:39 . 2008-05-20 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-05-20 19:39 . 2008-05-20 19:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-05-20 19:38 . 2008-05-20 19:38 <DIR> d-------- C:\Program Files\TVUPlayer
2008-05-20 19:38 . 2008-05-20 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\LocalLow
2008-05-20 10:36 . 2008-05-20 10:36 52,736 --a------ C:\madhus resume.doc
2008-05-20 10:09 . 2008-05-20 10:09 52,736 --a------ C:\latest cv 04may08 madhu1.doc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 14:49 --------- d-----w C:\Program Files\FlashGet
2008-05-29 13:46 --------- d-----w C:\Program Files\3wPlayer
2008-05-29 13:43 --------- d-----w C:\Program Files\Symantec
2008-05-29 13:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-05-28 17:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-18 15:05 --------- d-----w C:\Program Files\SopCast
2008-05-09 07:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-27 15:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MegauploadToolbar
2008-04-21 16:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-20 18:39 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-19 17:31 --------- d-----w C:\Program Files\Azureus
2008-04-06 17:38 --------- d-----w C:\Program Files\Western Digital Technologies
2008-04-01 17:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\JustVoip
2008-03-29 10:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-03-29 05:49 --------- d-----w C:\Program Files\MegauploadToolbar
2008-03-23 14:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12E1AB8C-B992-4754-B0E2-2CEF956FA07C}]
2008-05-28 21:16 323328 --a------ C:\WINDOWS\system32\urqPFVMD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9}]
2008-05-28 21:11 32384 --a------ C:\WINDOWS\system32\rQHAPjkJ.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C48F0939-992C-45C8-A9C2-B97A22D9B4BD}"= "C:\WINDOWS\atfxqogp.dll" [ ]
[HKEY_CLASSES_ROOT\clsid\{c48f0939-992c-45c8-a9c2-b97a22d9b4bd}]
[HKEY_CLASSES_ROOT\atfxqogp.1]
[HKEY_CLASSES_ROOT\TypeLib\{146DFDF9-CFC8-46AA-9706-250AFF6AB9B3}]
[HKEY_CLASSES_ROOT\atfxqogp]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 15:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-14 17:17 185896]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9}"= C:\WINDOWS\system32\rQHAPjkJ.dll [2008-05-28 21:11 32384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rQHAPjkJ]
rQHAPjkJ.dll 2008-05-28 21:11 32384 C:\WINDOWS\system32\rQHAPjkJ.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Rediff Bol 7.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Rediff Bol 7.0.lnk
backup=C:\WINDOWS\pss\Rediff Bol 7.0.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3wPlayer Service]
C:\Program Files\3wPlayer\wakeservice.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
C:\Program Files\BearFlix\bearflix.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
--a------ 2007-01-14 20:26 5417472 C:\Program Files\BearShare Pro\Bearshare.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
--a------ 2005-12-06 13:08 20480 C:\WINDOWS\CameraFixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dcsm]
C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 01:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JustVoip]
--a------ 2008-02-25 19:38 8770864 C:\Program Files\JustVoip.com\JustVoip\JustVoip.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-08-03 15:09 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 16:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-14 17:17 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
e:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Tally\\tally72.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"E:\\Windows.old\\Program Files\\Rediff Bol\\RediffMessenger.exe"=
"C:\\Program Files\\BearShare Pro\\Bearshare.exe"=
"C:\\Program Files\\Zapu\\Zapu\\wDivi.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Rediff Bol\\RediffMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\peerme\\SoftPhone\\SoftPhone.exe"=
"C:\\Program Files\\JustVoip.com\\JustVoip\\JustVoip.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\WebEye\\WebEye.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9595:TCP"= 9595:TCP:BitComet 9595 TCP
"9595:UDP"= 9595:UDP:BitComet 9595 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
S2 P1100B_CT_CDI;Creative PD1100B HAL Service;C:\WINDOWS\system32\DRIVERS\P1100bCd.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ntphyy.com
\Shell\explore\Command - G:\ntphyy.com
\Shell\open\Command - G:\ntphyy.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\WD_Windows_Tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{178a0a78-f027-11db-bee1-0050fcc9366e}]
\Shell\AutoRun\command - G:\ntphyy.com
\Shell\explore\Command - G:\ntphyy.com
\Shell\open\Command - G:\ntphyy.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a030bf7-dac1-11dc-bf97-0050fcc9366e}]
\Shell\AutoRun\command - G:\ntphyy.com
\Shell\explore\Command - G:\ntphyy.com
\Shell\open\Command - G:\ntphyy.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{482ff741-302f-11dc-befb-0050fcc9366e}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{482ff742-302f-11dc-befb-0050fcc9366e}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{687fc9ed-dec7-11db-bed2-0050fcc9366e}]
\Shell\AutoRun\command - H:\ntphyy.com
\Shell\explore\Command - H:\ntphyy.com
\Shell\open\Command - H:\ntphyy.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74530b00-8713-11dc-bf36-0050fcc9366e}]
\Shell\AutoRun\command - H:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b63c1007-0915-11dc-beec-0050fcc9366e}]
\Shell\AutoRun\command - ntphyy.com
\Shell\explore\Command - ntphyy.com
\Shell\open\Command - ntphyy.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd77b3ae-7bda-11dc-bf2b-0050fcc9366e}]
\Shell\Auto\command - sal.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
\Shell\explore\Command - H:\WindowsXP.exe
\Shell\open\Command - H:\WindowsXP.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 18:51:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rQHAPjkJ.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-05-29 18:55:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 14:55:25
Pre-Run: 12,840,112,128 bytes free
Post-Run: 12,864,905,216 bytes free
249 --- E O F --- 2008-05-27 23:00:45