Completely Hijacked (?)


dummest evar
24 Oct 2008, 6:43am
Hello -

Well, I should say that I am a total newbie and have nowhere near the knowledge I need to take on my problem alone. I have, however, learned quite a bit today... I believe hijacked is the proper term for what is happening to me, but I am not sure (thus the "?").

I have read through previous threads and some seem very similar to the problem I am having. This started yesterday, and here is what has happened since then:

It all started with the XP Antivirus 2009 thingy. Yes I had AVG, but that's all, and I am not sure how well it was working but I know that it updated every morning at 8:00 AM. After getting the red x and other things from the xp 2009, I searched the web and it sounded like Malwarebytes was the thing to do. Ran it, looks good, so I also downloaded SuperAntispyware, and Spybot, and eventually HJT. So now my computer is running better than it has in a year or more, and the XP 2009 thing is gone.

AND THEN! This morning I got the bright idea to restart the computer. Actually let it turn all the way off for a few minutes. Generally it is always running. You are familiar with the rest of the story - Windows now runs in safe mode only, every time I run Malwarebytes I get the same 5 problems (tdss) even if I delete them each time. I looked at the original log from 10/21 and I see the brastk and some other insidious junk. Also, in area 20 of HJT, you will see the Winlogon Notify, and the Karna.dat thing, both of which sound bad when reading about them online. They also return after each reboot.

Here is what seems a little different - while I know that some people have stated in previous threads that they cannot access antivirus websites, I can't either, and I cannot access anything that will let me download Combofix or the RIS_ something or other, and nothing that has HJT in the title or address AT ALL. Also, the only program that seems to update is Malwarebytes. I tried to update AVG, and had a "serious" error with that. I was able to download Avast! and am running it now, it seems to function properly. I will include the most recent HJT log, and Malwarebytes too, in hopes that someone patient enough wants to deal with this. I appreciate any help in advance.

****** HJT LOG ******

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:11 PM, on 10/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174968086125
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PTO - Sysinternals - www.sysinternals.com (http://www.sysinternals.com) - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe

--
End of file - 6368 bytes

******


****** Malwarebytes Log ******

Malwarebytes' Anti-Malware 1.30
Database version: 1311
Windows 5.1.2600 Service Pack 2
10/23/2008 8:34:09 PM
mbam-log-2008-10-23 (20-34-09).txt
Scan type: Quick Scan
Objects scanned: 48355
Time elapsed: 3 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.


******
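
A triage pass over the HJT log above, as an added example that is not part of this thread and not code from HijackThis: it pulls the finding lines out of the posted log (six of them are embedded below as sample input) and flags the entries a responder would look at first, such as the O20 AppInit_DLLs value and the O23 service running from a Temp directory. The allowlist of vetted Winlogon Notify handlers is an assumption made for illustration.

```python
"""Triage a HijackThis (HJT) log for autostart entries that deserve a closer look.

Added example for this thread, not code from HijackThis or from any poster.
The sample lines are copied from the log posted above; the allowlist of known
Winlogon Notify handlers is an assumption made for illustration.
"""
import re

# Sample input: six lines taken from the posted HJT log (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PTO - Sysinternals - www.sysinternals.com (http://www.sysinternals.com) - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe
"""

# Assumed allowlist: Winlogon Notify DLLs a responder has already vetted (lowercase file names).
KNOWN_NOTIFY_DLLS = {"saswinlo.dll"}

# HJT finding lines look like "O20 - AppInit_DLLs: karna.dat"; headers and the
# running-process list do not match this pattern and are skipped.
HJT_LINE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every finding line in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return findings as dicts with section, severity, reason and the raw entry."""
    findings = []
    for section, body in parse_hjt(text):
        lowered = body.lower()
        if section == "O20" and lowered.startswith("appinit_dlls:"):
            # AppInit_DLLs makes every process that loads user32.dll also load the
            # named DLL, so any value here is worth a hard look.
            findings.append(dict(section=section, severity="high",
                                 reason="AppInit_DLLs entry present", entry=body))
        elif section == "O20" and lowered.startswith("winlogon notify:"):
            dll = lowered.rsplit("\\", 1)[-1].strip()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(dict(section=section, severity="medium",
                                     reason="unvetted Winlogon Notify handler", entry=body))
        elif section == "O23" and "\\temp\\" in lowered:
            # Services normally live under Program Files or the system directory;
            # a service binary in a Temp folder does not.
            findings.append(dict(section=section, severity="high",
                                 reason="service binary runs from a Temp directory", entry=body))
        if "(file missing)" in lowered:
            # Dangling registrations are mostly leftovers of uninstalls, but they
            # also mark components a cleanup tool already removed.
            findings.append(dict(section=section, severity="low",
                                 reason="registered component whose file is missing", entry=body))
    return findings


def report(text):
    """Render the findings one per line, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = []
    for f in sorted(triage(text), key=lambda f: order[f["severity"]]):
        lines.append(f"[{f['severity'].upper():6}] {f['section']}: {f['reason']} -> {f['entry']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample it reports three findings: the AppInit_DLLs value and the Temp-resident service as high, the AVG toolbar with its missing file as low; the SUPERAntiSpyware Winlogon Notify handler is silent because it sits on the allowlist, which is exactly the judgement a responder makes by hand when reading an O20 line.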

Katana
24 Oct 2008, 8:44am
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------

Click here (http://noahdfear.net/downloads/TDdump.exe) and select Open (or Run) to run a tool that will check your computer for a specific rootkit infection.
When the tool completes a log will open.
Please post the contents of that log.

Note - if you do not have the option to open or run, you may save it and run it from your hard drive

dummest evar
24 Oct 2008, 2:52pm
Hi Katana, thank you for helping me. Here are the results from the link you gave me:


HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv
NextInstance REG_DWORD 1 (0x1)
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000
Service REG_SZ TDSSserv
Legacy REG_DWORD 1 (0x1)
ConfigFlags REG_DWORD 0 (0x0)
Class REG_SZ LegacyDriver
ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc REG_SZ TDSSserv
Capabilities REG_DWORD 0 (0x0)
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000\LogConf
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000\Control
ActiveService REG_SZ TDSSserv

Katana
24 Oct 2008, 3:01pm
Step 1

Disable Teatimer
First step:

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version:

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

-----------------------------------------------------------
Step 2

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See HERE (http://www.bleepingcomputer.com/forums/topic114351.html) for help

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-----------------------------------------------------------
Step 3

Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.

-----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply:

ComboFix Log
RSIT Logs
How are things running now?

dummest evar
24 Oct 2008, 3:30pm
OK, I need to stop you here. I let Avast run a full scan last night before going to bed, and this morning there was a message that a virus had been found. There were 22 problems, 5 infections, and most of the problems could not be scanned as they were password protected supposedly. Those 22 files were related to registry by the way... I could not get a screenshot for you, I apologize. So, Avast deleted the infected files (5).

Now back to present. That is the only other thing I have done by the way. So, I completed step 1, and rebooted, and my machine started up normally, albeit with some messages about diagnostic mode, and it SEEMS like the system restore has been activated (it would not respond previously). However, step 2 failed - none of the links you gave me are accessible. I can provide email address if that is a good method of receiving the CF file...

dummest evar
24 Oct 2008, 4:39pm
OK. Ran CF 3 times before a log was created, obviously each time CF went a little further... on the last completion, AVG updated automatically (I was using AVG before I downloaded Avast! yesterday out of desperation).

Here is the log:

ComboFix 08-10-23.08 - User 2008-10-24 9:29:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.
Error: Cfiles.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Downloaded Program Files\Temp
.
---- Previous Run -------
.
C:\Documents and Settings\User\Cookies\acexaneq.ban
C:\Documents and Settings\User\Cookies\nuhe.dat
C:\Documents and Settings\User\Cookies\ozawy.pif
C:\Documents and Settings\User\Cookies\ucalag.lib
C:\Documents and Settings\User\Cookies\yhoja._dl
C:\WINDOWS\system32\Drivers\TDSSpaxt.sys
C:\WINDOWS\system32\Drivers\TDSSpqlt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSSbivk.log
C:\WINDOWS\system32\TDSSbubv.log
C:\WINDOWS\system32\TDSSbubx.dll
C:\WINDOWS\system32\TDSScfub.dll
C:\WINDOWS\system32\TDSSfpmp.dll
C:\WINDOWS\system32\TDSShrxr.dll
C:\WINDOWS\system32\TDSSkpjp.log
C:\WINDOWS\system32\TDSSlrvd.dat
C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSmaxt.dat
C:\WINDOWS\system32\TDSSnmxh.dll
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSoeqh.dll
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSoiqt.dll
C:\WINDOWS\system32\TDSSosvn.dat
C:\WINDOWS\system32\TDSSosvn.dll
C:\WINDOWS\system32\TDSSrhyp.dll
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSSrtqp.dll
C:\WINDOWS\system32\TDSSsbhc.dll
C:\WINDOWS\system32\TDSSsbhc.log
C:\WINDOWS\system32\TDSSthym.dll
C:\WINDOWS\system32\TDSStkdv.dll
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSvvbi.dll
C:\WINDOWS\system32\TDSSvvbi.log
C:\WINDOWS\system32\TDSSxfum.dll
C:\WINDOWS\system32\windows_update.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.
2008-10-23 16:47 . 2008-10-23 16:47 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-23 15:36 . 2008-10-23 15:36 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-10-23 14:46 . 2008-10-23 14:58 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2008-10-23 12:47 . 2008-10-23 12:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-22 10:13 . 2008-10-22 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-22 08:32 . 2008-10-22 08:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 23:31 . 2008-10-23 20:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 23:31 . 2008-10-21 23:31 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-21 23:31 . 2008-10-21 23:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 23:31 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 23:31 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-21 21:46 . 2008-10-23 19:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-21 21:46 . 2008-10-24 08:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 21:28 . 2008-10-21 21:28 2,002 --a------ C:\WINDOWS\Sysvxd.exe
2008-10-21 21:26 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2008-10-21 21:09 . 2008-10-21 21:09 <DIR> d-------- C:\Documents and Settings\User\Application Data\MSNInstaller
2008-10-21 20:21 . 2008-10-21 20:21 19,932 --a------ C:\Documents and Settings\All Users\Application Data\vonydaxid.scr
2008-10-21 20:21 . 2008-10-21 20:21 19,831 --a------ C:\WINDOWS\system32\cilykanami.dl
2008-10-21 20:21 . 2008-10-21 20:21 19,118 --a------ C:\Documents and Settings\All Users\Application Data\ulam.sys
2008-10-21 20:21 . 2008-10-21 20:21 18,830 --a------ C:\Program Files\Common Files\detozu.com
2008-10-21 20:21 . 2008-10-21 20:21 17,036 --a------ C:\WINDOWS\ogawi.dat
2008-10-21 20:21 . 2008-10-21 20:21 16,754 --a------ C:\WINDOWS\system32\baxepi._dl
2008-10-21 20:21 . 2008-10-21 20:21 16,727 --a------ C:\WINDOWS\system32\aqohohameq.inf
2008-10-21 20:21 . 2008-10-21 20:21 14,567 --a------ C:\Documents and Settings\User\Application Data\iqacuce.dat
2008-10-21 20:21 . 2008-10-21 20:21 14,227 --a------ C:\WINDOWS\ivytac.dll
2008-10-21 20:21 . 2008-10-21 20:21 13,418 --a------ C:\WINDOWS\isam.reg
2008-10-21 20:21 . 2008-10-21 20:21 13,029 --a------ C:\Program Files\Common Files\jucadosos.dll
2008-10-21 20:21 . 2008-10-21 20:21 12,397 --a------ C:\WINDOWS\system32\umix.sys
2008-10-21 20:21 . 2008-10-21 20:21 11,986 --a------ C:\Documents and Settings\All Users\Application Data\awoq.pif
2008-10-21 20:21 . 2008-10-21 20:21 11,805 --a------ C:\WINDOWS\system32\irelul._dl
2008-10-21 20:21 . 2008-10-21 20:21 10,981 --a------ C:\Program Files\Common Files\yhuxovuw.vbs
2008-10-21 19:49 . 2008-10-21 19:49 19,474 --a------ C:\WINDOWS\qiximaz.bat
2008-10-21 19:49 . 2008-10-21 19:49 19,277 --a------ C:\Program Files\Common Files\axeja.bat
2008-10-21 19:49 . 2008-10-21 19:49 18,400 --a------ C:\Documents and Settings\All Users\Application Data\byluw.sys
2008-10-21 19:49 . 2008-10-21 19:49 17,654 --a------ C:\WINDOWS\system32\likoji.dl
2008-10-21 19:49 . 2008-10-21 19:49 17,512 --a------ C:\Documents and Settings\All Users\Application Data\qylo.exe
2008-10-21 19:49 . 2008-10-21 19:49 17,268 --a------ C:\Documents and Settings\All Users\Application Data\zulykuw.dat
2008-10-21 19:49 . 2008-10-21 19:49 16,991 --a------ C:\WINDOWS\fevezi.inf
2008-10-21 19:49 . 2008-10-21 19:49 15,801 --a------ C:\WINDOWS\dipuzud.bin
2008-10-21 19:49 . 2008-10-21 19:49 14,433 --a------ C:\WINDOWS\vokavet.bat
2008-10-21 19:49 . 2008-10-21 19:49 13,617 --a------ C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
2008-10-21 18:12 . 2008-10-21 18:12 163 --a------ C:\Documents and Settings\User\xrt_log.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 15:22 --------- d-----w C:\Documents and Settings\User\Application Data\AVG7
2008-10-24 14:26 --------- d-----w C:\Documents and Settings\User\Application Data\MSN6
2008-10-23 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-10-21 23:59 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-10-21 23:55 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-21 23:55 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-09-16 19:52 --------- d-----w C:\Documents and Settings\User\Application Data\Corel
2008-09-16 16:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-16 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-09-16 16:00 1,111,632 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2008-09-16 16:00 --------- d-----w C:\Program Files\Corel
2008-09-16 16:00 --------- d-----w C:\Program Files\Common Files\Corel
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 22:11 --------- d-----w C:\Program Files\myfantasyleague
2008-08-29 03:41 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 09:58 2,136,064 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,015,744 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2006-07-11 23:10 61,737,440 ----a-w C:\Program Files\World_Wind_1.3.5_Full.exe
2006-07-11 20:18 24,265,736 ----a-w C:\Program Files\dotnetfx.exe
2006-07-11 18:44 61,737,440 ----a-w C:\Program Files\Nasa World Wind Setup.exe
2005-06-05 20:17 63,488 ----a-w C:\Documents and Settings\All Users\Norton - June 5 2005 Password Manager SETUP.exe
2005-01-06 05:27 2,184 ----a-w C:\Program Files\uninstal.log
.
------- Sigcheck -------
2002-08-29 06:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-05-26 19:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\sp1qfe\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-21 17:55 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
2002-08-29 06:00 200192 fe84e045a09a4abc4deef7270448b64e C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2004-08-04 01:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
2008-10-21 17:55 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\WINDOWS\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 282624]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2007-05-09 478800]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\QUICKENW\BILLMIND.EXE [2007-01-13 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-05-09 13:11 478800 C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2000-09-13 11682]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
S3 NMUSB;NMUSB;C:\WINDOWS\system32\DRIVERS\Nmusb.sys [2003-05-22 40625]
S3 PTO;PTO;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f878ca4-6d49-11dd-8180-000c76e614fa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-TDSSpaxt.sys

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 09:30:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-24 9:32:30
ComboFix-quarantined-files.txt 2008-10-24 15:32:25
Pre-Run: 94,294,257,664 bytes free
Post-Run: 94,283,169,792 bytes free
229 --- E O F --- 2008-10-20 09:04:17
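
The Sigcheck section of the ComboFix log above carries the most useful detail for a responder: the copies of winlogon.exe and termsrv.dll in system32 have exactly the size of the Service Pack originals under ServicePackFiles\i386 but a different MD5, and a modification time on 2008-10-21, the day the log's "Files Created" section dates the other suspicious files. Identical size with a different hash is what a system binary modified in place looks like, as opposed to a file replaced by a legitimate update (which changes size as well). The script below is an added example, not ComboFix code and not from any poster: it parses those Sigcheck lines (copied from the log) and classifies the live copy of each file against the backup copies Windows keeps. The two sample.dll lines with an all-zero hash are constructed to show the clean case.

```python
"""Compare the live copy of a system binary against the backup copies Windows keeps.

Added example for this thread; it is not ComboFix code and not from any poster.
The winlogon.exe and termsrv.dll lines are copied from the Sigcheck section of
the ComboFix log above; the two sample.dll lines are constructed with a
placeholder all-zero hash to show the clean case.
"""
import re
from collections import defaultdict

SIGCHECK_SAMPLE = r"""
2002-08-29 06:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-05-26 19:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\sp1qfe\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-21 17:55 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
2002-08-29 06:00 200192 fe84e045a09a4abc4deef7270448b64e C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2004-08-04 01:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
2008-10-21 17:55 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\WINDOWS\system32\termsrv.dll
2004-08-04 01:56 14336 00000000000000000000000000000000 C:\WINDOWS\ServicePackFiles\i386\sample.dll
2004-08-04 01:56 14336 00000000000000000000000000000000 C:\WINDOWS\system32\sample.dll
"""
# The last two lines above are constructed (placeholder hash), not from the log.

# One Sigcheck row: "<date> <time> <size> <md5> <path>".
SIGCHECK_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+)$")

# The copy the running system actually loads; every other path is a backup.
LIVE_PREFIX = "c:\\windows\\system32\\"

VERDICT_TEXT = {
    "match": "hash matches a backup copy",
    "patched": "same size as a backup copy but different hash: modified in place",
    "unknown": "no backup copy of this size or hash: verify against a vendor catalog",
}


def parse_sigcheck(text):
    """Return one dict (stamp, size, md5, path) per Sigcheck row."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            rows.append(dict(stamp=stamp, size=int(size), md5=md5.lower(), path=path))
    return rows


def assess(text):
    """Map each file name that has a live system32 copy to a verdict key."""
    by_name = defaultdict(list)
    for row in parse_sigcheck(text):
        by_name[row["path"].rsplit("\\", 1)[-1].lower()].append(row)

    verdicts = {}
    for name, rows in by_name.items():
        live = [r for r in rows if r["path"].lower().startswith(LIVE_PREFIX)]
        backups = [r for r in rows if not r["path"].lower().startswith(LIVE_PREFIX)]
        if not live:
            continue
        current = live[0]
        if any(b["md5"] == current["md5"] for b in backups):
            verdicts[name] = "match"
        elif any(b["size"] == current["size"] for b in backups):
            # A legitimate update changes the size; an in-place patch keeps it.
            verdicts[name] = "patched"
        else:
            verdicts[name] = "unknown"
    return verdicts


def report(text):
    """Human-readable lines, one per assessed file."""
    return [f"{name}: {VERDICT_TEXT[key]}" for name, key in sorted(assess(text).items())]


if __name__ == "__main__":
    print("\n".join(report(SIGCHECK_SAMPLE)))
```

Only the hash comparison against a vendor catalog (or a signature check) settles the question for good; the size-plus-hash heuristic is there to pick the files worth that effort out of a long Sigcheck list, and on this log it singles out exactly the two files ComboFix chose to list.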

dummest evar
24 Oct 2008, 4:49pm
Ok - here is the "log-Notepad" and the "info-notepad" from RSIT:

LOG:

Logfile of random's system information tool 1.04 (written by random/random)
Run by User at 2008-10-24 09:45:39
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 90 GB (79%) free of 114 GB
Total RAM: 511 MB (22% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:29 AM, on 10/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\User.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174968086125
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PTO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe (file missing)
--
End of file - 7763 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll [2004-08-13 282624]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2003-08-15 57344]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-25 282624]
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2003-09-13 50688]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\point32.exe [2004-06-03 204800]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-17 590848]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2004-08-04 158208]
"Corel Photo Downloader"=C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe [2007-05-09 478800]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe [2007-05-09 478800]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Billminder.lnk - C:\Program Files\QUICKENW\BILLMIND.EXE
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"ForceClassicControlPanel"=1
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f878ca4-6d49-11dd-8180-000c76e614fa}]
shell\AutoRun\command - F:\LaunchU3.exe -a

======List of files/folders created in the last 1 months======
2008-10-24 09:45:39 ----D---- C:\rsit
2008-10-24 09:32:31 ----A---- C:\ComboFix.txt
2008-10-24 08:52:12 ----A---- C:\Boot.bak
2008-10-24 08:52:05 ----D---- C:\cmdcons
2008-10-24 08:50:58 ----A---- C:\WINDOWS\zip.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\VFIND.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\SWSC.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\SWREG.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\sed.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\NIRCMD.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\grep.exe
2008-10-24 08:50:58 ----A---- C:\WINDOWS\fdsv.exe
2008-10-24 08:50:49 ----D---- C:\WINDOWS\ERDNT
2008-10-24 08:50:49 ----D---- C:\Qoobox
2008-10-23 16:47:52 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-10-23 16:47:49 ----D---- C:\Program Files\Alwil Software
2008-10-23 15:36:22 ----D---- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-10-23 14:46:13 ----D---- C:\Program Files\Free Window Registry Repair
2008-10-23 11:58:04 ----D---- C:\WINDOWS\pss
2008-10-23 11:42:00 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-22 10:13:43 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-22 08:32:52 ----D---- C:\Program Files\Trend Micro
2008-10-21 23:31:13 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-21 23:31:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 23:31:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 21:46:43 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-21 21:46:43 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 21:41:59 ----D---- C:\Program Files\SUPERAntiSpyware
2008-10-21 21:41:59 ----D---- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 21:41:31 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 21:28:59 ----A---- C:\WINDOWS\Sysvxd.exe
2008-10-21 21:26:33 ----A---- C:\WINDOWS\choice.exe
2008-10-21 21:09:54 ----D---- C:\Documents and Settings\User\Application Data\MSNInstaller
2008-10-21 20:21:53 ----A---- C:\WINDOWS\ivytac.dll
2008-10-21 20:21:53 ----A---- C:\Program Files\Common Files\yhuxovuw.vbs
2008-10-21 20:21:53 ----A---- C:\Program Files\Common Files\jucadosos.dll
2008-10-21 20:21:53 ----A---- C:\Program Files\Common Files\detozu.com
2008-10-21 19:49:55 ----A---- C:\WINDOWS\qiximaz.bat
2008-10-21 19:49:55 ----A---- C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
2008-10-21 19:49:54 ----A---- C:\WINDOWS\vokavet.bat
2008-10-21 19:49:54 ----A---- C:\Program Files\Common Files\axeja.bat
2008-10-21 19:49:54 ----A---- C:\Documents and Settings\All Users\Application Data\qylo.exe
======List of files/folders modified in the last 1 months======
2008-10-24 09:37:42 ----D---- C:\Documents and Settings\User\Application Data\MSN6
2008-10-24 09:32:38 ----D---- C:\WINDOWS\system32
2008-10-24 09:32:37 ----D---- C:\WINDOWS\Temp
2008-10-24 09:32:35 ----D---- C:\WINDOWS
2008-10-24 09:31:21 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-24 09:30:52 ----A---- C:\WINDOWS\system.ini
2008-10-24 09:30:42 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-24 09:30:05 ----D---- C:\WINDOWS\system32\drivers
2008-10-24 09:30:04 ----D---- C:\WINDOWS\AppPatch
2008-10-24 09:30:04 ----D---- C:\Program Files\Common Files
2008-10-24 09:25:58 ----RASH---- C:\boot.ini
2008-10-24 09:25:55 ----A---- C:\WINDOWS\win.ini
2008-10-24 09:22:09 ----D---- C:\Documents and Settings\User\Application Data\AVG7
2008-10-24 09:19:45 ----D---- C:\WINDOWS\system32\config
2008-10-24 08:50:48 ----D---- C:\WINDOWS\Prefetch
2008-10-24 08:20:29 ----SD---- C:\WINDOWS\Tasks
2008-10-23 16:47:49 ----RD---- C:\Program Files
2008-10-23 15:37:46 ----D---- C:\Documents and Settings\All Users\Application Data\avg7
2008-10-23 12:47:05 ----D---- C:\Documents and Settings
2008-10-23 11:34:06 ----D---- C:\WINDOWS\system32\LogFiles
2008-10-23 11:34:05 ----D---- C:\WINDOWS\Minidump
2008-10-23 10:51:32 ----RHD---- C:\$VAULT$.AVG
2008-10-22 08:38:32 ----D---- C:\WINDOWS\Debug
2008-10-21 23:41:47 ----SHD---- C:\WINDOWS\Installer
2008-10-21 23:41:47 ----HD---- C:\Config.Msi
2008-10-21 23:37:41 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-21 21:02:44 ----SD---- C:\Documents and Settings\User\Application Data\Microsoft
2008-10-21 20:54:55 ----D---- C:\Program Files\MSN
2008-10-21 20:54:49 ----HD---- C:\WINDOWS\inf
2008-10-21 17:59:05 ----D---- C:\Documents and Settings\User\Application Data\AdobeUM
2008-10-21 17:55:19 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-10-21 17:55:18 ----A---- C:\WINDOWS\system32\winlogon.exe
2008-10-21 17:54:24 ----D---- C:\WINDOWS\Registration
2008-10-20 03:04:12 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-20 03:01:26 ----D---- C:\Program Files\Internet Explorer
2008-10-07 13:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-10-22 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-04-06 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-04-06 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-20 10760]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 kbfilter;Keyboard Filter Driver; C:\WINDOWS\system32\drivers\kbfilter.sys [2000-09-13 11682]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2007-04-06 4960]
R2 IOPort;IOPort; \??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-08-14 404736]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-08-21 462940]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys [2004-05-21 6912]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2004-06-03 20352]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NMUSB;NMUSB; C:\WINDOWS\System32\DRIVERS\Nmusb.sys [2003-05-22 40625]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\MSN\MSNCoreFiles\SABProcEnum.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-10-22 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-04-06 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2007-12-20 406528]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.EXE [1999-12-13 44032]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2006-11-02 174656]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-10-30 492608]
S3 PTO;PTO; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTO.exe []
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
-----------------EOF-----------------

INFO:

info.txt logfile of random's system information tool 1.04 2008-10-24 09:46:31
======Uninstall list======
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\News\CTNews.isu"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actiontec Gateway-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Adobe Download Manager 1.2 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update-->MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ASIO4ALL-->C:\Program Files\ASIO4ALL v2\uninstall.exe
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG 7.5-->C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Collab-->C:\Program Files\Image-Line\Collab\uninstall.exe
Corel Snapfire-->MsiExec.exe /X{0EE4030A-8FD4-4798-A21D-17E525B1F7CF}
Creative Jukebox Driver-->C:\Program Files\Creative\Jukebox Driver\DrvUnins.exe /s
Creative NOMAD II Driver-->C:\Program Files\Creative\NOMAD2 Driver\DrvUnins.exe /s
Creative PlayCenter 2-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\PlayCenter2\Player2.isu"
Deckadance-->C:\Program Files\VstPlugins\Deckadance\uninstall.exe
EMU7800-->MsiExec.exe /X{A7B9D802-94C0-4AF3-88F6-3D71C935F385}
FFLM version 7.01-->"C:\Program Files\Fantasy Manager\unins000.exe"
FL Studio 7-->C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
Free Window Registry Repair-->C:\PROGRA~1\FREEWI~1\UNWISE.EXE C:\PROGRA~1\FREEWI~1\INSTALL.LOG
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone 4.7-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7-->"C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update-->MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
IL Download Manager-->C:\Program Files\Image-Line\Downloader\uninstall.exe
Indeo® Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll"
iTunes-->MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LADSPA_plugins-win-0.4.15-->"C:\Program Files\Audacity\Plug-Ins\unins000.exe"
MagicKey-->UpUninst.exe C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MagicKey\Uninst.isu"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MathPlayer-->C:\Program Files\Design Science\MathPlayer\Setup.exe -u
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Outlook Web Access S/MIME-->MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Microsoft Picture It! Express 9-->C:\WINDOWS\System32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0900}
Microsoft Picture It! Library 9-->C:\WINDOWS\System32\msiexec.exe /i {9F7FC79B-3059-4264-9450-39EB368E3220}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MSN Encarta Plus Support Files-->MsiExec.exe /I{00000000-785F-478A-BAA2-87F1A136068C}
MSN Money Investment Toolbox-->C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:5
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSN Toolbar-->C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\mtbs.exe c
MSN-->C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Musicnotes Player V1.22.3-->"C:\Program Files\Musicnotes\Player\unins000.exe"
myfantasyleague.com Game Day 2008-->"C:\Program Files\myfantasyleague\unins000.exe"
NOMAD II Manual-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\NOMAD II MANUAL\Uninst.isu"
NTI CD-Maker 6 Gold-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} /l1033 AnyText
NVIDIA Display Driver-->C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Puzzle Master 4-->C:\PROGRA~1\eGames\PUZZLE~1\UNWISE.EXE C:\PROGRA~1\eGames\PUZZLE~1\INSTALL.LOG
Quicken 2002 Basic-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime-->MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Studio Buddy-->C:\WINDOWS\unvise32.exe c:\PROGRA~1\uninstal.log
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
VST Bridge 1.0-->"C:\Program Files\Audacity\Plug-Ins\Plug-ins\VST Bridge\unins000.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant-->MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
=====HijackThis Backups=====
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - AppInit_DLLs: karna.dat
======Security center information======
AV: AVG 7.5.549 (disabled)
AV: avast! antivirus 4.8.1229 [VPS 081024-0]
FW: Norton Internet Worm Protection (disabled)
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
-----------------EOF-----------------

Katana
24 Oct 2008, 4:59pm
There look to be items there that MBAM should have taken care of; please do the following.




Start MalwareBytes AntiMalware


Update Malwarebytes' Anti-Malware
Select the Update tab
Click Update


When the update is complete, select the Scanner tab
Select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.


If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

dummest evar
24 Oct 2008, 5:51pm
Hi -

What was it that should have been removed? As you can see below, nothing was found, which is quite unusual. Please let me know what looks bad. Thanks.



Malwarebytes' Anti-Malware 1.30
Database version: 1313
Windows 5.1.2600 Service Pack 2
10/24/2008 10:49:32 AM
mbam-log-2008-10-24 (10-49-32).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 115181
Time elapsed: 46 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Katana
24 Oct 2008, 6:42pm
Please let me know what looks bad
That would take far too long :hair:

Step 1


Submit a File For Analysis
We need to have the files below scanned by uploading them/it to Virus Total

Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window
C:\WINDOWS\Sysvxd.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINDOWS\choice.exe

If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)

----------------------------------------------------------- -----------------------------------------------------------
Step 2


Custom CFScript



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

KillAll::
FCopy::
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe | C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll | C:\WINDOWS\system32\termsrv.dll

Suspect::[4]
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Sysvxd.exe
C:\Documents and Settings\All Users\Application Data\vonydaxid.scr
C:\WINDOWS\system32\cilykanami.dl
C:\Documents and Settings\All Users\Application Data\ulam.sys
C:\Program Files\Common Files\detozu.com
C:\WINDOWS\ogawi.dat
C:\WINDOWS\system32\baxepi._dl
C:\WINDOWS\system32\aqohohameq.inf
C:\Documents and Settings\User\Application Data\iqacuce.dat
C:\WINDOWS\ivytac.dll
C:\WINDOWS\isam.reg
C:\Program Files\Common Files\jucadosos.dll
C:\WINDOWS\system32\umix.sys
C:\Documents and Settings\All Users\Application Data\awoq.pif
C:\WINDOWS\system32\irelul._dl
C:\Program Files\Common Files\yhuxovuw.vbs
C:\WINDOWS\qiximaz.bat
C:\Program Files\Common Files\axeja.bat
C:\Documents and Settings\All Users\Application Data\byluw.sys
C:\WINDOWS\system32\likoji.dl
C:\Documents and Settings\All Users\Application Data\qylo.exe
C:\Documents and Settings\All Users\Application Data\zulykuw.dat
C:\WINDOWS\fevezi.inf
C:\WINDOWS\dipuzud.bin
C:\WINDOWS\vokavet.bat
C:\Documents and Settings\All Users\Application Data\ecemidisi.dll


File::
C:\WINDOWS\Sysvxd.exe
C:\Documents and Settings\All Users\Application Data\vonydaxid.scr
C:\WINDOWS\system32\cilykanami.dl
C:\Documents and Settings\All Users\Application Data\ulam.sys
C:\Program Files\Common Files\detozu.com
C:\WINDOWS\ogawi.dat
C:\WINDOWS\system32\baxepi._dl
C:\WINDOWS\system32\aqohohameq.inf
C:\Documents and Settings\User\Application Data\iqacuce.dat
C:\WINDOWS\ivytac.dll
C:\WINDOWS\isam.reg
C:\Program Files\Common Files\jucadosos.dll
C:\WINDOWS\system32\umix.sys
C:\Documents and Settings\All Users\Application Data\awoq.pif
C:\WINDOWS\system32\irelul._dl
C:\Program Files\Common Files\yhuxovuw.vbs
C:\WINDOWS\qiximaz.bat
C:\Program Files\Common Files\axeja.bat
C:\Documents and Settings\All Users\Application Data\byluw.sys
C:\WINDOWS\system32\likoji.dl
C:\Documents and Settings\All Users\Application Data\qylo.exe
C:\Documents and Settings\All Users\Application Data\zulykuw.dat
C:\WINDOWS\fevezi.inf
C:\WINDOWS\dipuzud.bin
C:\WINDOWS\vokavet.bat
C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
Folder::
Driver::
PTO
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-

ADS::

Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.

Click OK and follow the instructions to submit the file.



CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***



Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.



Now download and install Java Runtime Environment (JRE) (http://java.sun.com/javase/downloads/index.jsp).

----------------------------------------------------------- -----------------------------------------------------------
Step 4




Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.




----------------------------------------------------------- -----------------------------------------------------------
Step 5


Logs/Information to Post in Reply
Please post the following logs/Information in your reply


Virus Total results
ComboFix Log
Kaspersky Log
How are things running now?

dummest evar
24 Oct 2008, 6:51pm
Step 1 Results:


File Sysvxd.exe received on 10.16.2008 11:00:31 (CET)
Current status: finished
Result: 0/36 (0.00%)




Antivirus         | Version          | Last Update | Result
AhnLab-V3         | 2008.10.16.0     | 2008.10.16  | -
AntiVir           | 7.9.0.4          | 2008.10.16  | -
Authentium        | 5.1.0.4          | 2008.10.16  | -
Avast             | 4.8.1248.0       | 2008.10.15  | -
AVG               | 8.0.0.161        | 2008.10.16  | -
BitDefender       | 7.2              | 2008.10.16  | -
CAT-QuickHeal     | 9.50             | 2008.10.16  | -
ClamAV            | 0.93.1           | 2008.10.16  | -
DrWeb             | 4.44.0.09170     | 2008.10.16  | -
eSafe             | 7.0.17.0         | 2008.10.15  | -
eTrust-Vet        | 31.6.6150        | 2008.10.16  | -
Ewido             | 4.0              | 2008.10.15  | -
F-Prot            | 4.4.4.56         | 2008.10.15  | -
F-Secure          | 8.0.14332.0      | 2008.10.16  | -
Fortinet          | 3.113.0.0        | 2008.10.16  | -
GData             | 19               | 2008.10.16  | -
Ikarus            | T3.1.1.34.0      | 2008.10.16  | -
K7AntiVirus       | 7.10.496         | 2008.10.15  | -
Kaspersky         | 7.0.0.125        | 2008.10.16  | -
McAfee            | 5406             | 2008.10.16  | -
Microsoft         | 1.4005           | 2008.10.16  | -
NOD32             | 3526             | 2008.10.16  | -
Norman            | 5.80.02          | 2008.10.15  | -
Panda             | 9.0.0.4          | 2008.10.15  | -
PCTools           | 4.4.2.0          | 2008.10.15  | -
Prevx1            | V2               | 2008.10.16  | -
Rising            | 20.66.32.00      | 2008.10.16  | -
SecureWeb-Gateway | 6.7.6            | 2008.10.16  | -
Sophos            | 4.34.0           | 2008.10.16  | -
Sunbelt           | 3.1.1727.1       | 2008.10.16  | -
Symantec          | 10               | 2008.10.16  | -
TheHacker         | 6.3.1.0.114      | 2008.10.15  | -
TrendMicro        | 8.700.0.1004     | 2008.10.16  | -
VBA32             | 3.12.8.7         | 2008.10.16  | -
ViRobot           | 2008.10.16.1422  | 2008.10.16  | -
VirusBuster       | 4.5.11.0         | 2008.10.15  | -

Additional information
File size: 2002 bytes
MD5...: fb02957ebc0a93ae729ec416441c2978
SHA1..: 98534600c3820593187cc644b42a4220c1051144
SHA256: ecf1baa5b5cfbe6712dfa7b54f90d572e0692f6b579db4382bcca2866cbb991f
SHA512: 1d2effe4dac20dd71a8b0cdb4786e2f6023d2431fae5e3350749974beabbc436efde28440c023690210118219c50ed8daa78eb1d6d40475ffc9d3cf565dea0dc
PEiD..: -
TrID..: File type identification
HyperText Markup Language with DOCTYPE (80.6%)
HyperText Markup Language (19.3%)
PEInfo: -

*************

File choice.exe received on 10.09.2008 00:00:06 (CET)
Current status: finished
Result: 1/36 (2.78%)




Antivirus         | Version          | Last Update | Result
AhnLab-V3         | 2008.10.3.2      | 2008.10.08  | -
AntiVir           | 7.8.1.34         | 2008.10.08  | -
Authentium        | 5.1.0.4          | 2008.10.08  | -
Avast             | 4.8.1248.0       | 2008.10.08  | -
AVG               | 8.0.0.161        | 2008.10.08  | -
BitDefender       | 7.2              | 2008.10.08  | -
CAT-QuickHeal     | 9.50             | 2008.10.08  | -
ClamAV            | 0.93.1           | 2008.10.08  | -
DrWeb             | 4.44.0.09170     | 2008.10.08  | -
eSafe             | 7.0.17.0         | 2008.10.08  | Suspicious File
eTrust-Vet        | 31.6.6134        | 2008.10.07  | -
Ewido             | 4.0              | 2008.10.08  | -
F-Prot            | 4.4.4.56         | 2008.10.08  | -
F-Secure          | 8.0.14332.0      | 2008.10.08  | -
Fortinet          | 3.113.0.0        | 2008.10.08  | -
GData             | 19               | 2008.10.08  | -
Ikarus            | T3.1.1.34.0      | 2008.10.08  | -
K7AntiVirus       | 7.10.488         | 2008.10.08  | -
Kaspersky         | 7.0.0.125        | 2008.10.08  | -
McAfee            | 5400             | 2008.10.07  | -
Microsoft         | 1.4005           | 2008.10.08  | -
NOD32             | 3504             | 2008.10.08  | -
Norman            | 5.80.02          | 2008.10.07  | -
Panda             | 9.0.0.4          | 2008.10.07  | -
PCTools           | 4.4.2.0          | 2008.10.08  | -
Prevx1            | V2               | 2008.10.09  | -
Rising            | 20.65.22.00      | 2008.10.08  | -
SecureWeb-Gateway | 6.7.6            | 2008.10.08  | -
Sophos            | 4.34.0           | 2008.10.08  | -
Sunbelt           | 3.1.1708.1       | 2008.10.08  | -
Symantec          | 10               | 2008.10.08  | -
TheHacker         | 6.3.1.0.103      | 2008.10.07  | -
TrendMicro        | 8.700.0.1004     | 2008.10.08  | -
VBA32             | 3.12.8.6         | 2008.10.07  | -
ViRobot           | 2008.10.8.1412   | 2008.10.08  | -
VirusBuster       | 4.5.11.0         | 2008.10.08  | -

Additional information
File size: 21312 bytes
MD5...: 2e5832d56dcc6dc7ecb1cbe9ea350b9b
SHA1..: 0dfad92a2f9305ed8d46e374bf0bf36a554a9900
SHA256: 4223fa3cc5e3a0c3646addcc27911aec1c6858ca36b375bf5bf6370215679be4
SHA512: 013f3e82565150e56e311aef189f4010bb8262eef99f1a85653ab2013225071cf798e3502664ed85e55c0c578c11a81f2c1ace1ea95ca8e179f6af2f15849153
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100fa50
timedatestamp.....: 0x385fa388 (Tue Dec 21 15:58:00 1999)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xb000 0x5000 0x4c00 7.87 ab0a276a59e31f203f4a918d004916f6
UPX2 0x10000 0x1000 0x200 1.44 fb560fb590e032d609686e011bef8d53

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> USER32.dll: wsprintfA

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=2e5832d56dcc6dc7ecb1cbe9ea350b9b
packers (Kaspersky): UPX
packers (F-Prot): UPX
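
The PEInfo block above reports per-section entropy (the ntrpy column): 0.00 for the UPX0 section, which has no bytes on disk, and 7.87 for UPX1, which holds the packed payload; a tiny import table of only LoadLibraryA, GetProcAddress and ExitProcess is the other usual sign of a packer stub. As an added example, not part of this thread and not VirusTotal's or UPX's own code, here is the Shannon-entropy calculation behind that column, run over constructed stand-ins for the three sections (an empty buffer, a SHA-256 chain standing in for compressed data, and import strings padded with zeros). The 7.0 flag threshold is an assumed rule of thumb, not a VirusTotal value.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for an empty or constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed section."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Assumed rule of thumb: a section at or above this is treated as compressed or encrypted.
PACKED_THRESHOLD = 7.0


def classify_section(name: str, data: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Entropy plus a packed flag for one section, mirroring the ntrpy column of the report."""
    e = shannon_entropy(data)
    return {"name": name, "size": len(data), "entropy": round(e, 2), "packed": e >= threshold}


def triage_sections(sections) -> list:
    """Names of the sections whose entropy suggests packed or encrypted content."""
    return [r["name"] for r in (classify_section(n, d) for n, d in sections) if r["packed"]]


# Constructed stand-ins for the sections listed above; raw sizes taken from the rawdsiz column.
IMPORT_STRINGS = b"KERNEL32.DLL\0LoadLibraryA\0GetProcAddress\0ExitProcess\0USER32.dll\0wsprintfA\0"
SAMPLE_SECTIONS = [
    ("UPX0", b""),                                  # rawdsiz 0x0: nothing on disk, entropy 0.00
    ("UPX1", pseudo_random_bytes(0x4C00)),          # packed payload stand-in
    ("UPX2", IMPORT_STRINGS.ljust(0x200, b"\0")),   # import names plus zero padding
]

if __name__ == "__main__":
    for name, data in SAMPLE_SECTIONS:
        print(classify_section(name, data))
    print("packed sections:", triage_sections(SAMPLE_SECTIONS))
```

High entropy alone does not prove malice (installers and media-heavy binaries are packed too); it tells the analyst that the static strings and imports they can see are the unpacker's, not the payload's, so a verdict needs the unpacked image or a sandbox run.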

dummest evar
24 Oct 2008, 6:53pm
It is the eSafe one, if you can't see it right away, that is a suspicious file...

dummest evar
24 Oct 2008, 7:21pm
Here is the CF log for step 2, but there was no window for internet/file submission. The computer did reboot automatically, though.


ComboFix 08-10-23.08 - User 2008-10-24 11:59:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.121 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\All Users\Application Data\awoq.pif
C:\Documents and Settings\All Users\Application Data\byluw.sys
C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
C:\Documents and Settings\All Users\Application Data\qylo.exe
C:\Documents and Settings\All Users\Application Data\ulam.sys
C:\Documents and Settings\All Users\Application Data\vonydaxid.scr
C:\Documents and Settings\All Users\Application Data\zulykuw.dat
C:\Documents and Settings\User\Application Data\iqacuce.dat
C:\Program Files\Common Files\axeja.bat
C:\Program Files\Common Files\detozu.com
C:\Program Files\Common Files\jucadosos.dll
C:\Program Files\Common Files\yhuxovuw.vbs
C:\WINDOWS\dipuzud.bin
C:\WINDOWS\fevezi.inf
C:\WINDOWS\isam.reg
C:\WINDOWS\ivytac.dll
C:\WINDOWS\ogawi.dat
C:\WINDOWS\qiximaz.bat
C:\WINDOWS\system32\aqohohameq.inf
C:\WINDOWS\system32\baxepi._dl
C:\WINDOWS\system32\cilykanami.dl
C:\WINDOWS\system32\irelul._dl
C:\WINDOWS\system32\likoji.dl
C:\WINDOWS\system32\umix.sys
C:\WINDOWS\Sysvxd.exe
C:\WINDOWS\vokavet.bat
.
Error: Cfiles.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\awoq.pif
C:\Documents and Settings\All Users\Application Data\byluw.sys
C:\Documents and Settings\All Users\Application Data\ecemidisi.dll
C:\Documents and Settings\All Users\Application Data\qylo.exe
C:\Documents and Settings\All Users\Application Data\ulam.sys
C:\Documents and Settings\All Users\Application Data\vonydaxid.scr
C:\Documents and Settings\All Users\Application Data\zulykuw.dat
C:\Documents and Settings\User\Application Data\iqacuce.dat
C:\Program Files\Common Files\axeja.bat
C:\Program Files\Common Files\detozu.com
C:\Program Files\Common Files\jucadosos.dll
C:\Program Files\Common Files\yhuxovuw.vbs
C:\WINDOWS\dipuzud.bin
C:\WINDOWS\fevezi.inf
C:\WINDOWS\isam.reg
C:\WINDOWS\ivytac.dll
C:\WINDOWS\ogawi.dat
C:\WINDOWS\qiximaz.bat
C:\WINDOWS\system32\aqohohameq.inf
C:\WINDOWS\system32\baxepi._dl
C:\WINDOWS\system32\cilykanami.dl
C:\WINDOWS\system32\irelul._dl
C:\WINDOWS\system32\likoji.dl
C:\WINDOWS\system32\umix.sys
C:\WINDOWS\Sysvxd.exe
C:\WINDOWS\vokavet.bat
.
--------------- FCopy ---------------
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe --> C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll --> C:\WINDOWS\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PTO
-------\Service_PTO

((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.
2008-10-24 11:59 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-10-24 09:45 . 2008-10-24 09:50 <DIR> d-------- C:\rsit
2008-10-23 16:47 . 2008-10-23 16:47 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-23 15:36 . 2008-10-23 15:36 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-10-23 14:46 . 2008-10-23 14:58 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2008-10-23 12:47 . 2008-10-23 12:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-22 10:13 . 2008-10-22 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-22 08:32 . 2008-10-22 08:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 23:31 . 2008-10-23 20:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 23:31 . 2008-10-21 23:31 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-21 23:31 . 2008-10-21 23:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 23:31 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 23:31 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-21 21:46 . 2008-10-23 19:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-21 21:46 . 2008-10-24 08:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 21:41 . 2008-10-21 21:41 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 21:26 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2008-10-21 21:09 . 2008-10-21 21:09 <DIR> d-------- C:\Documents and Settings\User\Application Data\MSNInstaller
2008-10-21 18:12 . 2008-10-21 18:12 163 --a------ C:\Documents and Settings\User\xrt_log.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 15:37 --------- d-----w C:\Documents and Settings\User\Application Data\MSN6
2008-10-24 15:22 --------- d-----w C:\Documents and Settings\User\Application Data\AVG7
2008-10-23 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-10-21 23:59 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-09-16 19:52 --------- d-----w C:\Documents and Settings\User\Application Data\Corel
2008-09-16 16:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-16 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-09-16 16:00 1,111,632 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2008-09-16 16:00 --------- d-----w C:\Program Files\Corel
2008-09-16 16:00 --------- d-----w C:\Program Files\Common Files\Corel
2008-09-08 22:11 --------- d-----w C:\Program Files\myfantasyleague
2008-08-29 03:41 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2006-07-11 23:10 61,737,440 ----a-w C:\Program Files\World_Wind_1.3.5_Full.exe
2006-07-11 20:18 24,265,736 ----a-w C:\Program Files\dotnetfx.exe
2006-07-11 18:44 61,737,440 ----a-w C:\Program Files\Nasa World Wind Setup.exe
2005-06-05 20:17 63,488 ----a-w C:\Documents and Settings\All Users\Norton - June 5 2005 Password Manager SETUP.exe
2005-01-06 05:27 2,184 ----a-w C:\Program Files\uninstal.log
.
((((((((((((((((((((((((((((( snapshot@2008-10-24_ 9.31.57.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:07 295,424 ----a-w C:\WINDOWS\LastGood.Tmp\system32\termsrv.dll
+ 2004-08-04 07:56:46 295,424 -c--a-w C:\WINDOWS\system32\dllcache\termsrv.dll
+ 2004-08-04 07:56:57 502,272 -c--a-w C:\WINDOWS\system32\dllcache\winlogon.exe
+ 2008-10-24 18:02:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 282624]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2007-05-09 478800]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\QUICKENW\BILLMIND.EXE [2007-01-13 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-05-09 13:11 478800 C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2000-09-13 11682]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-10-22 38496]
S3 NMUSB;NMUSB;C:\WINDOWS\system32\DRIVERS\Nmusb.sys [2003-05-22 40625]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f878ca4-6d49-11dd-8180-000c76e614fa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 12:03:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-10-24 12:10:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-24 18:10:47
ComboFix2.txt 2008-10-24 15:32:31
Pre-Run: 94,264,594,432 bytes free
Post-Run: 94,317,154,304 bytes free
223 --- E O F --- 2008-10-20 09:04:17
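
A defender reading the Reg Loading Points section of the ComboFix log above looks first at the entries that weaken the machine's own defences rather than at the ordinary Run entries: the Security Center DisableNotify values, EnableFirewall = 0, the SymantecFirewall DisableMonitoring value, the Winlogon notify package, and the removable-drive AutoRun handler under mountpoints2. As an added example (not ComboFix's code and not part of the thread), here is a small parser that walks that REGEDIT4-style output and flags exactly those kinds of entries. The sample input is constructed from lines quoted from the log above, plus one AppInit_DLLs value written in the same style from the karna.dat entry in the earlier HijackThis O20 line; the category names are assumptions of this example.

```python
import re

# Constructed sample: lines quoted from the ComboFix "Reg Loading Points" section above, plus an
# AppInit_DLLs value written in the same REGEDIT4 style from the earlier HijackThis O20 line.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="karna.dat"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f878ca4-6d49-11dd-8180-000c76e614fa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_sections(text: str) -> list:
    """Group REGEDIT4-style output into (key, [(name, value), ...]); bare lines get name ''."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
            continue
        if current is None:
            continue  # stray line before the first key
        m = VALUE_RE.match(line)
        if m:
            current[1].append((m.group(1), m.group(2).strip()))
        else:
            current[1].append(("", line))  # e.g. the DLL path listed under a notify key
    return sections


def reg_int(value: str):
    """Integer from 'dword:00000001' or ComboFix's '0 (0x0)' rendering; None if neither."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def triage(text: str) -> list:
    """Flag entries that switch off defences or add load points an analyst should review."""
    findings = []

    def flag(kind, key, detail):
        findings.append({"kind": kind, "key": key, "detail": detail})

    for key, values in parse_reg_sections(text):
        k = key.lower()
        if "\\security center" in k:
            for name, val in values:
                if name.endswith("DisableNotify") and reg_int(val) == 1:
                    flag("security-center-notify-off", key, name)
                elif name == "DisableMonitoring" and reg_int(val) == 1:
                    flag("security-center-monitoring-off", key, name)
        elif "\\firewallpolicy\\" in k:
            for name, val in values:
                if name == "EnableFirewall" and reg_int(val) == 0:
                    flag("firewall-disabled", key, name)
        elif "\\winlogon\\notify\\" in k:
            for _, val in values:  # every notify package loads into winlogon; list it for review
                flag("winlogon-notify", key, val)
        elif k.endswith("\\currentversion\\windows"):
            for name, val in values:
                if name.lower() == "appinit_dlls" and val.strip('"'):
                    flag("appinit-dlls", key, val.strip('"'))
        elif "\\mountpoints2\\" in k:
            for _, val in values:
                if "autorun" in val.lower():
                    flag("drive-autorun", key, val)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:32} {f['detail']}")
```

The Run key in the sample produces no finding on purpose: whether a Run entry is bad depends on the file behind it, whereas a suppressed Security Center notification or a disabled firewall is worth a line in the report regardless of who set it.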

dummest evar
24 Oct 2008, 7:30pm
Here is the Java Log:


JavaRa 1.11 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Oct 24 12:28:22 2008
Found and removed: C:\Program Files\Java\jre1.5.0_07
Found and removed: C:\Program Files\Java\jre1.6.0_02
Found and removed: C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64
Found and removed: Software\JavaSoft\Java2D\1.5.0_07
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510007
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510007
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510007
Found and removed: SOFTWARE\Classes\JavaPlugin.150_07
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.5.0_07
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.5.0_07
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D510007
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510007
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150070}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}
Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003
Found and removed: SOFTWARE\Classes\JavaPlugin.160_02
Found and removed: SOFTWARE\Classes\JavaPlugin.160_03
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_02
Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_02
Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610002
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610003
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610002
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160020}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.5.0_07
Found and removed: Software\Classes\JavaPlugin.160_02
Found and removed: Software\Classes\JavaPlugin.160_03
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_07\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\bin\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_02
Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03
Found and removed: Software\JavaSoft\Java2D\1.6.0_03
Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_03
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}
Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}
------------------------------------
Finished reporting.

Katana
24 Oct 2008, 11:12pm
Do you have the Kaspersky log ?

dummest evar
24 Oct 2008, 11:20pm
Here are the Kaspersky scan results:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 24, 2008 20:52:26
Records in database: 1343168
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan statistics:
Files scanned: 68209
Threat name: 6
Infected objects: 13
Suspicious objects: 2
Duration of the scan: 01:22:30

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\308430E0.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42005DFE.79 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42005DFE.79 Infected: Email-Worm.Win32.NetSky.q 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4F9830BD.8d Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4F9830BD.8d Infected: Email-Worm.Win32.NetSky.q 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D547282.58 Infected: Email-Worm.Win32.NetSky.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir Infected: Backdoor.Win32.TDSS.ats 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqlt.sys.vir Infected: Backdoor.Win32.TDSS.ats 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqxt.sys.vir Infected: Backdoor.Win32.TDSS.ats 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSShrxr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnmxh.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSosvn.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSrtqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
The selected area was scanned.

dummest evar
24 Oct 2008, 11:39pm
Not very good, I know.

dummest evar
24 Oct 2008, 11:45pm
Is this gonna be like that John Travolta '70's movie and my computer will have to live in a plastic bubble all the time now?

Katana
25 Oct 2008, 12:17am
Is this gonna be like that John Travolta '70's movie and my computer will have to live in a plastic bubble all the time now?
http://img116.exs.cx/img116/1231/z7shysterical.gif


Actually, that Kaspersky log is fine. All the items it found have already been put in quarantine :rockon:

Now, I need you to upload some files for me as the auto submit didn't work.
(that is if you don't mind helping us :) )
Your files will find their way into the Antivirus databases, so you will have done your bit towards helping everyone with a computer.

Let's see where that .zip file went to

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files", name it look.bat, and save it on your desktop.


@echo off
if exist C:\Kresults.txt del /q C:\Kresults.txt
dir /a /d /s C:\qoobox > C:\Kresults.txt
start notepad C:\Kresults.txt
del /q %0
Exit
Double click on look.bat
Please be patient, as this will search the entire disc.

Notepad will open, please copy/paste the results here.

dummest evar
25 Oct 2008, 12:20am
It took no time whatsoever. Here is the notepad scribble that came back:

Volume in drive C has no label.
Volume Serial Number is F87D-4C7C
Directory of C:\qoobox
[.] ComboFix2.txt
[..] [Quarantine]
Add-Remove Programs.txt snapshot@2008-10-24_ 9.31.57.14.dat
[BackEnv] snapshot@2008-10-24_ 9.31.57.14_B.dat
CFScript_used_2008-10-24@11.57.txt
ComboFix-quarantined-files.txt
6 File(s) 2,091,859 bytes
Directory of C:\qoobox\BackEnv
[.] personal.folder.dat
[..] Profiles.Folder.dat
appdata.folder.dat programs.folder.dat
cache.folder.dat SetPath.bat
Cookies.folder.dat startmenu.folder.dat
desktop.folder.dat startup.folder.dat
favorites.folder.dat SysPath.dat
localappdata.folder.dat templates.folder.dat
localsettings.folder.dat
mypictures.folder.dat
16 File(s) 18,115 bytes
Directory of C:\qoobox\Quarantine
[.] [Registry_backups]
[..] [4]-Submit_2008-10-24@11.57.zip
[C]
catchme.log
2 File(s) 692,344 bytes
Directory of C:\qoobox\Quarantine\C
[.] [Documents and Settings] [WINDOWS]
[..] [Program Files]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings
[.] [..] [All Users] [User]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\All Users
[.] [..] [Application Data]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data
[.] byluw.sys.vir ulam.sys.vir
[..] ecemidisi.dll.vir vonydaxid.scr.vir
awoq.pif.vir qylo.exe.vir zulykuw.dat.vir
7 File(s) 117,833 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\User
[.] [Application Data]
[..] [Cookies]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\User\Application Data
[.] [..] iqacuce.dat.vir
1 File(s) 14,567 bytes
Directory of C:\qoobox\Quarantine\C\Documents and Settings\User\Cookies
[.] acexaneq.ban.vir ozawy.pif.vir yhoja._dl.vir
[..] nuhe.dat.vir ucalag.lib.vir
5 File(s) 76,983 bytes
Directory of C:\qoobox\Quarantine\C\Program Files
[.] [..] [Common Files]
0 File(s) 0 bytes
Directory of C:\qoobox\Quarantine\C\Program Files\Common Files
[.] axeja.bat.vir jucadosos.dll.vir
[..] detozu.com.vir yhuxovuw.vbs.vir
4 File(s) 62,117 bytes
Directory of C:\qoobox\Quarantine\C\WINDOWS
[.] fevezi.inf.vir ogawi.dat.vir Sysvxd.exe.vir
[..] isam.reg.vir qiximaz.bat.vir vokavet.bat.vir
dipuzud.bin.vir ivytac.dll.vir [system32]
8 File(s) 113,382 bytes
Directory of C:\qoobox\Quarantine\C\WINDOWS\system32
[.] TDSSlxwp.dll.vir TDSSsbhc.log.vir
[..] TDSSmaxt.dat.vir TDSSthym.dll.vir
aqohohameq.inf.vir TDSSnmxh.dll.vir TDSStkdv.dll.vir
baxepi._dl.vir TDSSnmxh.log.vir TDSStkdv.log.vir
cilykanami.dl.vir TDSSnrsr.dll.vir TDSSvvbi.dll.vir
[drivers] TDSSoeqh.dll.vir TDSSvvbi.log.vir
irelul._dl.vir TDSSoiqh.dll.vir TDSSxfum.dll.vir
likoji.dl.vir TDSSoiqt.dll.vir termsrv.dll.vir
TDSSbubv.log.vir TDSSosvn.dat.vir umix.sys.vir
TDSScfub.dll.vir TDSSosvn.dll.vir windows_update.exe.vir
TDSSfpmp.dll.vir TDSSrhyp.dll.vir winlogon.exe.vir
TDSShrxr.dll.vir TDSSriqp.dll.vir
TDSSkpjp.log.vir TDSSrtqp.dll.vir
TDSSlrvd.dat.vir TDSSsbhc.dll.vir
36 File(s) 1,763,999 bytes
Directory of C:\qoobox\Quarantine\C\WINDOWS\system32\drivers
[.] TDSSpaxt.sys.vir TDSSpqxt.sys.vir
[..] TDSSpqlt.sys.vir
3 File(s) 181,248 bytes
Directory of C:\qoobox\Quarantine\Registry_backups
[.] SafeBoot-TDSSpaxt.sys.reg.dat
[..] Service_PTO.reg.dat
HKLM-Run-CFSServ.exe.reg.dat Service_TDSSserv.reg.dat
HKLM-Run-NDSTray.exe.reg.dat Service_TDSSserv.sys).reg.dat
HKLM-Run-TFncKy.reg.dat tcpip.reg
Legacy_PTO.reg.dat
9 File(s) 10,019 bytes
Total Files Listed:
97 File(s) 5,142,466 bytes
47 Dir(s) 94,230,999,040 bytes free

Katana
25 Oct 2008, 12:35am
Please open LINK >>> THIS PAGE (http://www.bleepingcomputer.com/submit-malware.php?channel=4) <<< LINK in a new window.



In the box marked Link to topic where this file was requested: please copy/paste this text
http://icrontic.com/forum/showthread.php?p=648450#post648450

Now click Browse and navigate to C:\qoobox\Quarantine\[4]-Submit_2008-10-24@11.57.zip
In the Largest box please put
File Requested By Katana
Failed CF Submit
Finally click SendFile


Let me know when you have done that.

dummest evar
25 Oct 2008, 7:20am
OK, I have done that. It was successful.

dummest evar
25 Oct 2008, 7:21am
If I haven't thanked you lately, then thank you for all your efforts. I do so appreciate you.

Katana
25 Oct 2008, 1:54pm
If I haven't thanked you lately, then thank you for all your efforts. I do so appreciate you.
It's a pleasure :)

Last steps now ....

OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop


Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Files )



:Files
C:\Documents and Settings\User\Desktop\JavaRa.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\RSIT (folder)
C:\Kresults.txt
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\*.*
:Commands
[EmptyTemp]


Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.




Click the red Moveit! button.
Close OTMoveIt3



If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



----------------------------------------------------------- -----------------------------------------------------------

Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First, let's tidy up.



This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png






Open OTMoveIt and click Cleanup;
it will now connect to the internet and get a list of files to delete.
When a box pops up, click YES.

You can also delete any logs we have produced, and empty your Recycle bin.


Enable Teatimer



RIGHT click Link >>> HERE <<< Link (http://downloads.subratam.org/ResetTeaTimer.bat) and select "save as" and save it to your desktop
Double click ResetTeaTimer.bat
Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Check the box labeled Resident Tea-Timer and OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
You can now delete ResetTeaTimer.bat




----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free (for home users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program

It includes host protection and registry protection
A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.


MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner



Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one.
Winpatrol (http://www.winpatrol.com)

An excellent startup manager and then some !!
Notifies you if programs are added to startup
Allows delayed startup
A must have addition


SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html)

SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.


SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html)

SpywareGuard provides real-time protection against spyware.
Not required if you have other "realtime" antispyware or Winpatrol


ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33)

Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.


MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip)

This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002.
Not required if you are using other host file protections





Internet Browsers

Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.


Next press the Apply button and then the OK to exit the Internet Properties page.




If you are still using IE6 then either update, or get one of the following.

FireFox (http://www.mozilla.com/en-US/firefox/)

With many addons available that make customization easy, this is a very popular choice.
NoScript and AdBlockPlus addons are essential


Opera (http://www.opera.com/)

Another popular alternative


Netscape (http://browser.netscape.com/addons)

Another popular alternative
Also has Addons available







Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25)

Free and very simple to use


CCleaner (http://www.ccleaner.com/)

Free and very flexible, you can choose which cookies to keep.





Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
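The Internet Explorer zone settings and the SpywareBlaster killbits described in the post above can both be audited offline from a registry export, so you can verify the changes took rather than trust the dialog. This is an added example, not code from the thread or from any of the tools it mentions. It assumes a .reg file produced by regedit's File > Export; the zone action ids (1001, 1004, 1201, 1800, 1804, 1607), the 0/1/3 Enable/Prompt/Disable encoding and the 0x400 "Compatibility Flags" killbit are Microsoft's documented registry encodings, while the sample export and the CLSIDs in it are constructed placeholders.

```python
"""Audit an exported .reg file against the Internet Explorer hardening
advice above (Internet zone settings) and check ActiveX killbits of the
kind SpywareBlaster sets.  Added example; the sample export and the
CLSIDs in it are constructed placeholders, not values from the thread."""
import re

# URL action ids for the Internet zone (zone 3) and the setting recommended
# in the post.  Values use Microsoft's encoding: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED_ZONE3 = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
KILLBIT_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                r"\ActiveX Compatibility")
KILLBIT_FLAG = 0x400  # bit in "Compatibility Flags" that blocks a control in IE

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values of a .reg export."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        val = _DWORD_RE.match(line)
        if val and current is not None:
            result[current][val.group(1)] = int(val.group(2), 16)
    return result


def audit_zone3(reg):
    """Return (action_id, description, current, recommended) for each Internet
    zone action that is missing or more permissive than the post recommends.
    Lower values are more permissive (0 Enable < 1 Prompt < 3 Disable)."""
    values = reg.get(ZONE3_KEY, {})
    findings = []
    for action, (desc, want) in RECOMMENDED_ZONE3.items():
        have = values.get(action)
        if have is None or have < want:
            findings.append((action, desc, have, want))
    return findings


def killbit_set(reg, clsid):
    """True if the CLSID's Compatibility Flags carry the 0x400 killbit."""
    flags = reg.get(KILLBIT_ROOT + "\\" + clsid, {}).get("Compatibility Flags", 0)
    return bool(flags & KILLBIT_FLAG)


# Constructed sample export: two zone actions left at Enable, one CLSID
# with the killbit set and one without.  The CLSIDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for action, desc, have, want in audit_zone3(reg):
        print(f"zone 3 action {action} ({desc}): is {have}, recommended {want}")
    for clsid in ("{00000000-0000-0000-0000-000000000001}",
                  "{00000000-0000-0000-0000-000000000002}"):
        print(clsid, "killbit set" if killbit_set(reg, clsid) else "NO killbit")
```

To run it against a real machine, export the two keys with regedit and read the file with `open(path, encoding="utf-16")`, since regedit writes .reg files as UTF-16 text; a missing action id is reported as a finding because the zone then falls back to its template default, which may be more permissive than what the post asks for.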
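The hosts-file explanation and the MVPS HOSTS recommendation above both rely on the same mechanism, so it helps to see how a defender tells a legitimate blocking entry from a tampered one. The following is an added example, not code from the thread or from the MVPS project: it parses a hosts file and separates names pointed at a blackhole address (the MVPS blocking style) from names redirected to any other address, which is what a hijacked hosts file looks like. The sample hosts content is constructed, and the domain names in it are placeholders.

```python
"""Classify the entries of a Windows hosts file so that legitimate blocking
entries (the MVPS HOSTS style: names pointed at 0.0.0.0 or 127.0.0.1) are
told apart from entries that silently redirect a name to some other address,
which is how a tampered hosts file keeps a machine away from security sites.
Added example; the sample hosts content below is constructed."""
import ipaddress

BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first column is not an address: ignore the line
        for name in parts[1:]:
            yield parts[0], name.lower()


def classify_hosts(text):
    """Return {'local': [...], 'blocked': [...], 'redirected': [(name, ip), ...]}.

    'blocked'    names sent to a blackhole address (expected for ad/malware blocking)
    'redirected' names sent anywhere else (treat as tampering until proven otherwise)
    """
    report = {"local": [], "blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            report["local"].append(name)
        elif ip in BLACKHOLE:
            report["blocked"].append(name)
        else:
            report["redirected"].append((name, ip))
    return report


# Constructed sample: the normal localhost line, two MVPS-style blocks and two
# security-vendor-looking placeholder names redirected to a TEST-NET address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test      # blocked on purpose
127.0.0.1       tracker.example.test
192.0.2.44      www.example-antivirus.test     # redirect: tampering indicator
192.0.2.44      update.example-antivirus.test
"""

if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        print(f"{kind}: {entries}")
```

On Windows the live file is `%SystemRoot%\System32\drivers\etc\hosts`; read it and pass the text to `classify_hosts`. Anything in the `redirected` list deserves a look, because a legitimately installed MVPS HOSTS file only ever produces `blocked` entries.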

dummest evar
25 Oct 2008, 4:13pm
Good morning -

Here is the message when running MoveIt:

The application or DLL C:\Documents and Settings\All USers\Application Data\Symantec\Norton AntiVirus\Quarantine\241F2FB2.dll is not a valid Windows image. Please check this against your installation diskette.

Katana
25 Oct 2008, 5:06pm
Norton may be protecting that folder, so let's leave it alone
Use this with OTMoveIT

:Files
C:\Documents and Settings\User\Desktop\JavaRa.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\RSIT (folder)
C:\Kresults.txt
:Commands
[EmptyTemp]

dummest evar
25 Oct 2008, 6:21pm
Katana -

My entire household, and especially myself, thanks you immensely. I have done everything except read the how did I get infected in the first place article (by the way, I subscribe to Netflix and downloaded a movie viewer they have so that you can watch things online, and that pretty much coincides with my problems' beginning - no sketchy sites including porn)

I have a couple of questions and then I shall leave you alone - for now! Ha ha...

- Windows asks me on startup about running System Restore - what should I do with that?
- Windows also asks about security - firewall is disabled. I do not have any other firewall software. What should I do about that?

Otherwise, everything is ok; you can archive the thread. Again I thank you very much and I would make you a cheesecake (MY specialty) to reciprocate; alas I fear that is impossible! Have a great day, life, etc. - A.

Katana
25 Oct 2008, 8:19pm
- Windows asks me on startup about running System Restore - what should I do with that?
- Windows also asks about security - firewall is disabled. I do not have any other firewall software. What should I do about that?

It should ask about Recovery Console for about 2-3 seconds at start up, not System Restore.
I recommend that you leave that in place, as it could save your machine one day.

When it prompts about the firewall, if you click the balloon it should give you an option to disable notification.

dummest evar
25 Oct 2008, 8:42pm
Yes, you are right, it is the recovery function.

So, will I not need a firewall then on top of everything else I have, and I should disable the Windows firewall?

Katana
25 Oct 2008, 9:04pm
A firewall is always a wise thing to have, but you only have 511 MB RAM.
Sometimes you have to trade safety with performance.
If you can live with less speed, then definitely use a firewall

Firewall

A third party firewall is much safer than the Windows basic firewall, as it stops malware that does get on your PC from contacting "home".
Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
It is recommended to have only one Firewall active.
Comodo Firewall (http://www.personalfirewall.comodo.com/)
Outpost Firewall (http://www.agnitum.com/products/outpostfree/index.php)

dummest evar
25 Oct 2008, 11:51pm
OK last one - should I change all my important passwords now? I mean, I am not even sure what was on my system and what it was meant to do exactly...

And thank you again very much.

Katana
26 Oct 2008, 12:04am
You should be fine, but it is always wise to change passwords after being infected.

Katana
30 Oct 2008, 2:43pm
Glad we could be of assistance! This topic is now closed.

If you wish to reopen your topic, please send a Private Message (PM) to Trogan (http://icrontic.com/forum/private.php?do=newpm&u=2703) with a link to your thread.

If you are not the user who started this thread, you must start your own Thread (http://icrontic.com/forum/newthread.php?do=newthread&f=57) instead :)