Hi!


Virus Details ; Platform: Win XP

My laptop is affected by some sort of virus, and as it destroyed my AVG 8.5 free installation, I downloaded Avira Free antivirus software. This virus didn't let me install it (It blocked out all antivirus websites) and keeps downloading small 8.50 kb files (randomly named) into this directory - C:\Documents and Settings\username\Local Settings\Temp\ - besides which, it creates a folder named "Qoobox" in C:\, and different Executables in C:\WINDOWS, namely SED.exe, NIRCMD.exe, GREP.exe, TASKMAN.exe, SWSC.exe, SWREG.exe, vfind.exe, zip.exe.

I have been fighting this virus for the past 14 hours, manually altering registry keys that were infected using a satndalone registry editor(Not the one windows provides, as both regedit and taskmgr have been disabled, and I cannot permanently set their reg keys back to 0x00). HijackThis showed two DPF's (O16) that were probably infected (I'll upload the log if you require it), apart from which it showed an O10 - unknown file in winsock LSP - : c:\windows\system32\nwprovau.dll (I have left this as I have NetBIOS installed). After taking the log, and fixing the above said, I ran ComboFix. The log showed some infected registry keys, all of which deals with infecting Removable drives. I have manually fixed these. I have attached this log as well. The striking thing to me was that the virus made ComboFix unworkable after I used it! It now gives an error message when I open it.

The virus also renders some applications useless, for eg, I cannot run some .exe files. I looked up how the process starts using Process Explorer, and found that these programs start and then are stopped suddenly, and I just can't figure out why (or how). At first it didn't let me install Avira, so I had to carry out a manual installation, which involved extracting the setup files with WinRAR and then heading out from there. Eventually, I got it running, and did a scan of my C:\ drive, and here are the results (I'm not sure of what to do with these as it lists some very important core windows files as being infected with the w32/Sality.Y variant of virus.), which are attached below. (Its way too large to be posted)

I have also scanned my whole computer with Malwarebytes' Anti-Malware, but that didn't show anything. Atribune's VundoFix also returned a negative.

Could somebody help me with this?

*ANY* help is appreciated!

Thanks for your time,

Amrith

Hi!

A quick Update: I got the Task Manager and Registry Editor up and running! ... but the virus is still there :(

Update 2: Uninstalled Avira... Sorry about that, but when I restarted the computer, it sort of went haywire - It kept popping up lots of windows asking me whether I should run a certain program/process and it also was adamant that its own setup file was a W32/Sality.Y

Also, my laptop seems to be stable, but I still cannot start some applications. I've also destroyed some suspect files (including 1 autorun.exe)...

We would prefer that you copy/paste logs, not upload them. By not having to open an attached file this protects the helper or others reading the post from possibly opening an infected file.
FYI,
Your infected O16 files are legitmate files and not infections.
Your Unknown O10 listing is also legitimate Microsoft Client Services for Netware

May I ask where you got the information on the various files you list?
Qoobox is NOT created by your virus, it is the quarantine file created by Combofix. Who told you to run Combofix? It was run incorrectly by the way.
Also created by Combofix: NIRCMD.exe
You obviously have run a multitude of programs and attempted registry fixes that we know nothing about or how or why you did them.
One reason fixes won't work is you are running Spybot TeaTimer which INTERFERES with fixes attempted on many items.
I would like to see the MBA-M log and also the log containing the O16 infected files you mention since the ones in the log you have attached are NOT infections.

We would prefer that you copy/paste logs, not upload them. By not having to open an attached file this protects the helper or others reading the post from possibly opening an infected file.
FYI,
Your infected O16 files are legitmate files and not infections.
Your Unknown O10 listing is also legitimate Microsoft Client Services for Netware

May I ask where you got the information on the various files you list?
Qoobox is NOT created by your virus, it is the quarantine file created by Combofix. Who told you to run Combofix? It was run incorrectly by the way.
Also created by Combofix: NIRCMD.exe
You obviously have run a multitude of programs and attempted registry fixes that we know nothing about or how or why you did them.
One reason fixes won't work is you are running Spybot TeaTimer which INTERFERES with fixes attempted on many items.
I would like to see the MBA-M log and also the log containing the O16 infected files you mention since the ones in the log you have attached are NOT infections.

Hi!

Thanks for your reply.

The registry fixes that I had carried out are listed in the ComboFix log, as I had mentioned:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{152b27a4-b9fb-11dd-bdc2-0014381e0905}]
\Shell\AutoRun\command - H:\browsercall.exe Ursocol SR.jpg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19501a68-5f8f-11dd-bcc2-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2355968c-2321-11dd-bc55-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a8cbe-36a4-11dd-bc71-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97ef806e-ee89-11dd-be20-0014381e0905}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
\Shell\Open\command - regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abcd2c2e-5a39-11dd-bca1-0014a517c7ec}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bde17f26-b88d-11dc-bba9-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce30f0ac-87bc-11dc-bb0a-0014a517c7ec}]
\Shell\auto\command - H:\SVCH0ST.EXE e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SVCH0ST.EXE e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2f779fc-29a6-11de-bee9-0014381e0905}]
\Shell\AutoRun\command - H:\loader.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2f779fd-29a6-11de-bee9-0014381e0905}]
\Shell\AutoRun\command - xwatmaf.exe
\Shell\explore\Command - xwatmaf.exe
\Shell\open\Command - xwatmaf.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f50b00c6-c73d-11dc-bbda-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

I set all the above data values (of REG_SZ type) to "" (NULL, size = 1). I did this because I was pretty sure that these would infect any removable disks I attach to my computer.

