Hi Rik, (if you are there)

Some Chinese webpage opens up automatically, and that too sometimes in the midst of my presentations. I ran Malwarebytes, which cleaned up, but today it still opened up.

Attaching the HijackThis log for your viewing. Please help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:59:12 AM, on 8/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novadigm\AXF\Bin\XFSrvcNT.Exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINNT\system32\svchost.exe
c:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\apss.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
c:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Encentuate\ObsService.exe
c:\Program Files\Novadigm\radexecd.exe
c:\Program Files\Novadigm\radsched.exe
c:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Encentuate\SOCIAccess.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\1E\WakeUp\Agent\WakeUpAgt.exe
c:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
c:\Program Files\Zebedee\zebedee.exe
c:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Novadigm\AXF\Bin\XFStatus.Exe
C:\Program Files\ITSCWeb\ITSCweb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Progra~1\Novadigm\rnsdaemn.exe
C:\Progra~1\Novadigm\rnsdaemonkit.exe
C:\Program Files\Encentuate\AATray.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINNT\system32\B2BABE\45A41D.EXE
c:\Program Files\Encentuate\DataProvider.exe
C:\WINNT\system32\ctfmon.exe
c:\Program Files\Encentuate\Sync.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\WINNT\system32\wbem\unsecapp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\TATA\Photon+\hsiam.exe
C:\WINNT\system32\DEB0E6\VV7A67D5.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Progra~1\Meetin~1\Modules\Calendar\AddInMon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Documents and Settings\1164623\My Documents\Software\HijackThis.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iconnect.zone1.scb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iconnect.zone1.scb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ICONNECT.zone1.scb.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Standard Chartered Bank
O2 - BHO: EnBHO - {089D765F-DF2D-42EA-8013-E9F6BCE95216} - c:\Program Files\Encentuate\WebSSOAgent.dll
O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - c:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [!AXF XFRunOne.Exe] "C:\Program Files\Novadigm\AXF\Bin\XFRunOne.Exe"
O4 - HKLM\..\Run: [PWRESET] c:\Program Files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
O4 - HKLM\..\Run: [SWFAss] c:\winnt\SYSTEM32\KIX32.exe /i c:\winnt\SWFAss.KIX
O4 - HKLM\..\Run: [ITSCsystray] C:\Program Files\ITSCWeb\ITSCweb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.5.0_15\bin\jusched.exe"
O4 - HKLM\..\Run: [EFSAssistant] "C:\Program Files\Microsoft EFS Assistant\EFSAssistant.exe"
O4 - HKLM\..\Run: [WinVNC] "c:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [RNSDaemon] C:\Progra~1\Novadigm\rnsdaemn.exe
O4 - HKLM\..\Run: [Rnsdaemonkit] C:\Progra~1\Novadigm\rnsdaemonkit.exe
O4 - HKLM\..\Run: [wallpaper] c:\winnt\system32\kix32.exe c:\winnt\wallpaper.kix
O4 - HKLM\..\Run: [AAAgent] "c:\Program Files\Encentuate\AATray.exe"
O4 - HKLM\..\Run: [Communicator] "c:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [45A41D] C:\WINNT\system32\B2BABE\45A41D.EXE
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\RunOnce: [!AXF XFRunOne.Exe] "C:\Program Files\Novadigm\AXF\Bin\XFRunOne.Exe" /1
O4 - HKCU\..\Run: [HSIAAccessManager] C:\Program Files\TATA\Photon+\hsiam.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\1164623\Local Settings\Application Data\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] C:\Documents and Settings\1164623\Application Data\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-18\..\Run: [MeetingLauncher] c:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MeetingLauncher] c:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: 45A41D.lnk = C:\WINNT\system32\B2BABE\45A41D.EXE
O4 - Global Startup: Bluetooth Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vip.intranet.standardchartered.com/Scybernet
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zone1.scb.net
O17 - HKLM\Software\..\Telephony: DomainName = zone1.scb.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{23043119-79FF-4380-BE5C-6C5D5A3F2239}: Domain = zone1.scb.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{873A0C6A-5C62-400D-A727-2505DE905107}: NameServer = 121.242.190.180 121.242.190.211
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zone1.scb.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = zone1.scb.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = zone1.scb.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\DOCUME~1\1164623\LOCALS~1\APPLIC~1\Skype\Shared\SKYPE4~1.DLL
O20 - AppInit_DLLs: ConsoleHookLoader.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Admin Password Scrambler (APS) - Unknown owner - C:\WINNT\System32\apss.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINNT\system32\QosServM.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - c:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - c:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - c:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ObsService - IBM Corporation - c:\Program Files\Encentuate\ObsService.exe
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - c:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - c:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - c:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SOCIAccess - IBM Corporation - c:\Program Files\Encentuate\SOCIAccess.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - c:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - c:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: 1E WakeUp Agent (WakeUpAgt) - 1E - C:\Program Files\1E\WakeUp\Agent\WakeUpAgt.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - c:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
O23 - Service: XFSrvcNT - Hewlett-Packard - C:\Program Files\Novadigm\AXF\Bin\XFSrvcNT.Exe
O23 - Service: Zebedee Client Service - Unknown owner - c:\Program Files\Zebedee\zebedee.exe

--
End of file - 14735 bytes


Hi, nil. Start hijackthis again, click Scan, in the window that opens place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [SWFAss] c:\winnt\SYSTEM32\KIX32.exe /i c:\winnt\SWFAss.KIX
O4 - HKLM\..\Run: [45A41D] C:\WINNT\system32\B2BABE\45A41D.EXE
Good; now delete these two files and the folder B2BABE.
c:\winnt\SWFAss.KIX
C:\WINNT\system32\B2BABE\45A41D.EXE


What is ConsoleHookLoader.dll? Search for it; in Properties, who is listed as its provider?
And this: Service: Admin Password Scrambler (APS) - Unknown owner - C:\WINNT\System32\apss.exe - I cannot find any information about it. Check the properties of this file, C:\WINNT\System32\apss.exe, and report its provider.
A big problem though is that you are running two antivirus services, Symantec and Avast. I don't know if you are paying for Avast, but you must remove one of them. They interfere.
Please run and then post a fresh HijackThis log, with your opinions.
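The triage the reply above does by eye (a random hex-named folder under system32, the same executable registered both in a Run key and in the Startup folder, a non-empty AppInit_DLLs value, a service with no vendor name) can be scripted so it is applied consistently to every log in a thread like this. The following is an added example, not part of the thread and not a HijackThis feature: it reads a HijackThis log and returns a list of findings for those four heuristics. The sample input is an excerpt of the log posted above, trimmed to the lines the rules look at; the rule names, the 4-8 character length used to recognise a hex-named folder, and the assumption that Windows itself does not create such folders under system32 are choices made for this example.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted earlier in this thread, trimmed to the
# lines the rules below look at (constructed sample input for this example).
HJT_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\B2BABE\45A41D.EXE
C:\WINNT\system32\DEB0E6\VV7A67D5.EXE
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [SWFAss] c:\winnt\SYSTEM32\KIX32.exe /i c:\winnt\SWFAss.KIX
O4 - HKLM\..\Run: [WinVNC] "c:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [45A41D] C:\WINNT\system32\B2BABE\45A41D.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: 45A41D.lnk = C:\WINNT\system32\B2BABE\45A41D.EXE
O20 - AppInit_DLLs: ConsoleHookLoader.dll
O23 - Service: Admin Password Scrambler (APS) - Unknown owner - C:\WINNT\System32\apss.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Zebedee Client Service - Unknown owner - c:\Program Files\Zebedee\zebedee.exe
"""

# An .exe living in a directory directly under system32 whose name is 4-8 hex
# characters (system32\B2BABE\45A41D.EXE).  The 4-8 length and the assumption
# that Windows never creates such directories itself are choices for this example.
HEX_SUBDIR_EXE = re.compile(r'\\system32\\[0-9A-F]{4,8}\\[^\\\s"]+\.exe', re.IGNORECASE)
# First drive-letter path ending in .exe on a line (handles quoted paths with spaces).
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
# "O4 - <location>: <value name or .lnk> <command>"
O4_LINE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.+)$")


def exe_in_line(text):
    """Return the lower-cased executable path found in an O4 command, or None."""
    m = EXE_PATH.search(text)
    return m.group(0).lower() if m else None


def analyze(log):
    """Apply the four heuristics to a HijackThis log and return a list of findings.

    Each finding is {"rule": <name>, "line": <offending log line>}.  These are
    triage hints, not verdicts: every hit still needs the file's publisher and
    signature checked by hand, as the reply above asks for apss.exe.
    """
    findings = []
    o4_locations = defaultdict(list)  # exe path -> autorun locations it appears in

    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Rule 1: running process or autorun pointing into a hex-named system32 subfolder.
        if HEX_SUBDIR_EXE.search(line):
            findings.append({"rule": "hex-named system32 subdir", "line": line})

        m = O4_LINE.match(line)
        if m:
            exe = exe_in_line(m.group("rest"))
            if exe:
                o4_locations[exe].append(m.group("location"))
        # Rule 3: a non-empty AppInit_DLLs value is loaded into every user32-linked process.
        elif line.startswith("O20 - AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append({"rule": "AppInit_DLLs set", "line": line})
        # Rule 4: a service whose binary carries no vendor name.
        elif line.startswith("O23 - Service:") and "- Unknown owner -" in line:
            findings.append({"rule": "service with no vendor", "line": line})

    # Rule 2: the same executable registered in more than one autorun location
    # (Run key plus Startup folder), so that removing one entry is not enough.
    for exe, locations in o4_locations.items():
        if len(locations) > 1:
            findings.append({"rule": "same exe in several autoruns",
                             "line": exe + " <- " + ", ".join(locations)})
    return findings


if __name__ == "__main__":
    for f in analyze(HJT_LOG):
        print("[" + f["rule"] + "] " + f["line"])
```

Run against the excerpt, rule 1 flags both the 45A41D entries the reply asks to fix and the second hex-named process in the original log (system32\DEB0E6\VV7A67D5.EXE), rule 2 shows 45A41D.EXE sitting in both HKLM\..\Run and the Startup folder, and rules 3 and 4 surface ConsoleHookLoader.dll, apss.exe and zebedee.exe for a manual publisher check. Rule 2 will also fire on legitimate software that registers itself twice (in the full log, kix32.exe appears under two Run values for login scripts), which is why the output is a list to inspect rather than a list to delete.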

I have screenshots of the properties of apss.exe. Avast is good and detects viruses, but Symantec is installed by my office, so I can't uninstall it. I have attached a fresh log. I am also attaching the Chinese webpage it opens.

What is ConsoleHookLoader.dll? Search for it; in Properties, who is listed as its provider?
My response>> TAM E-SSO AccessAgent, IBM IBM Corporation

And this: Service: Admin Password Scrambler (APS) - Unknown owner
My response>> In my office, if I know and set up the admin password, then at startup it's disabled, if it's that... not sure

apss exe screenshot.doc

hijackthis2.txt

Hi. You MUST uninstall Avast then. I know it is good, but two AV services can open your system up to problems. Having more than one is a practice that is totally NOT recommended.
apss.exe entered your system on July 20; when did you start having this problem with the website?

I have uninstalled Avast. My computer got formatted and reinstalled on the 20th or 21st; the problem started occurring from the 27th onwards.

Okay. I'm happy to assume then that this [Admin Password Scrambler (APS) - Unknown owner - C:\WINNT\System32\apss.exe] is something that is in-house with your company.
Do you still have that MBAM log? I would like to see it. If you do not have it, then please follow these instructions [otherwise wait till I read that MBAM log]:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT!: close other applications and save your work, and turn off your antivirus, antispyware and firewall for the duration of this scan.
- To run it, double-click the ComboFix.exe icon and follow the prompts to start it. If you do not have it installed already, ComboFix will download and install the Recovery Console on your system.
A word of caution: do not touch your mouse/keyboard until the scan has completed [your computer will restart automatically], when a log, C:\Combofix.txt, will pop onto your desktop. Post that log in your next reply.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, reboot to restore the desktop.

I am attaching the ComboFix log:

ComboFix 10-08-21.06 - 1164623 08/27/2010 22:47:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1029 [GMT 5.5:30]
Running from: c:\documents and settings\1164623\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\BackUp
c:\winnt\BackUp\INSTALL.INS
c:\winnt\BackUp\KIX32.EXE
c:\winnt\BackUp\lgpo\ADM\ADMFILES.INI
c:\winnt\BackUp\lgpo\ADM\CONF.ADM
c:\winnt\BackUp\lgpo\ADM\INETRES.ADM
c:\winnt\BackUp\lgpo\ADM\SYSTEM.ADM
c:\winnt\BackUp\lgpo\ADM\WMPLAYER.ADM
c:\winnt\BackUp\lgpo\ADM\WUAU.ADM
c:\winnt\BackUp\lgpo\GPT.INI
c:\winnt\BackUp\lgpo\MACHINE\REGISTRY.POL
c:\winnt\BackUp\lgpo\USER\MICROSOFT\IEAK\BRANDING\FAVS\SCB.ICO
c:\winnt\BackUp\lgpo\USER\MICROSOFT\IEAK\INSTALL.INS
c:\winnt\BackUp\lgpo\USER\REGISTRY.POL
c:\winnt\BackUp\MACHINE.POL
c:\winnt\BackUp\OEMINFO.INI
c:\winnt\BackUp\RESTORE.REG
c:\winnt\BackUp\SCB.REG
c:\winnt\BackUp\SWF.REG
c:\winnt\BackUp\USER.POL

.
((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))
.

2010-08-27 17:05 . 2010-08-27 17:07 -------- d-----w- c:\documents and settings\1164623\Application Data\vlc
2010-08-27 17:03 . 2010-08-27 17:03 -------- d-----w- c:\program files\VideoLAN
2010-08-27 05:41 . 2010-08-27 05:41 2 ----a-w- C:\sms.dat
2010-08-27 05:41 . 2010-08-27 05:41 2 ----a-w- C:\pbook.dat
2010-08-27 05:40 . 2010-08-27 05:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-27 04:25 . 2010-08-27 04:25 -------- d-----w- c:\winnt\ms
2010-08-17 17:00 . 2010-08-19 15:12 -------- d-----w- c:\documents and settings\1164623\Local Settings\Application Data\Microsoft Help
2010-08-17 09:42 . 2010-08-17 09:42 60800 ----a-w- c:\winnt\system32\S32EVNT1.DLL
2010-08-17 09:42 . 2010-08-17 09:42 123952 ----a-w- c:\winnt\system32\drivers\SYMEVENT.SYS
2010-08-17 09:40 . 2010-08-17 09:40 -------- d-----w- c:\program files\Symantec Client Security
2010-08-12 07:36 . 2010-08-12 07:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-12 05:49 . 2010-08-12 05:49 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-08-12 05:46 . 2010-08-12 05:51 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 05:45 . 2010-08-12 05:45 -------- d-----w- c:\program files\Microsoft.NET
2010-08-12 05:41 . 2010-08-12 05:42 -------- d-----w- c:\winnt\SHELLNEW
2010-08-12 05:40 . 2010-08-26 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-12 05:39 . 2010-08-12 05:39 -------- d-----r- C:\MSOCache
2010-08-11 12:12 . 2010-05-06 10:41 743424 -c----w- c:\winnt\system32\dllcache\iedvtool.dll
2010-08-11 12:03 . 2010-05-06 10:41 599040 -c----w- c:\winnt\system32\dllcache\msfeeds.dll
2010-08-11 12:03 . 2010-05-06 10:41 55296 -c----w- c:\winnt\system32\dllcache\msfeedsbs.dll
2010-08-11 12:03 . 2010-05-06 10:41 12800 -c----w- c:\winnt\system32\dllcache\xpshims.dll
2010-08-11 12:03 . 2010-05-06 10:41 247808 -c----w- c:\winnt\system32\dllcache\ieproxy.dll
2010-08-11 12:03 . 2010-05-06 10:41 1985536 -c----w- c:\winnt\system32\dllcache\iertutil.dll
2010-08-11 07:05 . 2010-08-11 07:05 -------- d--h--w- c:\winnt\PIF
2010-08-11 06:29 . 2010-08-11 06:29 -------- d-----w- c:\documents and settings\1164623\Application Data\AdobeUM
2010-08-10 12:08 . 2010-08-10 12:09 -------- d-----w- C:\New Folder
2010-08-09 07:07 . 2010-08-09 07:10 2605008 ----a-w- c:\documents and settings\1164623\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-08-08 19:26 . 2010-08-08 19:26 -------- d-----w- c:\program files\Alwil Software
2010-08-08 19:26 . 2010-08-08 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-08 09:33 . 2010-08-08 10:26 -------- d-----w- c:\program files\Animated GIF Creator
2010-08-08 09:20 . 2010-08-08 09:20 -------- d-----w- c:\documents and settings\abc\Tracing
2010-08-08 09:18 . 2010-08-08 09:18 -------- d-sh--w- c:\documents and settings\abc\IETldCache
2010-08-06 10:12 . 2010-08-06 10:12 -------- d-----w- c:\documents and settings\1164623\.javaws
2010-08-02 15:31 . 2010-07-13 03:51 543744 ----a-w- c:\winnt\system32\mscc.dll
2010-08-02 15:31 . 2010-08-02 15:31 -------- d-----w- c:\program files\Screen Movie Studio
2010-08-02 15:21 . 2010-08-02 15:21 -------- d-----w- c:\documents and settings\1164623\Application Data\Malwarebytes
2010-08-02 15:20 . 2010-04-29 10:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-08-02 15:20 . 2010-08-08 19:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-02 15:20 . 2010-08-02 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-02 15:20 . 2010-04-29 10:09 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-08-02 09:28 . 2010-08-02 09:28 56 ---ha-w- c:\winnt\system32\ezsidmv.dat
2010-08-02 09:22 . 2010-08-10 07:54 -------- d-----w- c:\documents and settings\o.1329225\Tracing
2010-08-02 09:20 . 2010-08-02 09:20 -------- d-sh--w- c:\documents and settings\o.1329225\IETldCache
2010-07-28 22:49 . 2010-06-25 10:43 -------- d---a-w- c:\documents and settings\o.1329225\QUICK
2010-07-28 22:49 . 2010-08-10 07:57 -------- d-----w- c:\documents and settings\o.1329225

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-27 17:14 . 2010-06-26 06:49 40 ----a-w- c:\winnt\system32\profile.dat
2010-08-27 05:46 . 2010-07-26 19:26 -------- d-----w- c:\documents and settings\1164623\Application Data\Skype
2010-08-27 04:21 . 2010-07-26 19:27 -------- d-----w- c:\documents and settings\1164623\Application Data\skypePM
2010-08-27 04:12 . 2010-07-19 20:00 12 ----a-w- c:\winnt\bthservsdp.dat
2010-08-26 18:40 . 2010-07-22 15:19 60 ----a-w- c:\winnt\wpd99.drv
2010-08-26 18:40 . 2010-07-22 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-08-22 18:31 . 2010-06-26 07:18 -------- d-----w- c:\program files\Encentuate
2010-08-22 18:31 . 2010-06-25 05:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-17 09:42 . 2010-06-25 05:36 -------- d-----w- c:\program files\Symantec
2010-08-17 09:42 . 2010-08-17 09:42 805 ----a-w- c:\winnt\system32\drivers\SYMEVENT.INF
2010-08-17 09:42 . 2010-08-17 09:42 10671 ----a-w- c:\winnt\system32\drivers\SYMEVENT.CAT
2010-08-17 09:40 . 2010-06-25 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-12 06:32 . 2010-07-19 15:01 69160 ----a-w- c:\documents and settings\1164623\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-27 16:00 . 2010-07-27 16:00 79367 ----a-w- c:\documents and settings\1164623\Application Data\Google\Google Talk\uninstall.exe
2010-07-26 19:26 . 2010-07-26 19:26 371272 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
2010-07-26 19:25 . 2010-07-26 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-25 23:14 . 2010-07-25 23:14 -------- d-----w- c:\program files\Yahoo!
2010-07-22 15:27 . 2010-07-22 15:27 -------- d-----w- c:\documents and settings\1164623\Application Data\pdf995
2010-07-22 15:19 . 2010-07-22 15:19 51716 ----a-w- c:\winnt\system32\pdf995mon.dll
2010-07-22 15:19 . 2010-07-22 15:19 249856 ----a-w- c:\winnt\system32\pdfmona.dll
2010-07-22 15:17 . 2010-07-22 15:17 -------- d-----w- c:\program files\pdf995
2010-07-21 07:57 . 2010-07-19 21:34 -------- d-----w- c:\documents and settings\1164623\Application Data\Toshiba
2010-07-20 10:11 . 2010-07-20 08:50 -------- d-----w- c:\documents and settings\All Users\Application Data\1E
2010-07-20 08:50 . 2010-07-20 08:50 -------- d-----w- c:\program files\1E
2010-07-19 21:23 . 2010-07-19 21:23 -------- d-----w- c:\program files\BlueTooth
2010-07-19 21:17 . 2010-07-19 21:17 -------- d-----w- c:\program files\Toshiba
2010-07-19 21:08 . 2010-07-19 21:08 -------- d-----w- c:\program files\My Company Name
2010-07-19 21:07 . 2010-07-19 21:07 -------- d-----w- c:\documents and settings\1164623\Application Data\InstallShield
2010-07-19 21:04 . 2010-07-19 21:04 -------- d-----w- c:\winnt\system32\config\systemprofile\Application Data\Intel
2010-07-19 21:04 . 2010-07-19 21:04 -------- d-----w- c:\documents and settings\1164623\Application Data\Intel
2010-07-19 21:03 . 2010-07-19 21:03 -------- d-----w- c:\program files\Common Files\Intel
2010-07-19 21:03 . 2010-07-19 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2010-07-19 21:03 . 2010-06-26 09:01 -------- d-----w- c:\program files\Intel
2010-07-19 18:33 . 2010-07-19 18:33 -------- d-----w- c:\documents and settings\1164623\Application Data\TATA_PHOTON
2010-07-19 18:33 . 2010-07-19 18:33 -------- d-----w- c:\program files\TATA
2010-07-19 15:09 . 2010-07-19 15:09 24576 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{AF18DDC5-1CF6-C5DD-3FF6-1E687DC0BBE1}\Icon047153950CF67C54.EXE
2010-07-19 15:08 . 2010-07-19 15:08 28672 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{6F310ED0-4A2C-CBA3-05E3-E5AD46044D94}\Icon35FC33EA5BDF78E5.EXE
2010-07-19 14:38 . 2010-07-19 14:38 32768 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{2735EFD5-9C2F-C76F-39BB-EC65638C80FB}\Icon4F911834D8D8730B.EXE
2010-07-19 14:37 . 2010-06-26 06:05 -------- d-----w- c:\program files\Notes
2010-07-19 14:34 . 2010-07-19 14:34 130 ----a-w- c:\documents and settings\1164623\Local Settings\Application Data\fusioncache.dat
2010-06-26 07:32 . 2010-06-26 07:32 148336 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-26 06:57 . 2010-06-26 06:57 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2010-06-26 06:55 . 2010-06-26 06:55 112 ----a-w- C:\install.cmd
2010-06-26 06:55 . 2010-06-26 06:55 16384 ----a-w- c:\winnt\system32\FileOps.exe
2010-06-26 06:54 . 2010-06-26 06:54 82432 ----a-w- c:\winnt\system32\msxml4r.dll
2010-06-26 06:42 . 2010-06-26 06:42 947472 ----a-w- c:\winnt\system32\msjava.dll
2010-06-26 06:05 . 2010-06-26 06:05 53248 ----a-w- c:\winnt\system32\nwnsp32.dll
2010-06-26 05:24 . 2010-06-26 05:24 32768 ----a-w- c:\winnt\system32\netfxperf.dll
2010-06-26 05:13 . 2010-06-26 05:13 148480 ----a-w- c:\winnt\system32\config\systemprofile\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\awiml32.dll
2010-06-26 05:13 . 2010-06-26 05:13 28672 ----a-w- c:\winnt\system32\config\systemprofile\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\dvd.dll
2010-06-26 05:13 . 2010-06-26 05:13 169472 ----a-w- c:\winnt\system32\config\systemprofile\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\js32.dll
2010-06-26 05:13 . 2010-06-26 05:13 135680 ----a-w- c:\winnt\system32\config\systemprofile\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\msvcrt.dll
2010-06-26 05:13 . 2010-06-26 05:13 150528 ----a-w- c:\winnt\system32\config\systemprofile\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\vct32161.dll
2010-06-26 05:13 . 2010-06-26 05:13 839680 ----a-w- c:\winnt\system32\config\systemprofile\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\webplr.exe
2010-06-25 14:41 . 2010-06-25 14:41 20152 ----a-w- c:\winnt\system32\drivers\vpnva.sys
2010-06-25 14:40 . 2010-06-25 14:40 26800 ----a-w- c:\winnt\system32\vpnevents.dll
2010-06-25 14:31 . 2010-06-25 14:31 94208 ----a-w- c:\winnt\system32\MSSTKPRP.DLL
2010-06-25 14:31 . 2010-06-25 14:31 118784 ----a-w- c:\winnt\system32\MSSTDFMT.DLL
2010-06-25 10:55 . 2010-06-25 10:55 53248 ----a-w- c:\winnt\system32\MFC42ENU.DLL
2010-06-25 10:47 . 2010-06-25 10:47 151552 ----a-w- c:\winnt\system32\RDOCURS.DLL
2010-06-25 10:47 . 2010-06-25 10:47 397312 ----a-w- c:\winnt\system32\MSRDO20.DLL
2010-06-25 08:31 . 2010-06-25 08:31 21393 ----a-w- c:\winnt\system32\drivers\iPassP.sys
2010-06-25 08:00 . 2010-06-25 08:00 293376 ----a-w- c:\winnt\system32\WISPTIS.EXE
2010-06-25 08:00 . 2010-06-25 08:00 207360 ----a-w- c:\winnt\system32\INKED.DLL
2010-06-25 05:37 . 2010-06-25 05:37 262144 ----a-w- c:\winnt\system32\default_user_class.dat
2010-06-25 05:25 . 2010-06-25 05:24 86315 ----a-w- c:\winnt\pchealth\helpctr\OfflineCache\index.dat
2010-06-25 05:23 . 2010-06-25 05:23 21640 ----a-w- c:\winnt\system32\emptyregdb.dat
2010-06-14 14:31 . 2010-06-25 05:23 744448 ----a-w- c:\winnt\pchealth\helpctr\binaries\helpsvc.exe
2010-06-26 06:54 . 2010-06-26 06:54 405504 ----a-w- c:\program files\internet explorer\plugins\HRCharterRes.dll
2010-06-26 06:54 . 2010-06-26 06:54 36864 ----a-w- c:\program files\internet explorer\plugins\lfbmp11n.dll
2010-06-26 06:54 . 2010-06-26 06:54 284672 ----a-w- c:\program files\internet explorer\plugins\LFCMP11n.DLL
2010-06-26 06:54 . 2010-06-26 06:54 172032 ----a-w- c:\program files\internet explorer\plugins\Lfpng11n.dll
2010-06-26 06:54 . 2010-06-26 06:54 262656 ----a-w- c:\program files\internet explorer\plugins\LTDIS11n.dll
2010-06-26 06:54 . 2010-06-26 06:54 117760 ----a-w- c:\program files\internet explorer\plugins\ltfil11n.DLL
2010-06-26 06:54 . 2010-06-26 06:54 391168 ----a-w- c:\program files\internet explorer\plugins\ltkrn11n.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HSIAAccessManager"="c:\program files\TATA\Photon+\hsiam.exe" [2009-07-28 3547136]
"Skype"="c:\documents and settings\1164623\Local Settings\Application Data\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"googletalk"="c:\documents and settings\1164623\Application Data\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\winnt\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"PHIME2002ASync"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"Synchronization Manager"="c:\winnt\system32\mobsync.exe" [2008-04-14 143360]
"!AXF XFRunOne.Exe"="c:\program files\Novadigm\AXF\Bin\XFRunOne.Exe" [2004-12-08 40960]
"PWRESET"="c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2007-09-18 45056]
"ITSCsystray"="c:\program files\ITSCWeb\ITSCweb.exe" [2007-04-25 337920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_15\bin\jusched.exe" [2010-06-26 75256]
"EFSAssistant"="c:\program files\Microsoft EFS Assistant\EFSAssistant.exe" [2007-05-22 62888]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2010-06-26 474624]
"RNSDaemon"="c:\progra~1\Novadigm\rnsdaemn.exe" [2007-06-26 32768]
"Rnsdaemonkit"="c:\progra~1\Novadigm\rnsdaemonkit.exe" [2007-06-08 16384]
"wallpaper"="c:\winnt\system32\kix32.exe" [2004-12-28 245760]
"AAAgent"="c:\program files\Encentuate\AATray.exe" [2008-08-12 1860952]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-06-26 5160288]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2008-09-30 125368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MeetingLauncher"="c:\program files\Meeting Center\Modules\Launcher\mcLauncher.exe" [2008-10-01 439608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\winnt\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\winnt\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRunasInstallPrompt"= 1 (0x1)
"PromptRunasInstallNetPath"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3226412287-358294239-3603207364-213616\Scripts\Logon\0\0]
"Script"=Startpage-chk3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3226412287-358294239-3603207364-213616\Scripts\Logon\0\1]
"Script"=CleanTempFile.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\rnsdaemn.exe"=
"c:\\Program Files\\Avaya\\Avaya IP Softphone\\ipsoftphone.exe"=

R2 APS;Admin Password Scrambler;c:\winnt\system32\apss.exe [7/20/2010 3:00 PM 8192]
R2 ObsService;ObsService;c:\program files\Encentuate\ObsService.exe [8/12/2008 8:43 PM 83288]
R2 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [12/2/2002 3:50 PM 196608]
R2 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [9/30/2002 2:53 PM 249856]
R2 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\radstgms.exe [3/27/2003 9:44 AM 303104]
R2 SOCIAccess;SOCIAccess;c:\program files\Encentuate\SOCIAccess.exe [8/12/2008 8:43 PM 873816]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [6/25/2010 8:10 PM 434864]
R2 WakeUpAgt;1E WakeUp Agent;c:\program files\1E\WakeUp\Agent\WakeUpAgt.exe [1/12/2010 11:46 AM 275792]
R2 XFSrvcNT;XFSrvcNT;c:\program files\Novadigm\AXF\Bin\XFSrvcNT.Exe [6/25/2010 11:56 AM 81920]
R2 Zebedee Client Service;Zebedee Client Service;c:\program files\Zebedee\zebedee.exe [6/26/2010 11:40 AM 246748]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [6/25/2010 8:06 PM 9817]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/25/2010 11:09 AM 99376]
R3 XFDrvrNT;XFDrvrNT;c:\winnt\system32\drivers\XFDrvrNT.Sys [6/25/2010 11:56 AM 58748]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [6/25/2010 8:06 PM 117760]
S3 evudbus;Epivalley(R) Composite Device driver (WDM);c:\winnt\system32\drivers\evudbus.sys [7/20/2010 12:03 AM 89856]
S3 evuddiag;Epivalley(R) Device Status 2 Driver (WDM);c:\winnt\system32\drivers\evuddiag.sys [7/20/2010 12:03 AM 99968]
S3 evudmdfl;~Epivalley(R) Modem Filter~;c:\winnt\system32\drivers\evudmdfl.sys [7/20/2010 12:03 AM 14976]
S3 evudmdm;Epivalley(R) Modem Driver;c:\winnt\system32\drivers\evudmdm.sys [7/20/2010 12:03 AM 121088]
S3 evudserd;Epivalley(R) Device Status 1 Driver (WDM);c:\winnt\system32\drivers\evudserd.sys [7/20/2010 12:03 AM 99968]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##INSCTFPS101#APPS]
\Shell\AutoRun\command - l:\winamp_cache_0001\ehthumbs.exe
\Shell\explore\command - L:\winamp_cache_0001/ehthumbs.exe
\Shell\open\command - L:\winamp_cache_0001/ehthumbs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##INSCTFPS101#PRG]
\Shell\AutoRun\command - h:\winamp_cache_0001\ehthumbs.exe
\Shell\explore\command - H:\winamp_cache_0001/ehthumbs.exe
\Shell\open\command - H:\winamp_cache_0001/ehthumbs.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://iconnect.zone1.scb.net
mStart Page = hxxp://ICONNECT.zone1.scb.net
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-27 22:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@SACL=(02 0001)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
@SACL=(02 0001)
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@SACL=(02 0001)
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@SACL=(02 0001)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@SACL=(02 0001)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@SACL=(02 0001)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@SACL=(02 0001)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\program files\Encentuate\ConsoleHookLoader.dll
c:\winnt\system32\netprovcredman.dll
c:\winnt\system32\igfxdev.dll
c:\program files\Encentuate\ObsBaseAgent.dll

- - - - - - - > 'lsass.exe'(1056)
c:\program files\Encentuate\ConsoleHookLoader.dll
.
Completion time: 2010-08-27 22:55:15
ComboFix-quarantined-files.txt 2010-08-27 17:25

Pre-Run: 12,837,314,560 bytes free
Post-Run: 12,873,146,368 bytes free

- - End Of File - - CC7F3C5C5E51EB61B8622CA7E7810DB5

Combofix has removed your KIXTart script tool.
Did you intend for your wallpaper [background] to be set as "wallpaper"="c:\winnt\system32\kix32.exe" in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] ?

c:\winnt\system32\mscc.dll = could you check the properties of this, please? You might submit it for scanning...
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination [use the Choose button to browse to the file]:
-post the result, please.
The folder 1E appears as if it masquerades as IE; what is this program?
c:\program files\1E
c:\documents and settings\All Users\Application Data\1E
These next I suspect; do you know the 3 .exes? If not, delete them.
2010-07-19 15:09 . 2010-07-19 15:09 24576 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{AF18DDC5-1CF6-C5DD-3FF6-1E687DC0BBE1}\Icon047153950CF67C54.EXE
2010-07-19 15:08 . 2010-07-19 15:08 28672 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{6F310ED0-4A2C-CBA3-05E3-E5AD46044D94}\Icon35FC33EA5BDF78E5.EXE
2010-07-19 14:38 . 2010-07-19 14:38 32768 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{2735EFD5-9C2F-C76F-39BB-EC65638C80FB}\Icon4F911834D8D8730B.EXE

Combofix has removed your KIXTart script tool.
Did you intend for your wallpaper [background] to be set as "wallpaper"="c:\winnt\system32\kix32.exe" in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] ?

c:\winnt\system32\mscc.dll = could you check the properties of this, please? You might submit it for scanning...
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination [use the Choose button to browse to the file]:
-post the result, please.

>>> Done, all links say "Found nothing"


The folder 1E appears as if it masquerades as IE; what is this program?
c:\program files\1E
c:\documents and settings\All Users\Application Data\1E

>>> This is installed by my office as Nightwatchman and wakeup to save power, etc

These next I suspect; do you know the 3 .exes? If not, delete them.
2010-07-19 15:09 . 2010-07-19 15:09 24576 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{AF18DDC5-1CF6-C5DD-3FF6-1E687DC0BBE1}\Icon047153950CF67C54.EXE
2010-07-19 15:08 . 2010-07-19 15:08 28672 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{6F310ED0-4A2C-CBA3-05E3-E5AD46044D94}\Icon35FC33EA5BDF78E5.EXE
2010-07-19 14:38 . 2010-07-19 14:38 32768 ----a-r- c:\documents and settings\1164623\Application Data\Microsoft\Installer\{2735EFD5-9C2F-C76F-39BB-EC65638C80FB}\Icon4F911834D8D8730B.EXE

>>> I have checked these directories; these icons are my office's familiar software... every piece of software, even Office, gets auto-installed remotely.... I think these are used for that purpose, because the dates are when my laptop got formatted and re-installed with the OS (that is also automatic)

The Chinese webpage does not open any more; it's been some 12-14 days, maybe...

Thanks, nil. It's tough investigating in-house or company software... that which is private is open to question merely because it is not known. Thanks for sorting those details.
12-14 days? Something you did eradicated it - be happy with that.
Cheers.
