Thanks a lot marc57 for the reply. I followed the steps you mentioned, but unfortunately I am still able to see 320 files infected with the viruses I had mentioned in my earlier post.
After disabling System Restore and scanning with Rootkit Buster, it showed no viruses; when I scanned with Malwarebytes' Anti-Malware it showed one file infected. Below is the log file with details:
Malwarebytes' Anti-Malware 1.26
Database version: 1112
Windows 5.1.2600 Service Pack 2
9/4/2008 9:27:04 PM
mbam-log-2008-09-04 (21-27-00).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 70065
Time elapsed: 24 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\suresh\My Documents\Downloads\Documents\A0005413.exe (Backdoor.Bot) -> No action taken.
Also posting the log file I got from ComboFix:
ComboFix Log File :
ComboFix 08-09-01.05 - suresh 2008-09-03 21:02:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.248 [GMT 5.5:30]
Running from: C:\Documents and Settings\suresh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\suresh\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
- Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.
2008-09-03 20:25 . 2008-09-03 20:25 d-------- C:\Program Files\MSXML 4.0
2008-09-03 19:52 . 2008-09-03 19:52 d-------- C:\Program Files\Google
2008-09-03 19:51 . 2008-09-03 19:51 d-------- C:\Program Files\Java
2008-09-03 19:51 . 2008-09-03 19:51 d-------- C:\Program Files\Common Files\Java
2008-09-03 19:51 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-03 19:49 . 2008-09-03 19:49 d-------- C:\WINDOWS\system32\bits
2008-09-03 19:49 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-09-03 19:48 . 2007-03-29 18:26 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-09-03 19:48 . 2007-03-29 18:26 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-09-03 12:14 . 2008-06-13 18:40 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-09-03 12:14 . 2008-06-13 18:40 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-03 11:26 . 2008-09-03 20:28 d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 08:34 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-07-25 08:34 683,520 ----a-w C:\WINDOWS\system32\divx.dll
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
.
------- Sigcheck -------
2002-08-31 20:29 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe" [2008-09-03 162744]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 59392]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 159744]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2002-08-10 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2001-07-27 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2001-07-27 282624]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-27 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-27 118784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BlueSoleil VoIP Plugin.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe [2006-02-17 148992]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-04-28 1441792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"DisableStatusMessages"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08adf6ad-af8e-11d6-877b-0006c990021d}]
\shell\explore\command - explorer.exe
\shell\open\Command - explorer.exe
Newly Created Service - CATCHME
Newly Created Service - PROCEXP90
.
Notify-NavLogon - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
.
.
------- File Associations (Beta) -------
.
inifile="%SystemRoot%\System32\NOTEPAD.EXE %1"
.
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 21:03:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\DOCUME~1\suresh\LOCALS~1\Temp\RGI1.tmp
scan completed successfully
hidden files: 1
.
Completion time: 2008-09-03 21:04:56
ComboFix-quarantined-files.txt 2008-09-03 15:34:52
Pre-Run: 16,269,099,008 bytes free
Post-Run: 16,255,094,784 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
118 --- E O F --- 2008-09-03 14:59:02
Can anyone please help me out in removing these viruses?
Thanks in advance,
Sid