I am aware that O10 and O16 entries can be legit, but the O16 entries that I had deleted were :
1) file:///G:/CDVIEWER/Cdviewer.cab - I'm pretty sure that this is some sort of malware/spyware program

2) amiviewer.cab

I left the O10 entry alone: The entry was :
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

I hadn't saved that particular HiJackThis log file, but I had a look at the backups saved on HiJackThis, and those were the changes that I had made.

I thought that I had turned off SpyBot's TeaTimer Service, but I hadn't checked it before running ComboFix (It didn't give a warning as well, so I might have overlooked this), sorry about that.

I wasn't aware that Qoobox and NIRCMD.exe was created by ComboFix, thanks for the info :)

There was also another folder with "Qoobox" that was called "32788R22FWJFW", which I had also deleted.

Thanks,

We are at a REAL disadvantage here. You have done steps prior to coming here, we cannot see those logs, the info you have given me is basically incomplete. The two O16 items you say you removed were not necessarily infected files, both refer to the AMI Picture Viewer when just searching for the NAME of the file. But that is not all we use to research, we use the full entry from the log. You have no logs.
The infected files you say were created by the virus don't show in the combofix log at all, they should have shown there. Is this the only run of combofix you did?
You have not posted a MBA-M log.
I am very hesitant to offer any suggestions, what with the registry edits and various tools you have run.

Okay, Lets start afresh:

1. I first uninstalled extra/unnecessary programs that I had installed after I noticed the virus.

2. I took a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:12 PM, on 5/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Orbitdownloader\orbitdm.exe
F:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winqfwl.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.34:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - F:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Orbit.lnk = F:\Program Files\Orbitdownloader\orbitdm.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://172.16.0.6/ami/install/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67F09C9D-70DD-42D4-A622-6ED8BC2543A2}: NameServer = 203.90.87.121
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5142 bytes

*Note*: The HijackThis Entry
C:\DOCUME~1\user\LOCALS~1\Temp\winqfwl.exe is the randomly named 8.50 kb file that keeps appearing in my Current User Temp folder, that I had made an earlier reference to.

3. I then did a m-bam scan, which found two errors, namely the registry keys that alters the visibility of Task Manager and Registry Editor. Below is the scan log:

Malwarebytes' Anti-Malware 1.33
Database version: 1720
Windows 5.1.2600 Service Pack 2

5/15/2009 9:54:00 PM
mbam-log-2009-05-15 (21-54-00).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 116455
Time elapsed: 25 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

That's about what has happened in the past 14 hours...

Could you help me out with this?

Thanks for your time,

Amrith

A quick update:

This is my HiJackThis log file after the M-BAM scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:23 PM, on 5/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Orbitdownloader\orbitdm.exe
F:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winsujox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.34:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - F:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Orbit.lnk = F:\Program Files\Orbitdownloader\orbitdm.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://172.16.0.6/ami/install/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67F09C9D-70DD-42D4-A622-6ED8BC2543A2}: NameServer = 203.90.87.121
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5125 bytes

Thanks!

Amrith

Hi!

I just checked if my M-BAM was up to date, and it turns out that it wasn't. So I did another M-BAM / HijackThis scan and here are the logs:

1. M-BAM Log

Malwarebytes' Anti-Malware 1.36
Database version: 2135
Windows 5.1.2600 Service Pack 2

5/15/2009 11:01:46 PM
mbam-log-2009-05-15 (23-01-46).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 150784
Time elapsed: 14 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:48 PM, on 5/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
F:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.34:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - F:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Orbit.lnk = F:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://172.16.0.6/ami/install/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67F09C9D-70DD-42D4-A622-6ED8BC2543A2}: NameServer = 203.90.87.121
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 4979 bytes

Thanks!

Amrith

Where are you located?

As in Geographically? In India...

Just wanted to check your geographic location before I had you fix something that wasn't needed...it wasn't. The logs look so-so...EXCEPT...you are not running an anti-virus program, nor do I see a firewall on the machine. These are ABSOLUTE MUSTS otherwise all this fixing is for absolutely nothing.
There are many good, FREE anti-virus programs and FREE firewalls out there;
Pick one of each, download, install, update, enable...AND USE THEM...
Avira Free Anti-virus

Avast Free Anti-virus

Online Armor Free Firewall

Comodo Free Firewall

then do a new HJT scan and post back here with that log.

Just wanted to check your geographic location before I had you fix something that wasn't needed...it wasn't. The logs look so-so...EXCEPT...you are not running an anti-virus program, nor do I see a firewall on the machine. These are ABSOLUTE MUSTS otherwise all this fixing is for absolutely nothing.
There are many good, FREE anti-virus programs and FREE firewalls out there;
Pick one of each, download, install, update, enable...AND USE THEM...
Avira Free Anti-virus

Avast Free Anti-virus

Online Armor Free Firewall

Comodo Free Firewall

then do a new HJT scan and post back here with that log.

Hi!

Thanks for your reply. I tried downloading BOTH antivirus software, but they do not install(I get the setup screen, and then the process suddenly disappears). The same holds true for many executables (especially antivirus software) that I have ( I should mention that I have AVG 8.5 AV Professional Edition, but even that doesn't install) On my other computers(I have two desktop PC's at home), I have AVG 8.5 installed on one and ZoneAlarm Security Suite on the other. I tried installing both these on my laptop, but both fail as well.

Any ideas on how to resolve this?

PS: I have PCTools SpyDoctor that I've stopped using on my old Desktop PC, and I tried installing that on the Laptop too, but it just doesn't seem to work :(

PPS: AVG 7.5 was installed on the Laptop before, but the virus stopped me from even opening the main screen, let alone running a scan. So that's why I uninstalled it in the first place...