
Solved: Newly added files on pendrive keep being deleted

Discussion in 'Malware and Virus Removal Archive' started by myfama, 2008/12/05.

  1. 2008/12/17
    myfama

    I'm not so certain about this, but as far as I know all my Outlook files are placed in this path, i.e. D:\Data\Documents and Settings_Fairuz Azmi\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst

    If I start with a fresh one, do I need to delete Personal Folders(1).pst? But if I do so, I will no longer be able to access those files.
     
  2. 2008/12/17
    noahdfear

    If that is the current mail cache, you do not want to delete it; otherwise, as you said, they will be gone. Update your antivirus definitions and scan that drive.

    Did you run ComboFix as recommended above yet?
     
  4. 2008/12/17
    myfama

    ComboFix 08-12-16.03 - Fairuz Azmi 2008-12-17 16:06:37.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1209 [GMT 8:00]
    Running from: c:\documents and settings\Fairuz Azmi\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
    .

    2008-12-17 16:05 . 2008-12-17 16:05 <DIR> d-------- C:\32788R22FWJFW
    2008-12-11 12:46 . 2008-12-11 12:46 <DIR> d-------- c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP
    2008-12-10 07:20 . 2008-12-10 07:20 <DIR> d--hs---- c:\documents and settings\Fairuz Azmi\UserData
    2008-12-05 17:04 . 2008-12-05 17:07 <DIR> d-------- C:\rsit
    2008-12-05 17:04 . 2008-12-05 17:07 <DIR> d-------- c:\program files\trend micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-17 08:06 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\uTorrent
    2008-12-14 17:15 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\Orbit
    2008-12-07 15:56 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\AdobeUM
    2008-11-30 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM
    2008-11-16 07:57 --------- d-----w c:\documents and settings\ingres\Application Data\AVGTOOLBAR
    2008-11-16 07:55 --------- d--h--r c:\documents and settings\ingres\Application Data\yahoo!
    2008-11-12 05:47 --------- d-----w c:\program files\MetaTrader - FXOpen
    2008-11-02 15:21 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\LimeWire
    2008-10-25 08:52 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2008-10-25 08:28 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\AVGTOOLBAR
    2008-10-25 08:25 10,520 ----a-w c:\windows\system32\avgrsstx.dll
    2008-10-25 08:25 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2008-10-17 07:53 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\Yahoo!
    2007-12-04 02:46 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2008-08-11 01:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080812\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-09_16.52.54.98 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-11-16 07:59:45 36,864 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseClrHost.exe
    + 2008-12-11 04:46:29 36,864 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseClrHost.exe
    - 2008-11-16 07:59:45 122,595 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseCustomCalla.dll
    + 2008-12-11 04:46:29 122,595 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseCustomCalla.dll
    - 2008-11-16 07:59:45 126,976 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseCustomCalla1.dll
    + 2008-12-11 04:46:29 126,976 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseCustomCalla1.dll
    - 2008-11-16 07:59:45 13,312 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseDotNetStub.exe
    + 2008-12-11 04:46:29 13,312 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseDotNetStub.exe
    - 2008-11-16 07:59:31 7,680 ----a-r c:\windows\Installer\{9B12DDD3-F1BE-4FB6-9FD2-308549244609}\IconD36260BC.exe
    + 2008-12-11 04:46:08 7,680 ----a-r c:\windows\Installer\{9B12DDD3-F1BE-4FB6-9FD2-308549244609}\IconD36260BC.exe
    - 2008-12-09 08:49:31 231,166 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
    + 2008-12-17 00:47:36 231,168 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "uTorrent "= "c:\program files\uTorrent\uTorrent.exe" [2008-01-05 219952]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
    "Search Protection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig "= "c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray "= "c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "KADxMain "= "c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Dell QuickSet "= "c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
    "OrderReminder "= "c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-12-21 98304]
    "pdfFactory Pro Dispatcher v2 "= "c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-05-31 483328]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Easy-PrintToolBox "= "c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
    "nwiz "= "nwiz.exe" [2007-05-11 c:\windows\system32\nwiz.exe]
    "NVHotkey "= "nvHotkey.dll" [2007-05-11 c:\windows\system32\nvhotkey.dll]
    "SigmatelSysTrayApp "= "stsystra.exe" [2007-05-06 c:\windows\stsystra.exe]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

    c:\documents and settings\Fairuz Azmi\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
    Ingres Visual Manager [ II ].lnk - c:\windows\system32\ingwrap.exe [2003-05-14 19:32:18 20480]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-16 692224]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Oracle\\Ora92\\Apache\\Apache\\Apache.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe "=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "12741:TCP "= 12741:TCP:utorrent

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-25 97928]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-25 231704]
    R2 Ingres_Database_II;Ingres Intelligent Database [II]; "c:\ingresii\ingres\bin\servproc.exe" [2003-05-14 19:03:48 24576]
    R2 LogWatch;Event Log Watch; "c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2002-09-20 53248]
    R2 OracleServiceFAMPS;OracleServiceFAMPS;c:\oracle\ora92\bin\ORACLE.EXE FAMPS []
    S2 OracleOraHome92Agent;OracleOraHome92Agent;c:\oracle\Ora92\bin\agntsrvc.exe [2002-04-26 28944]
    S3 ADEListener;ADEListener;c:\windows\system32\ADEListener.exe [2006-04-05 28672]
    S3 adiusbae;ADSL USB MODEM LAN ADAPTER;c:\windows\system32\DRIVERS\adiusbae.sys []
    S3 AMPS Email Processor;AMPS Email Processor;c:\windows\system32\emailprocessor.exe [2007-03-06 45056]
    S3 CA_LIC_CLNT;CA License Client; "c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2002-09-20 77824]
    S3 CA_LIC_SRVR;CA License Server; "c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe" [2002-09-20 77824]
    S3 FSDFileWatcher;FSDFileWatcher;c:\windows\system32\fsdfilewatcher.exe [2005-11-07 49152]
    S3 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer; "c:\oracle\Ora92\Apache\Apache\apache.exe" --ntservice [2002-04-18 4096]
    S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;c:\oracle\Ora92\BIN\ENCSVC.EXE [2002-02-13 187392]
    S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;c:\oracle\Ora92\BIN\AGNTSVC.EXE [2002-02-13 254464]
    S3 SCAMS_FileWatcher;SCAMS_FileWatcher;c:\windows\system32\SCAMS_FileWatcher.exe [2007-11-05 69632]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e94b57-dddc-11dc-94af-001c26f066af}]
    \Shell\AutoRun\command - photos.zip.exe %1
    \Shell\Explore\command - photos.zip.exe %1
    \Shell\Open\command - photos.zip.exe %1

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1835b71-8ba1-11dc-93c8-001c239b40f5}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Mc~.vbe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://imis-203/amps/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    c:\windows\system32\mfc42.dll - c:\windows\system32\msvcrt.dll
    c:\windows\system32\olepro32.dll
    c:\windows\Downloaded Program Files\csoex_aib.ocx
    O16 -: {1FAF427B-1EE5-43D3-A023-3009142AFCDF}
    hxxp://download.excelforce.com.my/aib/cab/csoex_aib.cab
    c:\windows\Downloaded Program Files\csoex_aib.inf

    c:\windows\system32\mfc42.dll - c:\windows\system32\msvcrt.dll
    c:\windows\system32\olepro32.dll
    c:\windows\Downloaded Program Files\cswx.ocx
    O16 -: {B9B2EE1A-E314-4338-A305-BE845EACB112}
    hxxp://download.excelforce.com.my/aib/cab/cswx.cab
    c:\windows\Downloaded Program Files\cswx.inf
    FF - ProfilePath - c:\documents and settings\Fairuz Azmi\Application Data\Mozilla\Firefox\Profiles\p14w3m3f.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
    .
    .
    ------- File Associations -------
    .
    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-17 16:11:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\OracleOraHome92PagingServer]
    "ImagePath "= "c:\oracle\Ora92/bin/pagntsrv.exe "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\OracleOraHome92TNSListener]
    "ImagePath "= "c:\oracle\Ora92\BIN\TNSLSNR "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(964)
    c:\windows\system32\avgrsstx.dll

    - - - - - - - > 'lsass.exe'(1072)
    c:\windows\system32\avgrsstx.dll
    .
    Completion time: 2008-12-17 16:12:15
    ComboFix-quarantined-files.txt 2008-12-17 08:11:43
    ComboFix2.txt 2008-12-10 09:31:07
    ComboFix3.txt 2008-12-10 06:05:59

    Pre-Run: 23.882.399.744 bytes free
    Post-Run: 24,034,869,248 bytes free

    203 --- E O F --- 2008-08-10 14:54:54
     
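The two mountpoints2 blocks in the log above are per-volume shell handlers: Explorer runs the AutoRun, Open or Explore command when that drive is double-clicked, which is why entries pointing at photos.zip.exe and at wscript.exe Mc~.vbe matter. As an added example (not from this thread or from ComboFix), here is a Python parser that pulls those blocks out of a ComboFix report and flags handlers that invoke script hosts, script files, double-extension names or bare filenames resolved from the drive itself; the sample report text is constructed from the entries above plus one invented benign entry.

```python
"""Flag removable-drive autorun handlers in a ComboFix 'Reg Loading Points' dump.

Added example for this thread, not ComboFix's own code. It parses the
HKCU\\...\\Explorer\\MountPoints2 blocks ComboFix prints and reports the
\\Shell\\<verb>\\command handlers that look like an autorun dropper.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two MountPoints2 blocks from the report above plus
# an invented benign entry (zero GUID, absolute vendor path) for contrast.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e94b57-dddc-11dc-94af-001c26f066af}]
\Shell\AutoRun\command - photos.zip.exe %1
\Shell\Explore\command - photos.zip.exe %1
\Shell\Open\command - photos.zip.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1835b71-8ba1-11dc-93c8-001c239b40f5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Mc~.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - c:\program files\Vendor\Launcher.exe
.
Contents of the 'Scheduled Tasks' folder
"""

SECTION_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$",
    re.IGNORECASE,
)
HANDLER_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)

# Heuristics: hosts that execute script text, script extensions, and the
# .zip.exe style double extension used to disguise an executable as data.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "shellexec_rundll")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|com|pif|bat|cmd|vbs|vbe|js)\b")


@dataclass(frozen=True)
class Handler:
    guid: str      # volume GUID under MountPoints2 (lower-cased)
    verb: str      # autorun / open / explore ...
    command: str   # command line ComboFix printed after " - "


def parse_mountpoints(report: str) -> list:
    """Return every \\Shell\\<verb>\\command handler found under MountPoints2."""
    handlers, guid = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            guid = m.group(1).lower()
            continue
        if not line or line.startswith("["):
            guid = None            # block ended, or some other registry key began
            continue
        h = HANDLER_RE.match(line)
        if guid and h:
            handlers.append(Handler(guid, h.group(1).lower(), h.group(2).strip()))
    return handlers


def assess(handler: Handler) -> list:
    """Return the reasons a handler looks like an autorun dropper (empty if benign)."""
    cmd = handler.command.lower()
    tokens = [t for t in cmd.replace(",", " ").split() if t != "%1"]
    file_tokens = [t for t in tokens if t.endswith(SCRIPT_EXTS + EXEC_EXTS)]
    reasons = []
    if any(host in cmd for host in SCRIPT_HOSTS):
        reasons.append("script-host")
    if any(t.endswith(SCRIPT_EXTS) for t in file_tokens):
        reasons.append("script-file")
    if DOUBLE_EXT_RE.search(cmd):
        reasons.append("double-extension")
    # A bare filename with no directory part resolves relative to the mounted
    # volume, i.e. the payload lives on the pendrive itself.
    if any("\\" not in t and not t.startswith("%") for t in file_tokens):
        reasons.append("relative-path")
    return reasons


def suspicious_volumes(report: str) -> dict:
    """Map each flagged volume GUID to {verb: reasons}; benign volumes are omitted."""
    result = {}
    for h in parse_mountpoints(report):
        reasons = assess(h)
        if reasons:
            result.setdefault(h.guid, {})[h.verb] = reasons
    return result


if __name__ == "__main__":
    for guid, verbs in suspicious_volumes(SAMPLE_LOG).items():
        for verb, reasons in verbs.items():
            print(f"{guid} {verb}: {', '.join(reasons)}")
```

Point it at a full ComboFix log (read the file and pass the text to suspicious_volumes) and every volume whose handlers trip a heuristic is listed; the benign vendor entry in the sample produces nothing.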
  5. 2008/12/17
    noahdfear

    Please re-read post #18 and run ComboFix again with the CFScript as instructed. I've got to get some sleep now, so I'll check it after work.
     
  6. 2008/12/17
    myfama

    OK, will do later. Anyway, thank you for the help. :)
     
  7. 2008/12/17
    myfama

    ComboFix 08-12-16.03 - Fairuz Azmi 2008-12-17 16:48:07.7 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1196 [GMT 8:00]
    Running from: c:\documents and settings\Fairuz Azmi\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Fairuz Azmi\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    D:\Mc~.vbe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
    D:\Mc~.vbe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_CA_LIC_CLNT
    -------\Service_CA_LIC_SRVR


    ((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
    .

    2008-12-11 12:46 . 2008-12-11 12:46 <DIR> d-------- c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP
    2008-12-10 07:20 . 2008-12-10 07:20 <DIR> d--hs---- c:\documents and settings\Fairuz Azmi\UserData
    2008-12-05 17:04 . 2008-12-05 17:07 <DIR> d-------- C:\rsit
    2008-12-05 17:04 . 2008-12-05 17:07 <DIR> d-------- c:\program files\trend micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-17 08:36 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\uTorrent
    2008-12-14 17:15 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\Orbit
    2008-12-07 15:56 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\AdobeUM
    2008-11-30 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM
    2008-11-16 07:57 --------- d-----w c:\documents and settings\ingres\Application Data\AVGTOOLBAR
    2008-11-16 07:55 --------- d--h--r c:\documents and settings\ingres\Application Data\yahoo!
    2008-11-12 05:47 --------- d-----w c:\program files\MetaTrader - FXOpen
    2008-11-02 15:21 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\LimeWire
    2008-10-25 08:52 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2008-10-25 08:28 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\AVGTOOLBAR
    2008-10-25 08:25 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2008-10-17 07:53 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\Yahoo!
    2007-12-04 02:46 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2008-08-11 01:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080812\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-09_16.52.54.98 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-11-16 07:59:45 36,864 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseClrHost.exe
    + 2008-12-11 04:46:29 36,864 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseClrHost.exe
    - 2008-11-16 07:59:45 122,595 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseCustomCalla.dll
    + 2008-12-11 04:46:29 122,595 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseCustomCalla.dll
    - 2008-11-16 07:59:45 126,976 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseCustomCalla1.dll
    + 2008-12-11 04:46:29 126,976 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseCustomCalla1.dll
    - 2008-11-16 07:59:45 13,312 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseDotNetStub.exe
    + 2008-12-11 04:46:29 13,312 ----a-w c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP\WiseDotNetStub.exe
    - 2008-11-16 07:59:31 7,680 ----a-r c:\windows\Installer\{9B12DDD3-F1BE-4FB6-9FD2-308549244609}\IconD36260BC.exe
    + 2008-12-11 04:46:08 7,680 ----a-r c:\windows\Installer\{9B12DDD3-F1BE-4FB6-9FD2-308549244609}\IconD36260BC.exe
    - 2008-12-09 08:49:31 231,166 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
    + 2008-12-17 08:51:26 231,163 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "uTorrent "= "c:\program files\uTorrent\uTorrent.exe" [2008-01-05 219952]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
    "Search Protection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig "= "c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray "= "c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "KADxMain "= "c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Dell QuickSet "= "c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
    "OrderReminder "= "c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-12-21 98304]
    "pdfFactory Pro Dispatcher v2 "= "c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-05-31 483328]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Easy-PrintToolBox "= "c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
    "nwiz "= "nwiz.exe" [2007-05-11 c:\windows\system32\nwiz.exe]
    "NVHotkey "= "nvHotkey.dll" [2007-05-11 c:\windows\system32\nvhotkey.dll]
    "SigmatelSysTrayApp "= "stsystra.exe" [2007-05-06 c:\windows\stsystra.exe]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

    c:\documents and settings\Fairuz Azmi\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
    Ingres Visual Manager [ II ].lnk - c:\windows\system32\ingwrap.exe [2003-05-14 19:32:18 20480]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-16 692224]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Oracle\\Ora92\\Apache\\Apache\\Apache.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe "=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "12741:TCP "= 12741:TCP:utorrent

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-25 97928]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-25 231704]
    R2 Ingres_Database_II;Ingres Intelligent Database [II]; "c:\ingresii\ingres\bin\servproc.exe" [2003-05-14 19:03:48 24576]
    R2 LogWatch;Event Log Watch; "c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2002-09-20 53248]
    R2 OracleOraHome92Agent;OracleOraHome92Agent;c:\oracle\Ora92\bin\agntsrvc.exe [2002-04-26 28944]
    R2 OracleServiceFAMPS;OracleServiceFAMPS;c:\oracle\ora92\bin\ORACLE.EXE FAMPS []
    S3 ADEListener;ADEListener;c:\windows\system32\ADEListener.exe [2006-04-05 28672]
    S3 adiusbae;ADSL USB MODEM LAN ADAPTER;c:\windows\system32\DRIVERS\adiusbae.sys []
    S3 AMPS Email Processor;AMPS Email Processor;c:\windows\system32\emailprocessor.exe [2007-03-06 45056]
    S3 FSDFileWatcher;FSDFileWatcher;c:\windows\system32\fsdfilewatcher.exe [2005-11-07 49152]
    S3 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer; "c:\oracle\Ora92\Apache\Apache\apache.exe" --ntservice [2002-04-18 4096]
    S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;c:\oracle\Ora92\BIN\ENCSVC.EXE [2002-02-13 187392]
    S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;c:\oracle\Ora92\BIN\AGNTSVC.EXE [2002-02-13 254464]
    S3 SCAMS_FileWatcher;SCAMS_FileWatcher;c:\windows\system32\SCAMS_FileWatcher.exe [2007-11-05 69632]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e94b57-dddc-11dc-94af-001c26f066af}]
    \Shell\AutoRun\command - photos.zip.exe %1
    \Shell\Explore\command - photos.zip.exe %1
    \Shell\Open\command - photos.zip.exe %1

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1835b71-8ba1-11dc-93c8-001c239b40f5}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Mc~.vbe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://imis-203/amps/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    c:\windows\system32\mfc42.dll - c:\windows\system32\msvcrt.dll
    c:\windows\system32\olepro32.dll
    c:\windows\Downloaded Program Files\csoex_aib.ocx
    O16 -: {1FAF427B-1EE5-43D3-A023-3009142AFCDF}
    hxxp://download.excelforce.com.my/aib/cab/csoex_aib.cab
    c:\windows\Downloaded Program Files\csoex_aib.inf

    c:\windows\system32\mfc42.dll - c:\windows\system32\msvcrt.dll
    c:\windows\system32\olepro32.dll
    c:\windows\Downloaded Program Files\cswx.ocx
    O16 -: {B9B2EE1A-E314-4338-A305-BE845EACB112}
    hxxp://download.excelforce.com.my/aib/cab/cswx.cab
    c:\windows\Downloaded Program Files\cswx.inf
    FF - ProfilePath - c:\documents and settings\Fairuz Azmi\Application Data\Mozilla\Firefox\Profiles\p14w3m3f.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-17 16:52:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraHome92PagingServer]
    "ImagePath "= "c:\oracle\Ora92/bin/pagntsrv.exe "

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraHome92TNSListener]
    "ImagePath "= "c:\oracle\Ora92\BIN\TNSLSNR "
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Canon\IJPLM\ijplmsvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\oracle\Ora92\bin\omtsreco.exe
    c:\oracle\Ora92\bin\TNSLSNR.EXE
    c:\oracle\Ora92\bin\oracle.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\oracle\Ora92\bin\dbsnmp.exe
    c:\windows\system32\spool\drivers\w32x86\3\HP1005MC.EXE
    c:\windows\system32\wdfmgr.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\ingresii\ingres\bin\iigcn.exe
    c:\ingresii\ingres\bin\iigcc.exe
    c:\ingresii\ingres\bin\iigworad.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    c:\ingresii\ingres\vdba\ivm.exe
    c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-12-17 16:55:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-17 08:55:31
    ComboFix2.txt 2008-12-17 08:12:17
    ComboFix3.txt 2008-12-10 09:31:07
    ComboFix4.txt 2008-12-10 06:05:59

    Pre-Run: 23.992.889.344 bytes free
    Post-Run: 23,986,286,592 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    245 --- E O F --- 2008-08-10 14:54:54
     
  8. 2008/12/17
    myfama (Thread Starter)
    Please let me know if I ran the script wrongly again.
     
  9. 2008/12/17
    noahdfear
    Highlight and copy the contents of the code box below.
    Code:
    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e94b57-dddc-11dc-94af-001c26f066af} /f
    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1835b71-8ba1-11dc-93c8-001c239b40f5} /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.


    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too.


    That should wrap things up. Any other issues?
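    Editor's note, added to this archived thread (not part of noahdfear's instructions or the original post): the two keys deleted above sit under Explorer's MountPoints2 key, where Windows caches, per device GUID, the autorun.inf action it last saw on a removable drive (Shell\AutoRun\command). Clearing them removes a cached launch command for the infected pendrive. The script below shows how a responder can review such an export offline before deleting anything: it parses the text a `reg export` of MountPoints2 produces, lists every device key that carries a Shell\<verb>\command value, and generates the same `reg delete` lines the post uses. The .reg contents, GUIDs and the `E:\RECYCLER\sample.exe` path are constructed sample data, not values from this machine.

```python
import re
from typing import Dict, List, NamedTuple

# Key the thread's cleanup targets (HKCU, per-user Explorer device cache).
MP2 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

# Constructed sample of what `reg export <MP2> mp2.reg` looks like, trimmed to a
# few keys. GUIDs, label and the command path are invented for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-aaaa-0000-0000-000000000001}]
"BaseClass"="Drive"
"_LabelFromReg"="PENDRIVE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-aaaa-0000-0000-000000000001}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-aaaa-0000-0000-000000000001}\Shell\AutoRun]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-aaaa-0000-0000-000000000001}\Shell\AutoRun\command]
@="E:\\RECYCLER\\sample.exe -a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-bbbb-0000-0000-000000000002}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"
"Data"=hex:01,00,00,00
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
GUID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg export text into {key_path: {value_name: raw_value}}.

    Values are kept raw ("Drive", hex:01,00, dword:...). Hex continuation
    lines (indented, ending in a backslash) match neither regex and are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def unquote_sz(raw: str) -> str:
    """Turn a quoted REG_SZ literal ("E:\\\\x.exe") into its string value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # hex:/dword: values are returned unchanged


class Finding(NamedTuple):
    guid: str
    verb: str
    command: str


def find_autorun_commands(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Report every MountPoints2\\{GUID}\\Shell\\<verb>\\command default value."""
    findings: List[Finding] = []
    prefix = MP2.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        parts = path[len(MP2) + 1:].split("\\")
        if (len(parts) == 4 and GUID_RE.match(parts[0])
                and parts[1].lower() == "shell"
                and parts[3].lower() == "command" and "@" in values):
            findings.append(Finding(parts[0], parts[2], unquote_sz(values["@"])))
    return findings


DELETE_TEMPLATE = (
    "reg delete HKCU\\software\\microsoft\\windows\\currentversion\\explorer"
    "\\mountpoints2\\{guid} /f"
)


def reg_delete_commands(findings: List[Finding]) -> List[str]:
    """One `reg delete ... /f` per flagged device key, as in the posted fix."""
    seen: List[str] = []
    for f in findings:
        if f.guid not in seen:
            seen.append(f.guid)
    return [DELETE_TEMPLATE.format(guid=g) for g in seen]


if __name__ == "__main__":
    found = find_autorun_commands(parse_reg(SAMPLE_REG))
    for f in found:
        print(f"{f.guid}  Shell\\{f.verb}\\command = {f.command}")
    print("\n".join(reg_delete_commands(found)))
```

    Legitimate installers on CDs also leave Shell\AutoRun\command entries behind, so the output is a review list, not a verdict; deleting a MountPoints2 key only drops the cached action and does not remove anything from the drive itself, which is why the scan of the pendrive and the ComboFix run remain the actual cleanup steps.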
     
  10. 2008/12/18
    myfama (Thread Starter)
    It has been done as you've instructed. Previously my Task Manager had been disabled unknowingly, but it got fixed by itself during the process. Thank you for your help; I appreciate it so much.

    By the way, in what way could my machine get affected by such a virus? If it came from somebody else's machine, there is a possibility of getting the virus again, right? I'm using AVG Anti-Virus Free and the virus definition files are up-to-date, but it seems it has not detected this kind of virus automatically.
     
  11. 2008/12/18
    noahdfear
    Good possibility you were infected from using P2P file sharing, uTorrent, Limewire, etc. I'm not passing judgment on file-sharing as a concept. However, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.


    Glad I could help.
     
  12. 2008/12/18
    myfama (Thread Starter)
    Thank you again for your time and advice.
     
  13. 2008/12/18
    noahdfear
