Hello friends,

Recently my system got affected with some virus in the name Not-A-Virus.Monitor.Win32.Ardamax.ae. When I scan my system with AVG it shows C:\windows\system32\28463\svchost.exe has been infected. It deleted the file. But it reappears immediately.

I could not access "msconfig" and "regedit". Every time I restart my system, AVG Anti-Spyware shows a pop-up of this virus and asks me to either "clean" or "ignore". But the clean option doesn't make any improvement.

I am pasting here my HijackThis log file. Please tell me what I can do. Your early reply is solicited.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:25 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 10624 bytes

Thanks
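A triage script for HijackThis log lines like the ones posted in this thread, added here as an example (it is not part of the thread and not HijackThis's own code). It flags the F2 Shell= line (an extra program loaded with the shell, or the empty value that appears in the later logs), the O7 DisableRegedit policy, BHO registrations with no file, Run entries that load the same file as the Shell= line, and core Windows binary names living outside the real system directory. The sample lines are copied from the first posted log, except the `[svchost]` Run entry, which is constructed from the path AVG reported.

```python
"""Triage HijackThis (HJT) log lines for the persistence indicators discussed
in this thread.  Added example: not part of the thread and not HJT's own code."""
import ntpath
import re
from typing import List, Optional, Tuple

# Sample input: lines copied from the first log in the thread, plus one
# constructed O4 entry ([svchost]) modelling the path AVG reported.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system32\28463\svchost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Core Windows binary names; a file with one of these names outside the real
# system directories (e.g. the numbered subfolder AVG flagged) is a masquerade.
SYSTEM_BINARY_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe",
                       "services.exe", "csrss.exe", "explorer.exe"}
REAL_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}


def split_entry(line: str) -> Optional[Tuple[str, str]]:
    """'O4 - HKLM\\..\\Run: [x] y' -> ('O4', 'HKLM\\..\\Run: [x] y'); None if not HJT."""
    m = re.match(r"^([A-Z]\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def shell_programs(body: str) -> List[str]:
    """Programs on an F2 Shell= line other than Explorer.exe (lower-cased)."""
    value = body.split("Shell=", 1)[1] if "Shell=" in body else ""
    return [t.lower() for t in value.split() if t.lower() != "explorer.exe"]


def shell_findings(body: str) -> List[str]:
    """Winlogon's shell should be exactly Explorer.exe: flag extras or an empty value."""
    if "Shell=" in body and not body.split("Shell=", 1)[1].split():
        return ["Shell value is empty; Explorer.exe expected"]
    return [f"extra program loaded with the shell: {p}" for p in shell_programs(body)]


def parse_run_entry(body: str) -> Optional[Tuple[str, str]]:
    """O4 body '[label] target [args]' -> (label, target path); None without a label."""
    m = re.search(r"\[(?P<label>[^\]]*)\]\s*(?P<rest>.+)$", body)
    if not m:
        return None
    rest = m.group("rest").strip().lstrip('~"')   # HJT sometimes prefixes ~ or quotes
    p = re.match(r"(.+?\.exe)\b", rest, re.IGNORECASE)
    return m.group("label"), (p.group(1) if p else rest)


def masquerading_system_binary(path: str) -> bool:
    """True when a core Windows binary name lives outside the real system directory."""
    directory, name = ntpath.split(path)
    return name.lower() in SYSTEM_BINARY_NAMES and directory.lower() not in REAL_SYSTEM_DIRS


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every entry that deserves a closer look."""
    entries = [(ln.strip(), split_entry(ln)) for ln in log_text.splitlines() if ln.strip()]
    findings: List[Tuple[str, str]] = []
    riders = set()   # programs riding on the Shell= line, cross-checked against Run keys
    for line, parsed in entries:
        if parsed and parsed[0] == "F2" and "Shell=" in parsed[1]:
            findings.extend((line, r) for r in shell_findings(parsed[1]))
            riders.update(shell_programs(parsed[1]))
    for line, parsed in entries:
        if not parsed:
            continue
        section, body = parsed
        if section == "O7":
            findings.append((line, "policy restriction: " + body.rsplit(", ", 1)[-1]))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((line, "orphaned BHO registration; nothing to load, safe to remove"))
        elif section in ("O4", "O23"):
            run = parse_run_entry(body) if section == "O4" else None
            path = run[1] if run else body.rsplit(" - ", 1)[-1]
            name = ntpath.basename(path).lower()
            if name in riders:
                findings.append((line, f"{name} also persists on the Shell= line"))
            if masquerading_system_binary(path):
                findings.append((line, f"{name} outside the real system directory"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it against a full saved HJT log by passing the file contents to `triage()`; the empty `Shell=` value from the later posts is reported as a finding of its own.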

4 Contributors, 56 Replies, 57 Views, 9 Years Discussion Span, Last Post by crunchie

Have HijackThis fix these entries:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

Have HijackThis fix these entries:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

Hello sir,
Thanks very much for your reply. I tried to fix the above entries. Now "msconfig" works. But even after I select Fix in HijackThis, my registry is not opening. The value is still "1" and not changing to "0". Please tell me how to solve this.

Also my Yahoo Messenger is not working. I am unable to sign in to my account. This also happened after the attack of the above virus. Please help me.


Thankss !!!

I have some other problems also because of this spyware/malware "Ardamax":

1. Since my Yahoo Messenger didn't work, I uninstalled it and tried to reinstall. But it is not getting installed. It is not able to connect for the web install.

2. I use AVG Antivirus and AVG Anti-Spyware. Both cannot update via the internet. It is saying "Update server connection failed".

3. So I thought of running online scans. I tried F-Secure, Kaspersky and Panda. But while starting the scan, all the above scanners try to install ActiveX, and there is a failure in installing ActiveX.

4. Still my Registry Editor does not work. I tried changing the value from "1" to "0". But it shows a warning message saying "Cannot edit DisplayRegistryTools: Error writing the value's new contents."

I am totally helpless. Please someone help me to come out of this problem. :'(

Sorry I didn't get to you sooner. Ardamax is a keylogger that records your keystrokes and sends them to its owner. I would suggest not entering any personal info (credit card numbers etc.) while you still have the infection. Download Spybot S&D from here:

http://www.safer-networking.org/en/mirrors/index.html

After you download it, have it scan and then fix any malware it finds.

Sorry I didn't get to you sooner. Ardamax is a keylogger that records your keystrokes and sends them to its owner. I would suggest not entering any personal info (credit card numbers etc.) while you still have the infection. Download Spybot S&D from here:

http://www.safer-networking.org/en/mirrors/index.html

After you download it, have it scan and then fix any malware it finds.

Hi. Thanks for the reply. I downloaded Spybot, but it's not getting installed. It's showing an error saying "Error sending request. A connection with the server could not be established".

What can I do? Please tell me.

I am sending you the recent HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:20 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 10697 bytes

THANKS !!!!

Have HijackThis fix these entries and then try to download it again:

F2 - REG:system.ini: Shell=

O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/acti...wareScanner.ocx

Hi. Thanks for the reply. I tried to fix those entries. The 2nd one got fixed, but the 1st entry (F2 - REG:system.ini: Shell=) could not be fixed. It's coming back again and again. Still I am not able to connect to the server for the Spybot installation. My AVG antivirus also cannot connect to the server for virus updates.

This is my recent HJT log file. Please let me know what can be done next!!

Thanks very much.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:28 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 10461 bytes

0

Can you please do the following.

Scan with HijackThis and then place a check next to all the following, if present:

 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank  
 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =   

 O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file) 

 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE 

 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1  
    ...(Unless you've restricted the use of registry editing, have HiJackThis fix this.)

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

Search for...

ALCMTR.EXE

using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're "in use", try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.
  • Select the first option to run Windows in Safe Mode and hit Enter.

-

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


0

Hi. Thanks for the reply. I followed the procedure you mentioned. I fixed all of the above-mentioned 5 entries, but I am not sure it was successful, because I had already fixed "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1" and there was no change. Here is the log from ComboFix.

ComboFix 08-03-13.4 - computer 2008-03-14 17:35:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.462 [GMT 5.5:30]
Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\system32\vfl1h75.dll
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 20:09 . 2008-03-13 20:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03 <DIR> d-------- C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 20:20 . 2008-03-13 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 20:20 . 2008-03-10 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-10 20:13 . 2008-01-31 00:46 616,609 -rahs---- C:\WINDOWS\system32\svchost .exe
2008-03-10 20:13 . 2008-01-31 00:46 616,609 -rahs---- C:\WINDOWS\system32\regsvr.exe
2008-03-10 19:34 . 1998-06-19 12:23 270,848 --a------ C:\WINDOWS\UNWISE32.EXE
2008-03-06 18:47 . 2008-03-11 18:18 <DIR> d-------- C:\Program Files\Macrogaming
2008-03-06 18:03 . 2008-03-06 18:03 <DIR> d-------- C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-06 15:11 . 2008-03-06 15:12 1,045 --a------ C:\temp.avs
2008-03-06 15:11 . 2008-03-06 15:12 55 --a------ C:\WINDOWS\param.ini
2008-03-06 15:09 . 2004-02-23 21:41 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-06 15:09 . 2005-10-08 01:14 308,224 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-06 15:09 . 2006-05-11 09:43 163,496 --a------ C:\WINDOWS\system32\help.chm
2008-03-06 15:09 . 2006-05-11 09:41 80 --a------ C:\WINDOWS\system32\Home Page.url
2008-03-04 00:45 . 2008-03-04 00:47 <DIR> d-------- C:\Program Files\Free Video Converter
2008-03-03 00:37 . 2008-03-14 14:32 <DIR> d-------- C:\divx
2008-03-01 03:44 . 2008-03-05 00:25 <DIR> d-------- C:\Documents and Settings\computer\Application Data\dvdcss
2008-03-01 02:45 . 2008-03-01 02:45 42,612 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-27 09:07 . 2008-02-27 09:07 <DIR> d-------- C:\Documents and Settings\computer\Application Data\Grisoft
2008-02-27 09:07 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 06:52 . 2008-02-26 06:52 <DIR> d-------- C:\Program Files\PCZeitschaltuhr
2008-02-26 06:52 . 2008-02-27 13:44 <DIR> d-------- C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-23 15:33 . 2007-04-23 05:45 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-02-23 15:33 . 2007-04-23 05:45 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-23 15:33 . 2007-04-23 05:45 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-16 02:01 . 2008-02-16 02:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PDFcreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 11:51 --------- d-----w C:\Documents and Settings\computer\Application Data\AVG7
2008-03-14 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 17:18 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 16:02 --------- d-----w C:\Documents and Settings\computer\Application Data\DMCache
2008-03-07 12:48 --------- d-----w C:\Documents and Settings\computer\Application Data\MegauploadToolbar
2008-03-06 14:00 --------- d-----w C:\Program Files\ANSYS Inc
2008-03-02 08:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-01 05:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 21:51 --------- d-----w C:\Program Files\Picasa2
2008-02-27 09:33 --------- d-----w C:\Program Files\Nokia
2008-02-27 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 10:15 --------- d-----w C:\Documents and Settings\computer\Application Data\DivX
2008-02-23 10:03 --------- d-----w C:\Program Files\DivX
2008-02-20 21:49 --------- d-----w C:\Documents and Settings\computer\Application Data\uTorrent
2008-02-10 09:56 --------- d-----w C:\Documents and Settings\computer\Application Data\IDM
2008-02-02 19:35 --------- d-----w C:\Documents and Settings\computer\Application Data\U3
2008-01-16 16:52 --------- d-----w C:\Documents and Settings\computer\Application Data\PC Suite
2008-01-16 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-16 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-01-16 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 16:43 --------- d-----w C:\Program Files\IVT Corporation
2008-01-15 17:31 --------- d-----w C:\Documents and Settings\computer\Application Data\Nokia
2008-01-15 17:29 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-01-15 17:29 --------- d-----w C:\Program Files\DIFX
2008-01-15 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-12-23 16:47 32,232 ----a-w C:\license.dat
2007-12-16 17:58 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-09-23 12:59 52,768 ----a-w C:\Documents and Settings\computer\Application Data\GDIPFONTCACHEV1.DAT
.

--sha-r           616,609 2008-01-30 19:16:02  C:\WINDOWS\system32\svchost .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Crammer"="C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-25 12:21 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-25 12:21 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-25 12:21 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-05 13:20 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" [2001-03-22 20:48 192512]
"UDC Integration"="" []
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 15:30 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 08:44 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\computer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
C:\Program Files\BitDownload\BitDownload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-29 19:49 2532784 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-10 21:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:04]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e6491b-4cc8-11dc-9494-0019d187a3cf}]
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\explore\Command - I:\188qsm.bat
\Shell\open\Command - I:\188qsm.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-14 11:30:00 C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job"
- c:\docume~1\computer\applic~1\chicproc\Acid the idol.exe
"2008-03-01 14:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-12 02:38:21 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 17:36:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-14 17:36:42
ComboFix-quarantined-files.txt 2008-03-14 12:06:40
.
2008-02-13 18:30:05 --- E O F ---


Thanks

0

Please save that log to post in your next reply along with a fresh HJT log

Please do that too next time.

==

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

RENV::
--sha-r 616,609 2008-01-30 19:16:02 C:\WINDOWS\system32\svchost .exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif


7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0

Hey Guys,

The first HJT log shows the following baddie:
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe

This is probably responsible for the initial issues and may well be stealthed and still active....

Just a "heads up" in case you didn't look back that far.

-- Also, be advised that you have been exposed to an infected USB drive somewhere along the way. You may want to check your portable storage devices. If memory serves, sUBs has a "cleaner" for these....

PP :)
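The indicators called out in this thread (a system.ini Shell= value carrying a second executable, Run entries pointing at look-alikes of system binaries such as regsvr.exe and "svchost .exe", the DisableRegedit policy that locked the poster out of regedit, and the removable-drive autorun commands under MountPoints2) can be screened mechanically before a helper reads the log by eye. The following Python script is an added example written for this page, not a tool from the thread or from the HijackThis/ComboFix authors. Its sample lines are constructed after the log excerpts above (the "[svchost Agent]" Run entry is invented), and the system-binary list, the 0.85 similarity threshold and the flagged extension list are assumptions of the example, not something the thread states.

```python
import re
from difflib import SequenceMatcher

# Windows binaries whose names malware commonly imitates (assumed list, not from the thread).
SYSTEM_BINARIES = {
    "svchost.exe", "regsvr32.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "csrss.exe", "smss.exe", "explorer.exe", "ctfmon.exe",
}
# Similarity above which a Run-key file name is reported as a look-alike (assumed threshold).
LOOKALIKE_RATIO = 0.85
# Autorun targets with these extensions are scripts or DOS executables, not normal launchers.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".com", ".pif", ".scr", ".vbs")

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
RUN_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^O7 - .*DisableRegedit=1")
AUTORUN_RE = re.compile(
    r"^\\Shell\\(?:AutoRun|Auto|open|explore)\\command - (?P<target>.+)$", re.IGNORECASE)


def check_shell_value(line):
    """F2: the system.ini Shell= value should name Explorer.exe and nothing else."""
    m = SHELL_RE.match(line)
    if not m:
        return None
    extras = [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
    return f"Shell= carries extra executable(s): {', '.join(extras)}" if extras else None


def check_run_entry(line):
    """O4: report Run-key targets whose file name imitates a Windows system binary."""
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        path = cmd[1:cmd.find('"', 1)]
    else:                                          # unquoted path, drop any /switches
        path = re.sub(r"\s+/\S.*$", "", cmd)
    raw = path.rsplit("\\", 1)[-1].lower()
    squashed = raw.replace(" ", "")
    if squashed in SYSTEM_BINARIES and squashed != raw:
        return f"whitespace inserted into system binary name {squashed!r}"
    if raw in SYSTEM_BINARIES:
        return None
    best = max(SYSTEM_BINARIES, key=lambda legit: SequenceMatcher(None, raw, legit).ratio())
    if SequenceMatcher(None, raw, best).ratio() >= LOOKALIKE_RATIO:
        return f"file name {raw!r} resembles system binary {best!r}"
    return None


def check_policy(line):
    """O7: a DisableRegedit=1 policy is what keeps regedit from opening."""
    return "registry editor disabled by policy (DisableRegedit=1)" if POLICY_RE.match(line) else None


def check_autorun(line):
    """MountPoints2: flag autorun commands that look like removable-drive worms."""
    m = AUTORUN_RE.match(line)
    if not m:
        return None
    target = m.group("target").strip()
    first = target.split()[0]
    if "ShellExec_RunDLL" in target:
        return "indirect launch through rundll32 ShellExec_RunDLL"
    if not re.match(r"^[A-Za-z]:\\", first):
        return f"relative target {first!r} resolves on whatever drive is inserted"
    if first.lower().endswith(SCRIPT_EXTENSIONS):
        return f"autorun points at a script/DOS executable {first!r}"
    return None


CHECKS = (check_shell_value, check_run_entry, check_policy, check_autorun)


def triage(log_text):
    """Return (line, reason) pairs for every line that trips one of the checks."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append((line, reason))
                break
    return findings


# Constructed sample modelled on the HijackThis and ComboFix excerpts in this thread;
# the "[svchost Agent]" Run entry is invented to exercise the whitespace check.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\svchost .exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
\Shell\AutoRun\command - I:\LaunchU3.exe -a
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\open\Command - G:\ntde1ect.com
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it on a saved HijackThis log plus the MountPoints2 section of a ComboFix log (paste both into one text file) and it lists only the lines worth a second look; the legitimate ctfmon.exe and avgcc.exe entries and the U3 launcher on I: pass through silently. The look-alike test is a triage heuristic, so an unusual but legitimate file name can score above the threshold; the output is a list of things to verify against the file's signature and location, not a verdict.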

0

Hi. I'm sending you the HijackThis log and ComboFix log as attachments. Please look at those. What can be done about the baddies mentioned by PhilliePhan in the previous post? One more thing: whenever I run ComboFix, it looks as if all my problems are getting solved, but after I restart my system twice the same problems exist, except that the registry is now working. But the connection to the servers keeps failing.

ComboFix 08-03-13.4 - computer 2008-03-15 9:17:23.3 - NTFSx86

Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\computer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-13 20:09 . 2008-03-13 20:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03 <DIR> d-------- C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 20:20 . 2008-03-13 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 20:20 . 2008-03-10 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-10 20:13 . 2008-01-31 00:46 616,609 -rahs---- C:\WINDOWS\system32\svchost .exe
2008-03-10 20:13 . 2008-01-31 00:46 616,609 -rahs---- C:\WINDOWS\system32\regsvr.exe
2008-03-10 19:34 . 1998-06-19 12:23 270,848 --a------ C:\WINDOWS\UNWISE32.EXE
2008-03-06 18:47 . 2008-03-11 18:18 <DIR> d-------- C:\Program Files\Macrogaming
2008-03-06 18:03 . 2008-03-06 18:03 <DIR> d-------- C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-06 15:11 . 2008-03-06 15:12 1,045 --a------ C:\temp.avs
2008-03-06 15:11 . 2008-03-06 15:12 55 --a------ C:\WINDOWS\param.ini
2008-03-06 15:09 . 2004-02-23 21:41 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-06 15:09 . 2005-10-08 01:14 308,224 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-06 15:09 . 2006-05-11 09:43 163,496 --a------ C:\WINDOWS\system32\help.chm
2008-03-06 15:09 . 2006-05-11 09:41 80 --a------ C:\WINDOWS\system32\Home Page.url
2008-03-04 00:45 . 2008-03-04 00:47 <DIR> d-------- C:\Program Files\Free Video Converter
2008-03-03 00:37 . 2008-03-14 14:32 <DIR> d-------- C:\divx
2008-03-01 03:44 . 2008-03-05 00:25 <DIR> d-------- C:\Documents and Settings\computer\Application Data\dvdcss
2008-03-01 02:45 . 2008-03-01 02:45 42,612 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-27 09:07 . 2008-02-27 09:07 <DIR> d-------- C:\Documents and Settings\computer\Application Data\Grisoft
2008-02-27 09:07 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 06:52 . 2008-02-26 06:52 <DIR> d-------- C:\Program Files\PCZeitschaltuhr
2008-02-26 06:52 . 2008-02-27 13:44 <DIR> d-------- C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-23 15:33 . 2007-04-23 05:45 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-02-23 15:33 . 2007-04-23 05:45 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-23 15:33 . 2007-04-23 05:45 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-16 02:01 . 2008-02-16 02:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PDFcreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 03:14 --------- d-----w C:\Documents and Settings\computer\Application Data\AVG7
2008-03-14 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 17:18 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 16:02 --------- d-----w C:\Documents and Settings\computer\Application Data\DMCache
2008-03-07 12:48 --------- d-----w C:\Documents and Settings\computer\Application Data\MegauploadToolbar
2008-03-06 14:00 --------- d-----w C:\Program Files\ANSYS Inc
2008-03-02 08:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-01 05:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 21:51 --------- d-----w C:\Program Files\Picasa2
2008-02-27 09:33 --------- d-----w C:\Program Files\Nokia
2008-02-27 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 10:15 --------- d-----w C:\Documents and Settings\computer\Application Data\DivX
2008-02-23 10:03 --------- d-----w C:\Program Files\DivX
2008-02-20 21:49 --------- d-----w C:\Documents and Settings\computer\Application Data\uTorrent
2008-02-10 09:56 --------- d-----w C:\Documents and Settings\computer\Application Data\IDM
2008-02-02 19:35 --------- d-----w C:\Documents and Settings\computer\Application Data\U3
2008-01-16 16:52 --------- d-----w C:\Documents and Settings\computer\Application Data\PC Suite
2008-01-16 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-16 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-01-16 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 16:43 --------- d-----w C:\Program Files\IVT Corporation
2008-01-15 17:31 --------- d-----w C:\Documents and Settings\computer\Application Data\Nokia
2008-01-15 17:29 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-01-15 17:29 --------- d-----w C:\Program Files\DIFX
2008-01-15 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-12-23 16:47 32,232 ----a-w C:\license.dat
2007-09-23 12:59 52,768 ----a-w C:\Documents and Settings\computer\Application Data\GDIPFONTCACHEV1.DAT
.

--sha-r           616,609 2008-01-30 19:16:02  C:\WINDOWS\system32\svchost .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Crammer"="C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-25 12:21 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-25 12:21 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-25 12:21 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-05 13:20 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" [2001-03-22 20:48 192512]
"UDC Integration"="" []
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 15:30 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 08:44 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\computer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
C:\Program Files\BitDownload\BitDownload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-29 19:49 2532784 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-10 21:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-11 18:16 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:04]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e6491b-4cc8-11dc-9494-0019d187a3cf}]
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\explore\Command - I:\188qsm.bat
\Shell\open\Command - I:\188qsm.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job"
- c:\docume~1\computer\applic~1\chicproc\Acid the idol.exe
"2008-03-01 14:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 09:21:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
.
**************************************************************************
.
Completion time: 2008-03-15 9:23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 03:53:33
ComboFix2.txt 2008-03-14 19:14:38
ComboFix3.txt 2008-03-14 12:06:43
.
2008-02-13 18:30:05 --- E O F ---


==============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:34 AM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 10131 bytes

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 10131 bytes

1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

File::
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job
RENV::
C:\WINDOWS\system32\svchost .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Crammer"=-

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==============

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files. Once the files are downloaded, click on Next.
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database: Extended

Scan Options: Scan Archives
Scan Mail Bases


Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Attachments CFScript.gif 27.09 KB Kas-SaveReport-1.gif 40.15 KB Kas-Savetxt.gif 2.56 KB
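A defender-side triage helper, added here as an example and not part of this thread, of HijackThis or of ComboFix: it walks a HijackThis-style log and flags the two patterns the CFScript above targets on this machine, a system binary name with a space in it ("svchost .exe") and an autostart entry launching from a user-writable folder (the Desktop "Crammer" entry). The sample log is constructed in the layout of the log posted above, and the rules and the expected-directory table are my assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass

# Windows binaries that malware commonly imitates, with the directory each
# is expected to run from on Windows XP (lower-cased). Assumed table, not
# anything HijackThis itself ships.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Folders a regular user can write to. An autostart entry launching from one
# of these is a lead worth checking, although legitimate software does it too.
USER_WRITABLE = ("\\desktop\\", "\\local settings\\temp\\", "\\application data\\")

# Constructed sample in HijackThis layout, modelled on the log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe
"""


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def check_process_path(path):
    """Return the look-alike findings for one executable path (empty if clean)."""
    findings = []
    directory, _, name = path.strip().lower().rpartition("\\")
    canonical = re.sub(r"\s+", "", name)  # "svchost .exe" -> "svchost.exe"
    # Rule 1: whitespace inside the file name. In a process list it reads like
    # the genuine binary, but to the OS it is an unrelated file.
    if canonical != name:
        findings.append(Finding(path, f"whitespace in file name, look-alike of {canonical}"))
    # Rule 2: a well-known system binary running from somewhere other than its home.
    expected = EXPECTED_DIR.get(canonical)
    if expected is not None and directory != expected:
        findings.append(Finding(path, f"{canonical} running outside {expected}"))
    return findings


def _path_from_o4(line):
    """Pull the executable path out of an 'O4 - ...: [name] <command>' line, quoted or not."""
    _, _, command = line.partition("] ")
    match = re.search(r"[a-z]:\\.*?\.exe", command, re.IGNORECASE)
    return match.group(0) if match else None


def scan_hijackthis(log_text):
    """Walk the 'Running processes' block and the O4 autostart entries of a HijackThis log."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_processes = True
        elif not line:
            in_processes = False  # the process block ends at the first blank line
        elif in_processes:
            findings.extend(check_process_path(line))
        elif line.startswith("O4 - "):
            path = _path_from_o4(line)
            if path is None:
                continue  # e.g. a bare "RTHDCPL.EXE" with no drive letter
            findings.extend(check_process_path(path))
            # Rule 3: autostart launched from a user-writable folder.
            if any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(Finding(path, "autostart entry launches from a user-writable folder"))
    return findings


if __name__ == "__main__":
    for finding in scan_hijackthis(SAMPLE_LOG):
        print(f"{finding.path}\n    -> {finding.reason}")
```

The rules produce leads, not verdicts: regsvr.exe in the sample is not flagged by any of them, which is why the helper still relied on the scanner results to identify it.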

Hi. Thanks again. I carried out all the scans. I am sending the scan report here.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 15, 2008 10:06:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/03/2008
Kaspersky Anti-Virus database records: 631406
-------------------------------------------------------------------------------


Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true


Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\


Scan Statistics:
Total number of scanned objects: 126067
Number of viruses found: 4
Number of infected objects: 69
Number of suspicious objects: 0
Duration of the scan process: 01:53:22


Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_VIBHAR.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_VIBHAR.log   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt   Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked    skipped
C:\Documents and Settings\computer\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\History\History.IE5\index.dat Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\History\History.IE5\MSHist012008031520080316\index.dat    Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\Temp\IMG11.tmp    Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\Temp\IMG3.tmp Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\Temp\Perflib_Perfdata_4f0.dat Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\Temp\Perflib_Perfdata_c10.dat Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat    Object is locked    skipped
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\computer\NTUSER.DAT   Object is locked    skipped
C:\Documents and Settings\computer\ntuser.dat.LOG   Object is locked    skipped
C:\Documents and Settings\LocalService\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked    skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked    skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked    skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked    skipped
C:\Program Files\ANSYS Inc\Shared Files\Licensing\license.log   Object is locked    skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir  Embedded: infected - 1  skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir  ASPack: infected - 1    skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost .exe.vir/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost .exe.vir    Embedded: infected - 1  skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost .exe.vir    ASPack: infected - 1    skipped
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038597.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038597.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038597.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038604.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038604.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038604.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038610.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038610.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038610.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038620.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038620.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038620.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038696.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038696.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038696.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038718.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038718.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038718.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038724.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038724.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038724.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038736.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038736.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038736.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038751.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038751.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038751.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038764.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038764.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038764.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP116\A0038786.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP116\A0038786.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP116\A0038786.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039786.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039786.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039786.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039799.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039799.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039799.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039807.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039807.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039807.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039826.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039826.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039826.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039834.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039834.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039834.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039845.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039845.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039845.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040491.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040491.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040491.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040492.exe/C:\svchost.exe   Infected: not-a-virus:Monitor.Win32.Ardamax.ae  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040492.exe  Embedded: infected - 1  skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040492.exe  ASPack: infected - 1    skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\change.log    Object is locked    skipped
C:\WINDOWS\CSC\00000001 Object is locked    skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked    skipped
C:\WINDOWS\SchedLgU.Txt Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked    skipped
C:\WINDOWS\Sti_Trace.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\edb.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb    Object is locked    skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\default  Object is locked    skipped
C:\WINDOWS\system32\config\default.LOG  Object is locked    skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked    skipped
C:\WINDOWS\system32\config\SAM  Object is locked    skipped
C:\WINDOWS\system32\config\SAM.LOG  Object is locked    skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked    skipped
C:\WINDOWS\system32\config\software Object is locked    skipped
C:\WINDOWS\system32\config\software.LOG Object is locked    skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\system   Object is locked    skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked    skipped
C:\WINDOWS\system32\h323log.txt Object is locked    skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked    skipped
C:\WINDOWS\wiadebug.log Object is locked    skipped
C:\WINDOWS\wiaservc.log Object is locked    skipped
C:\WINDOWS\WindowsUpdate.log    Object is locked    skipped
D:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
D:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\change.log    Object is locked    skipped
E:\Softwares setups\002\TorrentSoftware-4.2.0.0-setup-0260.exe/file02   Infected: not-a-virus:AdWare.Win32.Lop.bo   skipped
E:\Softwares setups\002\TorrentSoftware-4.2.0.0-setup-0260.exe/file13   Infected: Trojan.Win32.Obfuscated.en    skipped
E:\Softwares setups\002\TorrentSoftware-4.2.0.0-setup-0260.exe  Inno: infected - 2  skipped
E:\Softwares setups\DivX.Pro.UI\DivX Pro + DivX Player 6[1].6.0.rar/Keygen/KeyGen [ DivX Pro + DivX Player 6.6.0 ].exe  Infected: not-a-virus:PSWTool.Win32.GetPass.h   skipped
E:\Softwares setups\DivX.Pro.UI\DivX Pro + DivX Player 6[1].6.0.rar RAR: infected - 1   skipped
E:\Softwares setups\DivX.Pro.UI\Keygen\KeyGen [ DivX Pro + DivX Player 6.6.0 ].exe  Infected: not-a-virus:PSWTool.Win32.GetPass.h   skipped
E:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
E:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\change.log    Object is locked    skipped


Scan process completed.


--------------------------------------------------------------------------------------------------------------------------------


ComboFix 08-03-13.4 - computer 2008-03-15 19:18:34.4 - NTFSx86


Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\computer\Desktop\CFScript.txt
* Created a new restore point


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


FILE ::
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job


.
(((((((((((((((((((((((((   Files Created from 2008-02-15 to 2008-03-15  )))))))))))))))))))))))))))))))
.


2008-03-13 20:09 . 2008-03-13 20:18 <DIR>    d--------   C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13 <DIR>    d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07 <DIR>    d--------   C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03 <DIR>    d--------   C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42 <DIR>    d--------   C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42 <DIR>    d--------   C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06 1,495,552   --a------   C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------   C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50 72,264  --a------   C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 64,360  --a------   C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 52,136  --a------   C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50 34,152  --a------   C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06 280 --a------   C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 20:20 . 2008-03-13 21:29 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2008-03-10 20:20 . 2008-03-10 20:20 1,409   --a------   C:\WINDOWS\QTFont.for
2008-03-10 19:34 . 1998-06-19 12:23 270,848 --a------   C:\WINDOWS\UNWISE32.EXE
2008-03-06 18:47 . 2008-03-11 18:18 <DIR>    d--------   C:\Program Files\Macrogaming
2008-03-06 18:03 . 2008-03-06 18:03 <DIR>    d--------   C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-06 15:11 . 2008-03-06 15:12 1,045   --a------   C:\temp.avs
2008-03-06 15:11 . 2008-03-06 15:12 55  --a------   C:\WINDOWS\param.ini
2008-03-06 15:09 . 2004-02-23 21:41 719,872 --a------   C:\WINDOWS\system32\devil.dll
2008-03-06 15:09 . 2005-10-08 01:14 308,224 --a------   C:\WINDOWS\system32\avisynth.dll
2008-03-06 15:09 . 2006-05-11 09:43 163,496 --a------   C:\WINDOWS\system32\help.chm
2008-03-06 15:09 . 2006-05-11 09:41 80  --a------   C:\WINDOWS\system32\Home Page.url
2008-03-04 00:45 . 2008-03-04 00:47 <DIR>    d--------   C:\Program Files\Free Video Converter
2008-03-03 00:37 . 2008-03-14 14:32 <DIR>    d--------   C:\divx
2008-03-01 03:44 . 2008-03-05 00:25 <DIR>    d--------   C:\Documents and Settings\computer\Application Data\dvdcss
2008-03-01 02:45 . 2008-03-01 02:45 42,612  --ah-----   C:\WINDOWS\system32\mlfcache.dat
2008-02-27 09:07 . 2008-02-27 09:07 <DIR>    d--------   C:\Documents and Settings\computer\Application Data\Grisoft
2008-02-27 09:07 . 2007-05-30 17:40 10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 06:52 . 2008-02-26 06:52 <DIR>    d--------   C:\Program Files\PCZeitschaltuhr
2008-02-26 06:52 . 2008-02-27 13:44 <DIR>    d--------   C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-23 15:33 . 2007-04-23 05:45 129,784 ---------   C:\WINDOWS\system32\pxafs.dll
2008-02-23 15:33 . 2007-04-23 05:45 118,520 ---------   C:\WINDOWS\system32\pxinsi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 116,472 ---------   C:\WINDOWS\system32\pxcpyi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 2,560   ---------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-23 15:33 . 2007-04-23 05:45 2,432   ---------   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-16 02:01 . 2008-02-16 02:01 <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\PDFcreator


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 07:42    ---------   d-----w C:\Documents and Settings\computer\Application Data\AVG7
2008-03-14 04:46    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 17:18    ---------   d-----w C:\Program Files\Yahoo!
2008-03-12 16:02    ---------   d-----w C:\Documents and Settings\computer\Application Data\DMCache
2008-03-07 12:48    ---------   d-----w C:\Documents and Settings\computer\Application Data\MegauploadToolbar
2008-03-06 14:00    ---------   d-----w C:\Program Files\ANSYS Inc
2008-03-02 08:05    ---------   d-----w C:\Program Files\Windows Media Connect 2
2008-03-01 05:45    ---------   d-----w C:\Program Files\Common Files\Adobe
2008-02-29 21:51    ---------   d-----w C:\Program Files\Picasa2
2008-02-27 09:33    ---------   d-----w C:\Program Files\Nokia
2008-02-27 03:37    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 10:15    ---------   d-----w C:\Documents and Settings\computer\Application Data\DivX
2008-02-23 10:03    ---------   d-----w C:\Program Files\DivX
2008-02-20 21:49    ---------   d-----w C:\Documents and Settings\computer\Application Data\uTorrent
2008-02-10 09:56    ---------   d-----w C:\Documents and Settings\computer\Application Data\IDM
2008-02-02 19:35    ---------   d-----w C:\Documents and Settings\computer\Application Data\U3
2008-01-16 16:52    ---------   d-----w C:\Documents and Settings\computer\Application Data\PC Suite
2008-01-16 16:50    ---------   d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-16 16:46    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-01-16 16:43    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 16:43    ---------   d-----w C:\Program Files\IVT Corporation
2008-01-15 17:31    ---------   d-----w C:\Documents and Settings\computer\Application Data\Nokia
2008-01-15 17:29    ---------   d-----w C:\Program Files\PC Connectivity Solution
2008-01-15 17:29    ---------   d-----w C:\Program Files\DIFX
2008-01-15 17:28    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-12-23 16:47    32,232  ----a-w C:\license.dat
2007-09-23 12:59    52,768  ----a-w C:\Documents and Settings\computer\Application Data\GDIPFONTCACHEV1.DAT
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16 4670968]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-25 12:21 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-25 12:21 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-25 12:21 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-05 13:20 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" [2001-03-22 20:48 192512]
"UDC Integration"="" []
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 15:30 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 08:44 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:26 219136]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup


[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\computer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
C:\Program Files\BitDownload\BitDownload.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-29 19:49 2532784 C:\Program Files\Internet Download Manager\IDMan.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost Agent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-10 21:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 33792 C:\Program Files\Winamp\winampa.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-11 18:16 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server


R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:04]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e6491b-4cc8-11dc-9494-0019d187a3cf}]
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\explore\Command - I:\188qsm.bat
\Shell\open\Command - I:\188qsm.bat


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe


.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 14:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
.
**************************************************************************


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 19:22:24
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-03-15 19:23:52 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-15 13:53:49
ComboFix2.txt  2008-03-15 03:53:36
ComboFix3.txt  2008-03-14 19:14:38
ComboFix4.txt  2008-03-14 12:06:43
.
2008-02-13 18:30:05 --- E O F ---


------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:25 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE


--
End of file - 9695 bytes

Edited by happygeek: fixed formatting

Attachments
ComboFix 08-03-13.4 - computer 2008-03-15 19:18:34.4 - NTFSx86

Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\computer\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job

.
(((((((((((((((((((((((((   Files Created from 2008-02-15 to 2008-03-15  )))))))))))))))))))))))))))))))
.

2008-03-13 20:09 . 2008-03-13 20:18	<DIR>	d--------	C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07	<DIR>	d--------	C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03	<DIR>	d--------	C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42	<DIR>	d--------	C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42	<DIR>	d--------	C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06	1,495,552	--a------	C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50	170,408	--a------	C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50	72,264	--a------	C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50	64,360	--a------	C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50	52,136	--a------	C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50	34,152	--a------	C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06	280	--a------	C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 20:20 . 2008-03-13 21:29	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-03-10 20:20 . 2008-03-10 20:20	1,409	--a------	C:\WINDOWS\QTFont.for
2008-03-10 19:34 . 1998-06-19 12:23	270,848	--a------	C:\WINDOWS\UNWISE32.EXE
2008-03-06 18:47 . 2008-03-11 18:18	<DIR>	d--------	C:\Program Files\Macrogaming
2008-03-06 18:03 . 2008-03-06 18:03	<DIR>	d--------	C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-06 15:11 . 2008-03-06 15:12	1,045	--a------	C:\temp.avs
2008-03-06 15:11 . 2008-03-06 15:12	55	--a------	C:\WINDOWS\param.ini
2008-03-06 15:09 . 2004-02-23 21:41	719,872	--a------	C:\WINDOWS\system32\devil.dll
2008-03-06 15:09 . 2005-10-08 01:14	308,224	--a------	C:\WINDOWS\system32\avisynth.dll
2008-03-06 15:09 . 2006-05-11 09:43	163,496	--a------	C:\WINDOWS\system32\help.chm
2008-03-06 15:09 . 2006-05-11 09:41	80	--a------	C:\WINDOWS\system32\Home Page.url
2008-03-04 00:45 . 2008-03-04 00:47	<DIR>	d--------	C:\Program Files\Free Video Converter
2008-03-03 00:37 . 2008-03-14 14:32	<DIR>	d--------	C:\divx
2008-03-01 03:44 . 2008-03-05 00:25	<DIR>	d--------	C:\Documents and Settings\computer\Application Data\dvdcss
2008-03-01 02:45 . 2008-03-01 02:45	42,612	--ah-----	C:\WINDOWS\system32\mlfcache.dat
2008-02-27 09:07 . 2008-02-27 09:07	<DIR>	d--------	C:\Documents and Settings\computer\Application Data\Grisoft
2008-02-27 09:07 . 2007-05-30 17:40	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 06:52 . 2008-02-26 06:52	<DIR>	d--------	C:\Program Files\PCZeitschaltuhr
2008-02-26 06:52 . 2008-02-27 13:44	<DIR>	d--------	C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-23 15:33 . 2007-04-23 05:45	129,784	---------	C:\WINDOWS\system32\pxafs.dll
2008-02-23 15:33 . 2007-04-23 05:45	118,520	---------	C:\WINDOWS\system32\pxinsi64.exe
2008-02-23 15:33 . 2007-04-23 05:45	116,472	---------	C:\WINDOWS\system32\pxcpyi64.exe
2008-02-23 15:33 . 2007-04-23 05:45	2,560	---------	C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-23 15:33 . 2007-04-23 05:45	2,432	---------	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-16 02:01 . 2008-02-16 02:01	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\PDFcreator

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 9695 bytes
-------------------------------------------------------------------------------

 KASPERSKY ONLINE SCANNER REPORT
 Saturday, March 15, 2008 10:06:11 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 15/03/2008
 Kaspersky Anti-Virus database records: 631406
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	A:\
	C:\
	D:\
	E:\
	F:\
	G:\

Scan Statistics:
	Total number of scanned objects: 126067
	Number of viruses found: 4
	Number of infected objects: 69
	Number of suspicious objects: 0
	Duration of the scan process: 01:53:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_VIBHAR.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_VIBHAR.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\computer\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\History\History.IE5\MSHist012008031520080316\index.dat	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\Temp\IMG11.tmp	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\Temp\IMG3.tmp	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\Temp\Perflib_Perfdata_4f0.dat	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\Temp\Perflib_Perfdata_c10.dat	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat	Object is locked	skipped
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\computer\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\computer\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\ANSYS Inc\Shared Files\Licensing\license.log	Object is locked	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir/C:\svchost.exe	Infected: not-a-virus:Monitor.Win32.Ardamax.ae	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir	Embedded: infected - 1	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir	ASPack: infected - 1	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost .exe.vir/C:\svchost.exe	Infected: not-a-virus:Monitor.Win32.Ardamax.ae	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost .exe.vir	Embedde

I can see a couple of reasons there why you are infected: P2P software and key generators. Keygens will get you almost every time.

==

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

==

Is your "E" drive removable? If not, do the following:

1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

Folder::
E:\Softwares setups\002
E:\Softwares setups\DivX.Pro.UI

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply, after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==

If it is, you need to clean the crap off it. A good format should do it.

Attachments CFScript.gif 27.09 KB

Hi. Here are the recent log files of ComboFix and HJT. Now I have uninstalled the P2P software that was installed already in my system. Hope this is OK!!!

-----------------------------------------------------------------------------------------------------

ComboFix 08-03-13.4 - computer 2008-03-16 10:50:36.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.624 [GMT 5.5:30]
Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\computer\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Softwares setups\002
E:\Softwares setups\002\AVG_Anti-Virus_plus_Firewall_pro7.5.503_Build_1205__by_shanu.rar
E:\Softwares setups\DivX.Pro.UI
E:\Softwares setups\DivX.Pro.UI\DivX Pro + DivX Player 6[1].6.0.rar
E:\Softwares setups\DivX.Pro.UI\DivXInstaller.exe
E:\Softwares setups\DivX.Pro.UI\Keygen\KeyGen [ DivX Pro + DivX Player 6.6.0 ].exe
E:\Softwares setups\DivX.Pro.UI\Keygen\READ.TXT

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-15 19:50 . 2008-03-15 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-13 20:09 . 2008-03-13 20:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03 <DIR> d-------- C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 20:20 . 2008-03-13 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 20:20 . 2008-03-10 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-10 19:34 . 1998-06-19 12:23 270,848 --a------ C:\WINDOWS\UNWISE32.EXE
2008-03-06 18:47 . 2008-03-11 18:18 <DIR> d-------- C:\Program Files\Macrogaming
2008-03-06 18:03 . 2008-03-06 18:03 <DIR> d-------- C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-06 15:11 . 2008-03-06 15:12 1,045 --a------ C:\temp.avs
2008-03-06 15:11 . 2008-03-06 15:12 55 --a------ C:\WINDOWS\param.ini
2008-03-06 15:09 . 2004-02-23 21:41 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-06 15:09 . 2005-10-08 01:14 308,224 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-06 15:09 . 2006-05-11 09:43 163,496 --a------ C:\WINDOWS\system32\help.chm
2008-03-06 15:09 . 2006-05-11 09:41 80 --a------ C:\WINDOWS\system32\Home Page.url
2008-03-04 00:45 . 2008-03-04 00:47 <DIR> d-------- C:\Program Files\Free Video Converter
2008-03-03 00:37 . 2008-03-14 14:32 <DIR> d-------- C:\divx
2008-03-01 03:44 . 2008-03-05 00:25 <DIR> d-------- C:\Documents and Settings\computer\Application Data\dvdcss
2008-03-01 02:45 . 2008-03-01 02:45 42,612 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-27 09:07 . 2008-02-27 09:07 <DIR> d-------- C:\Documents and Settings\computer\Application Data\Grisoft
2008-02-27 09:07 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 06:52 . 2008-02-26 06:52 <DIR> d-------- C:\Program Files\PCZeitschaltuhr
2008-02-26 06:52 . 2008-02-27 13:44 <DIR> d-------- C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-23 15:33 . 2007-04-23 05:45 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-02-23 15:33 . 2007-04-23 05:45 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-23 15:33 . 2007-04-23 05:45 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-16 02:01 . 2008-02-16 02:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PDFcreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 04:29 --------- d-----w C:\Documents and Settings\computer\Application Data\AVG7
2008-03-14 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 17:18 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 16:02 --------- d-----w C:\Documents and Settings\computer\Application Data\DMCache
2008-03-07 12:48 --------- d-----w C:\Documents and Settings\computer\Application Data\MegauploadToolbar
2008-03-06 14:00 --------- d-----w C:\Program Files\ANSYS Inc
2008-03-02 08:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-01 05:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 21:51 --------- d-----w C:\Program Files\Picasa2
2008-02-27 09:33 --------- d-----w C:\Program Files\Nokia
2008-02-27 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 10:15 --------- d-----w C:\Documents and Settings\computer\Application Data\DivX
2008-02-23 10:03 --------- d-----w C:\Program Files\DivX
2008-02-20 21:49 --------- d-----w C:\Documents and Settings\computer\Application Data\uTorrent
2008-02-10 09:56 --------- d-----w C:\Documents and Settings\computer\Application Data\IDM
2008-02-02 19:35 --------- d-----w C:\Documents and Settings\computer\Application Data\U3
2008-01-16 16:52 --------- d-----w C:\Documents and Settings\computer\Application Data\PC Suite
2008-01-16 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-16 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-01-16 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 16:43 --------- d-----w C:\Program Files\IVT Corporation
2007-12-23 16:47 32,232 ----a-w C:\license.dat
2007-12-16 17:58 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-09-23 12:59 52,768 ----a-w C:\Documents and Settings\computer\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-03-14_17.36.30.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 06:57:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 10:17:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 10:19:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-25 12:21 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-25 12:21 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-25 12:21 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-05 13:20 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" [2001-03-22 20:48 192512]
"UDC Integration"="" []
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 15:30 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 08:44 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\computer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
C:\Program Files\BitDownload\BitDownload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-29 19:49 2532784 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-10 21:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-11 18:16 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:04]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e6491b-4cc8-11dc-9494-0019d187a3cf}]
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\explore\Command - I:\188qsm.bat
\Shell\open\Command - I:\188qsm.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 14:54:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 10:55:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-16 10:57:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 05:27:46
ComboFix2.txt 2008-03-15 03:53:36
ComboFix3.txt 2008-03-14 19:14:38
ComboFix4.txt 2008-03-14 12:06:43
.
2008-02-13 18:30:05 --- E O F ---

--------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:07 AM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 10278 bytes

-------------------------------------------------------------------------------------------------------

Thanks !!!

0

Hi. Now I understand that I am getting this problem only because of the USB pen drive. Once I run ComboFix with the given scripts, the server gets connected. But unknowingly I used the pen drive again and hence I got the problem again. After the last scan by ComboFix, I am able to update my AVG and even my ActiveX is getting installed (which is the only reason I was able to run the Kaspersky online scan). Please review my recent log files for any possible fixes to be done for the virus.

Since this problem is connected to pen drive usage, can I get any suggestion on how to write-protect it? I have a Transcend 2GB pen drive and I didn't get any software for that.

I also understand that this is another topic which should be posted separately. Since the spyware/malware/virus in this topic is connected with the USB drive, I am posting it here.

Thanks !!!

0
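The post above ties the reinfection to the pen drive, and the MountPoints2 block in the ComboFix log earlier in this thread shows the mechanism: Explorer caches each removable drive's autorun.inf verbs (AutoRun, open, explore) under the drive's GUID in HKCU\...\Explorer\MountPoints2, so the cached command runs again when that drive is opened, even after the file on C:\ has been deleted. The script below is an added example written for this page; it is not code from the original posts, nor from ComboFix or HijackThis. It parses that MountPoints2 dump (copied from the log above as constructed inline input) and flags the entries a helper would remove. The heuristics, the severity levels, the function names and the generated `reg delete` lines are this example's own assumptions; `reg.exe` itself ships with Windows XP.

```python
"""Triage of MountPoints2 autorun entries from a ComboFix-style dump.

Added example for this thread, not code from the original posts or from any
of the tools mentioned. Heuristics, severities and helper names are this
example's own choices.
"""
import os
import re

# Constructed sample input: the MountPoints2 block copied from the ComboFix log
# posted earlier in this thread, inlined so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd
"""

MP2_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
# Legitimate autorun menus are .exe; worms prefer .com/.cmd/.pif so the name
# mimics a system file (ntde1ect.com vs. ntdetect.com) or evades naive filters.
SCRIPT_EXT = {".com", ".cmd", ".bat", ".pif", ".scr", ".vbs", ".vbe", ".js"}


def parse_mountpoints(text):
    """Return {guid: {verb: command}} from a ComboFix-style MountPoints2 dump."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = {}
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            entries[current][verb.group(1).lower()] = verb.group(2).strip()
    return entries


def launched_target(command):
    """Strip the rundll32 Shell32.DLL,ShellExec_RunDLL wrapper and quotes so the
    heuristics see the file that actually executes."""
    cmd = command.strip().strip('"')
    wrapped = re.search(r"ShellExec_RunDLL\s+(.+)$", cmd, re.I)
    return wrapped.group(1).strip().strip('"') if wrapped else cmd


def assess(verbs):
    """Return (severity, reasons) for one drive's verb -> command map."""
    reasons = []
    if "open" in verbs or "explore" in verbs:
        reasons.append("open/explore verbs overridden: double-clicking the drive runs the payload")
    for verb, command in verbs.items():
        target = launched_target(command)
        if target != command.strip().strip('"'):
            reasons.append(f"{verb}: ShellExec_RunDLL indirection hides the real target {target}")
        if "\\" not in target and ":" not in target:
            reasons.append(f"{verb}: bare filename {target}, resolved against the drive root")
        ext = os.path.splitext(target)[1].lower()
        drive = re.match(r"([A-Za-z]):\\", target)
        if ext in SCRIPT_EXT:
            reasons.append(f"{verb}: script or .com payload {target}")
        elif ext == ".exe" and drive and drive.group(1).upper() != "C":
            reasons.append(f"{verb}: executable on removable drive {drive.group(1).upper()}:")
    if not reasons:
        return "none", reasons
    only_removable_exe = all("executable on removable drive" in r for r in reasons)
    return ("medium" if only_removable_exe else "high"), reasons


def triage(text):
    """Map each MountPoints2 GUID in the dump to its (severity, reasons)."""
    return {guid: assess(verbs) for guid, verbs in parse_mountpoints(text).items()}


def reg_delete_commands(findings, minimum="high"):
    """reg.exe lines that remove the flagged keys; Explorer rebuilds a clean
    entry from the (cleaned or formatted) drive the next time it is inserted."""
    keep = {"high"} if minimum == "high" else {"high", "medium"}
    return [f'reg delete "{MP2_KEY}\\{guid}" /f'
            for guid, (severity, _) in sorted(findings.items()) if severity in keep]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for guid, (severity, reasons) in sorted(results.items()):
        print(f"{guid} {severity}")
        for reason in reasons:
            print(f"    - {reason}")
    print("\n".join(reg_delete_commands(results)))
```

On the sample above the two drives that hijack open/explore and the one that launches a bare name through ShellExec_RunDLL come out high; the PortableApps menu on G: is only medium, since a removable-drive .exe is exactly what a legitimate autorun looks like and needs a human decision. Deleting the whole GUID key is safe: it only holds Explorer's cache for that drive.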

If you right click on the drive in question you should get an option to format it. I would choose that one.
Your latest logs look ok. Maybe you should think about purchasing those software programs rather than risk getting infected?

0

If you right click on the drive in question you should get an option to format it. I would choose that one.
Your latest logs look ok. Maybe you should think about purchasing those software programs rather than risk getting infected?

Hi. Yeah, I formatted the USB drive. But I am afraid about the infecting virus, because I heard that it saves all the keystrokes, saves them as a log file and sends it to someone. (I could not use credit card numbers, etc.) If that is the case, is it safe to continue, or do I have to make some changes in settings? Do you think formatting the hard disk can solve the problem? But I am not at all interested in formatting; else I would have done that before posting here :)

0

If you have formatted the pen drive, then that should be the end of it provided it has not re-infected your hard drive. I see no evidence of that in your logs.
The minimum you need to do is to alter all your passwords on all your internet accounts just to be safe.

0

If you have formatted the pen drive, then that should be the end of it provided it has not re-infected your hard drive. I see no evidence of that in your logs.
The minimum you need to do is to alter all your passwords on all your internet accounts just to be safe.

Hi. Thanks for your continuous support and prompt response. Now I feel happy that my system is free from infections. I hope I can use my credit cards now. As you instructed, I will change my passwords. Can I mark this thread as "Solved"? If I get any further problem regarding this I will post again. Is it possible to bring back the thread after it has been marked "Solved"?

THANKS CRUNCHIE. THANKS A LOT FOR ALL YOUR EFFORTS

0

Is it possible to bring back the thread after it has been marked "Solved"?

THANKS CRUNCHIE. THANKS A LOT FOR ALL YOUR EFFORTS

You can either continue with this thread if required in the near future, or start another one if some time has gone by :).

You are welcome.

0

Hi.

It looks like my system is free from any virus. But after the infection and removal of this Ardamax keylogger, my system seems to work a little slow. I don't know why. Is this because of its infection? System boot is also slow. I have 1GB RAM and a Core 2 Duo processor. Even so, I'm facing this problem. No other problem specifically.

Thanks

0

Try this:

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

0

Hi. Now my system is pretty OK. But very often my Yahoo Messenger is not working. Whenever I try to sign in, I get a message saying "There was a problem signing into Yahoo Messenger. Please try again a little bit later". This problem has come up often only since its infection. I'm totally blank as to why I'm getting a series of problems. Before, I used to run ComboFix when I got such a problem in Messenger; then once I restarted my system, it would work and I was able to sign in. But this also does not work out now. Please help me. Hereby I paste the recent HJT log and ComboFix log. Kindly review and resolve this problem.

------------------------------------------------------------------------------------------

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:34 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 9012 bytes

------------------------------------------------------------------------------------------

Combofix log

ComboFix 08-04-08.10 - computer 2008-04-10 17:19:17.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.551 [GMT 5.5:30]
Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32\vfl1h75.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-03-27 20:51 . 2008-04-05 15:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-27 20:51 . 2008-03-27 20:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-26 19:28 . 2008-03-26 19:28 <DIR> d-------- C:\Program Files\KGB Archiver
2008-03-25 15:08 . 2008-03-25 15:11 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-25 14:34 . 2008-03-25 14:34 <DIR> d-------- C:\Program Files\7-Zip
2008-03-15 19:50 . 2008-03-15 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-13 20:09 . 2008-03-13 20:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03 <DIR> d-------- C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 19:34 . 1998-06-19 12:23 270,848 --a------ C:\WINDOWS\UNWISE32.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 03:35 --------- d-----w C:\Documents and Settings\computer\Application Data\AVG7
2008-04-09 17:19 --------- d-----w C:\Documents and Settings\computer\Application Data\DMCache
2008-04-09 07:27 --------- d-----w C:\Documents and Settings\computer\Application Data\dvdcss
2008-04-05 08:02 53,152 ----a-w C:\Documents and Settings\computer\Application Data\GDIPFONTCACHEV1.DAT
2008-03-25 09:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-25 08:46 --------- d-----w C:\Documents and Settings\computer\Application Data\Autodesk
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 17:18 --------- d-----w C:\Program Files\Yahoo!
2008-03-11 12:48 --------- d-----w C:\Program Files\Macrogaming
2008-03-07 12:48 --------- d-----w C:\Documents and Settings\computer\Application Data\MegauploadToolbar
2008-03-06 14:00 --------- d-----w C:\Program Files\ANSYS Inc
2008-03-06 12:33 --------- d-----w C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-03 19:17 --------- d-----w C:\Program Files\Free Video Converter
2008-03-02 08:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 05:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 21:51 --------- d-----w C:\Program Files\Picasa2
2008-02-27 09:33 --------- d-----w C:\Program Files\Nokia
2008-02-27 08:14 --------- d-----w C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-27 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-26 01:22 --------- d-----w C:\Program Files\PCZeitschaltuhr
2008-02-23 10:15 --------- d-----w C:\Documents and Settings\computer\Application Data\DivX
2008-02-23 10:03 --------- d-----w C:\Program Files\DivX
2008-02-20 21:49 --------- d-----w C:\Documents and Settings\computer\Application Data\uTorrent
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 20:31 --------- d-----w C:\Documents and Settings\LocalService\Application Data\PDFcreator
2008-02-10 09:56 --------- d-----w C:\Documents and Settings\computer\Application Data\IDM
2008-02-09 22:09 13,464 ----a-w C:\WINDOWS\system32\AcSignExtRes.dll
2008-02-09 22:08 43,160 ----a-w C:\WINDOWS\system32\AcSignIcon.dll
2008-02-09 22:08 426,136 ----a-w C:\WINDOWS\system32\AcSignOpt.exe
2008-02-09 22:08 28,312 ----a-w C:\WINDOWS\system32\AcSignExt.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-09_22.27.12.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-07 02:21:45 124,928 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-12-19 23:01:06 347,136 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-12-07 02:21:45 214,528 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-12-07 02:21:45 133,120 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-12-06 11:00:57 70,656 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-12-07 02:21:45 153,088 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-12-07 02:21:45 230,400 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-12-06 04:59:51 161,792 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-12-07 02:21:45 384,512 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-12-07 02:21:46 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-12-06 11:01:25 625,664 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-12-07 02:21:47 27,648 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-12-08 05:21:48 3,592,192 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-12-07 02:21:47 478,208 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-12-07 02:21:48 193,024 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-12-07 02:21:48 671,232 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-12-07 02:21:48 102,912 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2008-01-11 05:53:32 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-12-07 02:21:48 105,984 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-12-07 02:21:48 1,159,680 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-12-07 02:21:48 233,472 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-12-07 02:21:48 824,832 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
- 2007-12-07 02:21:45 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-12-07 02:21:45 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-03-01 13:06:20 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-04 12:00:00 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 02:21:45 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-12-06 11:00:57 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-12-07 02:21:45 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-12-06 04:59:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-12-07 02:21:46 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-12-06 11:01:25 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-02-29 08:55:46 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-12-07 02:21:47 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-03-01 13:06:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 02:21:47 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 02:21:48 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 02:21:48 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 02:21:48 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-03-01 13:06:29 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-01-11 05:53:32 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 02:21:48 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-03-01 13:06:29 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-12-07 02:21:48 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-12-07 02:21:48 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-03-01 13:06:30 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 02:21:48 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 02:21:45 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-25 09:47:42 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-10 03:34:51 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-12-07 02:21:45 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-12-06 11:00:57 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-12-07 02:21:45 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-12-06 04:59:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-12-07 02:21:45 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-12-07 02:21:46 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-12-07 02:21:46 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-12-06 11:00:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-12-07 02:21:47 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-12-07 02:21:47 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-12-07 02:21:47 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-03-01 13:06:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 02:21:47 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 02:21:48 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 02:21:48 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 02:21:48 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-25 12:21 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-25 12:21 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-25 12:21 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-05 13:20 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" [2001-03-22 20:48 192512]
"UDC Integration"="" []
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 15:30 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 08:44 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\computer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
C:\Program Files\BitDownload\BitDownload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-29 19:49 2532784 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-10 21:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-11 18:16 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:04]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec17a487-5c81-11dc-94e6-0019d187a3cf}]
\Shell\Auto\command - H:\auto.exe
\Shell\Autoplay\Command - H:\smss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\Explore\Command - H:\smss.exe
\Shell\Open\Command - H:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 14:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-09 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 17:20:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 17:21:09
ComboFix-quarantined-files.txt 2008-04-10 11:50:57
ComboFix2.txt 2008-03-31 08:23:07
ComboFix3.txt 2008-03-15 03:53:36
ComboFix4.txt 2008-03-14 19:14:38
ComboFix5.txt 2008-03-14 12:06:43
Pre-Run: 7,013,429,248 bytes free
Post-Run: 7,001,317,376 bytes free
.
2008-04-09 18:03:38 --- E O F ---

THANKS !!

Hi

I uninstalled Yahoo Messenger, rebooted and tried to reinstall, but the installation was unsuccessful. Now I again have the problem of connecting to the server in Yahoo, the AVG antivirus update and all. Yesterday I carried out a Kaspersky online scan as well. It doesn't trace out even a single virus. My system looks so clear, but still I'm not able to access many sites and download from Rapidshare. It's saying "Cannot locate internet server or proxy server". I'm getting a "server connection failed" message in AVG, and the Yahoo Messenger online installation is not working, as I mentioned above. So is there any problem with configuring my internet connection? Please help me out. :'(

Thanks

Hi

I followed the steps you have indicated. Now my internet connection is totally lost. I'm not able to access any of the websites. Now I'm working on another system and internet connection. I can't open even a single website. Please help me :( :'(
