Solve: How can I get rid of the sality.nba virus?

Answer

What should I do now?

Download ComboFix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application from interfering with ComboFix we need to disable it. See here for a tutorial on how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily HELP you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

ComboFix 12-03-27.03 - Saeid 03/27/2012 23:59:08.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1256.981.1033.18.3063.1710 [GMT 4.5:30]
Running from: c:\users\Saeid\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Anti-Virus *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-27 to 2012-03-27 )))))))))))))))))))))))))))))))
.
.
2012-03-27 19:37 . 2012-03-27 19:37  --------  d-----w-  c:\users\Default\AppData\Local\temp
2012-03-27 08:01 . 2012-03-27 08:01  --------  d-----w-  C:\_OTL
2012-03-27 07:36 . 2012-03-14 02:15  6582328  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{54D7E092-BDA8-4721-A5D1-B16B8F591AC9}\mpengine.dll
2012-03-26 08:05 . 2012-03-26 08:05  --------  d-----w-  c:\users\Saeid\AppData\Roaming\SUPERAntiSpyware.com
2012-03-26 08:04 . 2012-03-26 08:05  --------  d-----w-  c:\program files\SUPERAntiSpyware
2012-03-26 08:04 . 2012-03-26 08:04  --------  d-----w-  c:\programdata\SUPERAntiSpyware.com
2012-03-26 07:35 . 2012-03-26 07:35  --------  d-----w-  c:\program files\CCleaner
2012-03-26 07:35 . 2012-03-26 07:35  --------  d-----w-  c:\program files\Google
2012-03-25 07:20 . 2012-03-25 07:20  --------  d-----w-  c:\users\Saeid\AppData\Roaming\Malwarebytes
2012-03-25 07:20 . 2012-03-25 07:20  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-03-25 07:20 . 2012-03-25 07:20  --------  d-----w-  c:\programdata\Malwarebytes
2012-03-25 07:20 . 2011-12-10 10:54  20464  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-03-24 05:45 . 2012-03-24 05:45  10920  ----a-w-  C:\aolconnfix.exe
2012-03-23 17:58 . 2012-03-23 17:58  --------  d-----w-  c:\program files\AOL Toolbar
2012-03-23 17:58 . 2012-03-23 17:58  --------  d-----w-  c:\programdata\AOL Toolbar
2012-03-23 17:58 . 2012-03-23 17:58  --------  d-----w-  c:\program files\Common Files\Software Update Utility
2012-03-23 17:57 . 2012-03-23 22:01  --------  d-----w-  c:\program files\AOL 9.5
2012-03-23 17:57 . 2012-03-23 17:59  --------  d-----w-  c:\program files\Common Files\aol
2012-03-19 19:06 . 2012-03-19 19:09  --------  d-----w-  c:\users\Saeid\AppData\Local\Facebook
2012-03-18 21:59 . 2012-03-18 21:59  2106216  ----a-w-  c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-03-18 21:59 . 2012-03-18 21:59  1998168  ----a-w-  c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-03-18 21:59 . 2012-03-18 21:59  592824  ----a-w-  c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-18 21:59 . 2012-03-18 21:59  548864  ----a-w-  c:\program files\Mozilla Firefox\msvcp80.dll
2012-03-18 21:59 . 2012-03-18 21:59  479232  ----a-w-  c:\program files\Mozilla Firefox\msvcm80.dll
2012-03-18 21:59 . 2012-03-18 21:59  44472  ----a-w-  c:\program files\Mozilla Firefox\mozglue.dll
2012-03-18 21:59 . 2012-03-18 21:59  626688  ----a-w-  c:\program files\Mozilla Firefox\msvcr80.dll
2012-03-15 09:45 . 2012-02-03 03:54  2343424  ----a-w-  c:\windows\system32\win32k.sys
2012-03-15 09:45 . 2012-02-10 05:38  1077248  ----a-w-  c:\windows\system32\DWrite.dll
2012-03-15 09:37 . 2012-01-25 05:32  58880  ----a-w-  c:\windows\system32\rdpwsx.dll
2012-03-15 09:37 . 2012-01-25 05:32  129536  ----a-w-  c:\windows\system32\rdpcorekmts.dll
2012-03-15 09:37 . 2012-01-25 05:27  8192  ----a-w-  c:\windows\system32\rdrmemptylst.exe
2012-03-15 09:37 . 2012-02-17 05:34  919040  ----a-w-  c:\windows\system32\rdpcorets.dll
2012-03-15 09:37 . 2012-02-17 05:34  826880  ----a-w-  c:\windows\system32\rdpcore.dll
2012-03-15 09:37 . 2012-02-17 04:14  183808  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
2012-03-15 09:37 . 2012-02-17 04:13  24576  ----a-w-  c:\windows\system32\drivers\tdtcp.sys
2012-03-04 16:16 . 2012-03-04 16:16  --------  d-----w-  c:\users\Saeid\AppData\Local\Behnevis Common
2012-03-04 16:16 . 2012-03-22 17:32  --------  d-----w-  c:\program files\Behnevis for MS Word
2012-03-04 16:15 . 2012-03-04 16:15  --------  d-----w-  c:\program files\Conduit
2012-03-04 16:15 . 2012-03-04 16:15  --------  d-----w-  c:\users\Saeid\AppData\Local\Conduit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-29 14:50 . 2011-11-15 18:04  414368  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 04:48 . 2011-11-15 16:44  237072  ------w-  c:\windows\system32\MpSigStub.exe
2012-01-17 13:33 . 2011-12-06 12:55  189248  ----a-w-  c:\windows\system32\PnkBstrB.exe
2012-01-17 13:33 . 2011-12-06 12:54  75136  ----a-w-  c:\windows\system32\PnkBstrA.exe
2012-03-18 21:59 . 2011-11-15 18:04  97208  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 14:50  21864  ----a-w-  c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nimbuzz"="c:\program files\Nimbuzz\Nimbuzz.exe" [2011-12-01 11713024]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-11-14 3437976]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-23 1594664]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-01 98304]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]
"HostManager"="c:\program files\Common Files\AOL\1332525462\ee\AOLSoftware.exe" [2009-07-20 41264]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-02 5249024]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-02-28 75048]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2011-08-22 3265136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\users\Saeid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54  551296  ----a-w-  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
2011-04-24 19:45  202296  ----a-w-  c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET FRAMEWORK NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-12-01 197224]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-01-12 257568]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys
R3 SysProtDrv.sys;SysProtDrv.sys;c:\users\Saeid\Desktop\SysProt\SysProtDrv.sys [2012-03-26 44288]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-22 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-29 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-29 366936]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-12-18 721904]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 23856]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/11/15 19:17];c:\program files\CyberLink\PowerDVD9\000.fcl [2009-02-28 16:10 87536]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-01 176128]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-06-08 13336]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2011-07-06 89376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 14808]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-06-01 5586432]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-06-01 209920]
S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl32.sys [2010-02-02 17144]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-03-30 45352]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-30 29472]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 132480]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-27 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 01a8d408-7896-4588-a444-c4f59eb8fffb.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-03-26 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task f88d71fa-faee-4ea3-9250-22371e658c90.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:11536
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{EB069C30-DB0F-4DAE-83D4-466F9A5FEFE4}: NameServer = 8.4.4.8,3.2.2.3
FF - ProfilePath - c:\users\Saeid\AppData\Roaming\Mozilla\Firefox\Profiles\qaurd1x0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=55555
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 11536
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 11536
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 11536
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 11536
FF - prefs.js: network.proxy.type - 0
FF - user.js: protocol-handler.warn-external.dnUpdate - false
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1338443668-846065355-974167902-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:21,88,68,61,66,d5,35,e4,b7,c5,6a,2f,15,55,a4,7a,45,55,3b,d5,75,31,69,
cc,2d,4a,31,52,d8,3e,6e,cf,5b,5f,0c,2e,c9,48,50,70,5a,49,98,2a,26,be,a6,e6,\
"??"=hex:fe,94,16,33,a2,f0,68,4b,6b,9d,81,d8,7c,85,bb,9d
.
[HKEY_USERS\S-1-5-21-1338443668-846065355-974167902-1000_Classes\CLSID\{01680c4a-b31f-45d3-8be1-b859b4623e35}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000028
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-1338443668-846065355-974167902-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):1b,d8,92,eb,22,77,b1,b4,34,91,07,25,ff,2e,77,3c,bb,80,33,ab,b8,
d7,2f,07,46,07,e5,b1,19,39,ef,99,67,03,07,de,17,77,9b,1a,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3148)
c:\program files\Babylon\Babylon-Pro\Captlib.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
.
Completion time: 2012-03-28 00:10:17
ComboFix-quarantined-files.txt 2012-03-27 19:40
ComboFix2.txt 2012-03-27 19:14
.
Pre-Run: 49,012,285,440 bytes free
Post-Run: 48,951,115,776 bytes free
.
- - End Of File - - 68D5ADAE3F7FD65BAE8430E4B9A21E2C
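The proxy, DNS and UAC lines in a ComboFix log are the ones a responder reads first, and they are easy to miss in a wall of output. The script below is an added example written for this thread; it is not ComboFix's own code and the helper did not post it. SAMPLE is a constructed excerpt of lines copied from the log above, and which settings count as "review items" is the script's own assumption: it lists settings that need an explanation, not verdicts about the machine.

```python
"""Triage the policy and 'Supplementary Scan' sections of a ComboFix log.

Added example for this thread, not ComboFix's own code. SAMPLE is a
constructed excerpt of lines copied from the log posted above. What counts
as a 'review item' below is this script's assumption.
"""
import re

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:11536
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{EB069C30-DB0F-4DAE-83D4-466F9A5FEFE4}: NameServer = 8.4.4.8,3.2.2.3
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 11536
FF - prefs.js: network.proxy.type - 0
"""

POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"


def parse_registry_blocks(text):
    """Map each '[HKEY_...]' block to its {value_name: raw_value} pairs.
    A lone '.' line is ComboFix's block separator."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            blocks[current] = {}
        elif line == ".":
            current = None
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            blocks[current][name.strip().strip('"')] = value.strip()
    return blocks


def reg_int(raw, default=None):
    """Decode the two numeric spellings ComboFix uses: '0 (0x0)' and 'dword:00000001'."""
    if raw is None:
        return default
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group(0)) if m else default


def parse_supplementary(text):
    """Pull the IE proxy, Firefox proxy prefs and DNS lines out of the log."""
    out = {"ie_proxy": None, "ff": {}, "dhcp_dns": [], "static_dns": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("uInternet Settings,ProxyServer ="):
            out["ie_proxy"] = line.split("=", 1)[1].strip()
        elif line.startswith("TCP: DhcpNameServer ="):
            out["dhcp_dns"] = line.split("=", 1)[1].split()
        elif line.startswith("TCP: Interfaces\\") and "NameServer =" in line:
            out["static_dns"] += line.split("=", 1)[1].replace(",", " ").split()
        elif line.startswith("FF - prefs.js: network.proxy."):
            key, _, val = line[len("FF - prefs.js: "):].partition(" - ")
            out["ff"][key.strip()] = val.strip()
    return out


def review(text):
    """Return human-readable review items for a log excerpt."""
    items = []
    for key, values in parse_registry_blocks(text).items():
        lower = key.lower()
        if lower == POLICY_KEY and reg_int(values.get("EnableLUA"), 1) == 0:
            items.append("UAC is off (EnableLUA=0): Administrators run with a full admin token")
        if "\\security center\\monitoring\\" in lower and reg_int(values.get("DisableMonitoring"), 0) == 1:
            items.append("Security Center monitoring disabled for " + key.rsplit("\\", 1)[1])
    sup = parse_supplementary(text)
    if sup["ie_proxy"]:
        host, _, port = sup["ie_proxy"].partition(":")
        if host in ("127.0.0.1", "localhost"):
            items.append(f"IE proxies through a loopback listener on port {port}: identify the local process behind it")
    ff = sup["ff"]
    if ff.get("network.proxy.type") == "0" and any(k.split(".")[-1] in ("http", "ssl", "socks", "ftp") for k in ff):
        items.append("Firefox has proxy host/port prefs but network.proxy.type=0 (direct), so they are inert")
    static, dhcp = set(sup["static_dns"]), set(sup["dhcp_dns"])
    if static - dhcp:
        items.append("static DNS " + ", ".join(sorted(static - dhcp)) + " overrides DHCP-assigned "
                     + ", ".join(sorted(dhcp)) + ": confirm it is intended")
    return items


if __name__ == "__main__":
    for item in review(SAMPLE):
        print("-", item)
```

Run against a whole ComboFix.txt the same functions work unchanged; the excerpt above is only to keep the example self-contained. Note that the Firefox check distinguishes prefs that are merely present from prefs that are in effect: with network.proxy.type set to 0, Firefox connects directly and the 127.0.0.1 entries do nothing, whereas the IE ProxyServer line is live.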
Pardon me, in drive (C), I click on the Documents and Settings folder and it shows an error that says it is not accessible, and there is a lock on it,
and also in drive (D) the System Volume Information folder has the same problem; otherwise in drive (C) I had this problem and it seems that it has been fixed now.

Is it normal?

Download HostsXpert

•Unzip HostXpert to your Desktop

•Open up the HostXpert program.

•Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.

•Click Create Back Up

•Then click on Restore Microsoft's Host Files

•Close the HostXpert program
*******************************************
Quote
Pardon me, in drive (C), I click on the Documents and Settings folder and it shows an error that says it is not accessible, and there is a lock on it,
and also in drive (D) the System Volume Information folder has the same problem; otherwise in drive (C) I had this problem and it seems that it has been fixed now.
Is it normal?
It was probably caused by an infection.

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
One question has remained: there is an error in SysProt, it says "error scanning SSDT hooks", then I click OK and it runs, of course, and follows the structures.

Is this error normal?

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\sprf.sys
Service Name: ---
Module Base: 84AB6000
Module End: 84BB7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\a26x65ir.SYS
Service Name: ---
Module Base: 96F9B000
Module End: 96FD3000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 91216000
Module End: 913CB000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
Service Name: ---
Module Base: 9654B000
Module End: 9655C000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup\Catalog\BackupGlobalCatalog
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup\Catalog\GlobalCatalog
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup\Catalog
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache\{07cef2ff-c079-4635-a68e-99dc61f91b6f}
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\namespace
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\pq
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\sm
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\temp
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
Status: Access denied
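The SysProt output above lists four hidden kernel modules with no service name, and the helper's next step was to ask SystemLook whether one of them, a26x65ir.SYS, exists on disk. The script below is an added example for this thread; it is not SysProt's or SystemLook's own code and the helper did not post it. SAMPLE is a constructed excerpt of entries copied from the log above. Skipping "dump_" modules is the script's own assumption: Windows loads crash-dump copies of the boot storage stack under that prefix with no service entry, so they routinely appear as hidden in rootkit-scanner output.

```python
"""Triage the 'Kernel Modules' section of a SysProt AntiRootkit log and draft
the SystemLook ':filefind' request that confirms whether the flagged files
exist on disk.

Added example for this thread, not SysProt's or SystemLook's own code.
SAMPLE is a constructed excerpt of entries copied from the log above.
Treating 'dump_*' modules as expected is this script's assumption (crash-dump
copies of the storage stack, loaded without a service entry).
"""

SAMPLE = r"""
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\sprf.sys
Service Name: ---
Module Base: 84AB6000
Module End: 84BB7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\a26x65ir.SYS
Service Name: ---
Module Base: 96F9B000
Module End: 96FD3000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 91216000
Module End: 913CB000
Hidden: Yes
"""

EXPECTED_PREFIXES = ("dump_",)  # assumption, see module docstring


def parse_modules(text):
    """Parse the 'Key: value' records (separated by blank lines) into dicts."""
    modules, current = [], {}

    def flush():
        if "name" in current:
            current["size"] = current["end"] - current["base"]
            modules.append(dict(current))
        current.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()
            continue
        key, sep, value = line.partition(": ")
        if not sep:  # section headers such as 'Kernel Modules:'
            continue
        if key == "Module Name":
            current["name"] = value
            current["basename"] = value.rsplit("\\", 1)[-1]
        elif key == "Service Name":
            current["service"] = None if value == "---" else value
        elif key == "Module Base":
            current["base"] = int(value, 16)
        elif key == "Module End":
            current["end"] = int(value, 16)
        elif key == "Hidden":
            current["hidden"] = value == "Yes"
    flush()
    return modules


def unexplained_modules(modules, expected_prefixes=EXPECTED_PREFIXES):
    """Hidden modules with no service entry whose name is not an expected
    transient driver; these are the ones worth confirming on disk."""
    return [m["basename"] for m in modules
            if m.get("hidden") and m.get("service") is None
            and not m["basename"].lower().startswith(expected_prefixes)]


def systemlook_filefind(basenames):
    """Build the text pasted into SystemLook: the directive, then one name per line."""
    return ":filefind\n" + "\n".join(basenames)


if __name__ == "__main__":
    mods = parse_modules(SAMPLE)
    for m in mods:
        print(f"{m['basename']:<20} {m['size'] // 1024:>6} KiB  hidden={m['hidden']}  service={m['service']}")
    print(systemlook_filefind(unexplained_modules(mods)))
```

The listing only says what to look for, not what a module is: in the thread, SystemLook then reported "No files found" for a26x65ir.SYS, which is why the helper moved on to an on-demand scanner rather than deleting anything by name.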
Please download SystemLook from one of the links below and save it to your desktop.

Link # 1
Link # 2

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click SystemLook.exe to run it.

Copy the contents of the following codebox into the main textfield.
Code:
:filefind
a26x65ir.SYS

Click the Look button to start the scan.

Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
*******************************************
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these STEPS)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
SystemLook 30.07.11 by jpshortstuff
Log created at 11:07 on 29/03/2012 by Saeid
Administrator - Elevation successful

========== filefind ==========

Searching for "a26x65ir.SYS"
No files found.

-= EOF =-

[emailprotected] as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=36882
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a71137f0d49da94288a404b30554ff76
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-29 11:21:52
# local_time=2012-03-29 03:51:52 (+0330, Iran Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1280 16777215 100 0 11646693 11646693 0 0
# compatibility_mode=5893 16776573 100 94 180509 84641902 0 0
# compatibility_mode=8192 67108863 100 0 10863 10863 0 0
# scanned=148384
# found=4
# cleaned=4
# scan_time=7601
C:\Program Files\Babylon\Babylon-Pro\Utils\MyBabylonTB.exe  a variant of Win32/Toolbar.Babylon application (deleted - quarantined)  00000000000000000000000000000000  C
C:\Program Files\Babylon\BabylonToolbar\1.4.19.5\BabylonToolbarApp.dll  a variant of Win32/Toolbar.Babylon application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
C:\Program Files\Babylon\BabylonToolbar\1.4.19.5\BabylonToolbarsrv.exe  probably a variant of Win32/Toolbar.Babylon application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
D:\Software\Nero 9.4.13.2b.rar  probably a variant of Win32/Agent.KQNXJLO trojan (deleted - quarantined)  00000000000000000000000000000000  C
[emailprotected] as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a71137f0d49da94288a404b30554ff76
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-29 03:21:11
# local_time=2012-03-29 07:51:11 (+0330, Iran Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1280 16777215 100 0 11655368 11655368 0 0
# compatibility_mode=5893 16776573 100 94 189184 84650577 0 0
# compatibility_mode=8192 67108863 100 0 19538 19538 0 0
# scanned=216225
# found=8
# cleaned=8
# scan_time=13285
H:\english file aminuuuu\base\video learning, babylon-maccaro, picture dictionary\AutoPlay\Docs\5\babylon-Maccro\01-Babylon Pro v8.0.10 (r16)\Babylon8_setup.exe  a variant of Win32/Toolbar.Babylon application (deleted - quarantined)  00000000000000000000000000000000  C
H:\Programs\cnet_fences_public_exe.exe  a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
H:\Programs\SweetImSetup.exe  a variant of Win32/SweetIM.B application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
H:\Programs\Babylon Pro\Babylon9 Setup www.FDL.ir.exe  a variant of Win32/Toolbar.Babylon application (deleted - quarantined)  00000000000000000000000000000000  C
H:\SAEID-PC\Backup Set 2011-11-27 222550\Backup Files 2011-11-27 222550\Backup files 1.zip  a variant of Win32/Adware.MediaFinder.A application (deleted - quarantined)  00000000000000000000000000000000  C
H:\SAEID-PC\Backup Set 2011-11-27 222550\Backup Files 2011-11-27 222550\Backup files 8.zip  a variant of Win32/Toolbar.Babylon application (deleted - quarantined)  00000000000000000000000000000000  C
H:\software\BabylonPro-902(www.vatandownload.com).rar  a variant of Win32/Toolbar.Babylon application (deleted - quarantined)  00000000000000000000000000000000  C
H:\software\Office 2010 Activator (www.Downloadha.com).rar  Win32/HackKMS.A application (deleted - quarantined)  00000000000000000000000000000000  C
Here are the logs, what should I do now? Thanks a lot.

If there are no other issues, we can do some cleanup.

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall


(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide system files and folders, and reset System Restore.
*********************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*******************************************************
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
****************************************************
Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
***************************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla BASED browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe SURFING!

SuperDave, I think I have a problem; as I said in a reply, the System Volume Information folder is not accessible in all my drives,
except drive E. I still have this problem!

I don't know what this is; I have no idea, these folders didn't exist before!

Wow, it seems that this problem is solved too. Thanks!
I truly appreciate your time and effort.

You're welcome. I will lock this thread. If you need it re-opened, please send me a PM.

