SpybotSD.exe is missing

**Gnfnrs** · 2008-01-07, 12:57

Hi, when I try to open Spybot I get the message that the exe file is missing. The same thing happens when I try to open other anti-malware programs.

This is the Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:23 AM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Lestat\Desktop\Progfangs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Lestat\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mtmjmtuz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mtmjmtuz.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\tshl.exe
O4 - HKLM\..\Run: [242ed09f] rundll32.exe "C:\WINDOWS\system32\bjlhojnw.dll",b
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [EDMF Agent] C:\WINDOWS\system32\Sys32\EDMF.exe
O4 - HKLM\..\Run: [License] locker.exe
O4 - HKLM\..\Run: [EDMF Agent] C:\WINDOWS\system32\Sys32\EDMF .exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [a-squared] "C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKCU\..\Run: [nntime.exe] nntime.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Documents and Settings\Ajan\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\DOCUME~1\Ajan\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\DOCUME~1\Ajan\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1198043326174
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.c...nstall1322.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Unknown owner - C:\Program Files\Anti-Malware\a2service.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BOCore - COMODO - C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Comodo\BOCORE.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xkorpddi.exe (file missing)
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5807 bytes

This is the GMER results:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-07 03:55:54
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation

---- Devices - GMER 1.0.13 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F86C7ABE] xpdx.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F82EE1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F82EE1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F82EE454] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F82EE1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F82E1F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F82E1F4C] fltmgr.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F86C898C] xpdx.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86C898C] xpdx.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86C898C] xpdx.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86C898C] xpdx.sys

---- EOF - GMER 1.0.13 ----

Thank you for the help.

**Blade81** · 2008-01-09, 18:45

Hi

Unfortunately your log shows signs of a rootkit being present on your system.This means your PC is at risk now and sadly may always be.
The problem with rootkits is they are very hard to detect and extremely hard to remove completely.
Rootkits may also have what is known as a backdoor.The backdoor, if present, will give complete remote access to your system.This means someone will be able to steal any information stored on your PC including addresses, names and telephone numbers and more worryingly passwords, bank account details and any other financial information, basically they will have access to any data that you do.

At this point you have 2 options :-

OPTION 1

We attempt to remove the rootkit but will never really know if it is completely removed which means all the above applies.
There will be no guarantees with this option.

OPTION 2

We reformat your system.
This will destroy the rootkit but means you will have to reinstall everything.

My advice would be OPTION 2 It is the only safe, effective and positive way of dealing with this type of infection.
It will also be much quicker to reformat/reinstall than to attempt the removal.

I would like you to read the information over and when you have decided which option to choose post back and I will gladly assist with what ever route you choose to take.

If you take option 1 navigate into :\Documents and Settings\Lestat\Desktop\Progfangs\Temizle folder and rename HijackThis.exe file -> Gnfnrs.exe. After renaming post a fresh hjt log.

**Gnfnrs** · 2008-01-10, 15:46

Hi Blade81, thank you for the reply. Fortunately I was able to run Spybot and fixed the problems found. Although I suspect that it is enough. I would like to go with option 1 because I have a lot of files and data that I can't save elsewhere for now. I renamed Hijackthis and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:01 AM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Dok\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Windows Media Player\mplayerc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Gnfnrs.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\DOCUME~1\Ajan\SDHelper.dll
O2 - BHO: (no name) - {68A453C9-C650-474E-80E6-1A4F885F387D} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {76ad6002-1dd2-11b2-9391-c40bb9df0f00} - C:\WINDOWS\turgjyza.dll (file missing)
O2 - BHO: {3a202bbc-b908-8d39-ffd4-a858678b667e} - {e766b876-858a-4dff-93d8-809bcbb202a3} - C:\WINDOWS\system32\vscnuhjo.dll
O2 - BHO: (no name) - {FA16FE06-B462-470E-9653-79C54B1871FF} - C:\WINDOWS\system32\hggedax.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Lestat\Desktop\Progfangs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mtmjmtuz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mtmjmtuz.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\tshl.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [License] locker.exe
O4 - HKLM\..\Run: [a-squared] "C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Dok\SDTrayApp.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2734] command /c del "C:\WINDOWS\system32\gebyw.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3487] cmd /c del "C:\WINDOWS\system32\gebyw.dll_tobedeleted"
O4 - HKCU\..\Run: [nntime.exe] nntime.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7121] command /c del "C:\WINDOWS\system32\gebyw.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3971] cmd /c del "C:\WINDOWS\system32\gebyw.dll_tobedeleted"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\DOCUME~1\Ajan\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\DOCUME~1\Ajan\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1198043326174
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.c...nstall1322.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dbgeng32 - C:\WINDOWS\SYSTEM32\dbgeng32.dll
O20 - Winlogon Notify: hggedax - hggedax.dll (file missing)
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Unknown owner - C:\Program Files\Anti-Malware\a2service.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BOCore - COMODO - C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Comodo\BOCORE.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Dok\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Dok\swdsvc.exe

--
End of file - 8325 bytes

**Blade81** · 2008-01-10, 17:25

Okay. Let's try the cleaning then

1. Download this file -
combofix.exe to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall

**Gnfnrs** · 2008-01-12, 03:00

Ok, here is the combofix log:

ComboFix 08-01-10.2 - Lestat 2008-01-11 15:47:01.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.243 [GMT -8:00]
Running from: C:\Documents and Settings\Lestat\Desktop\ComboFix.exe
Command switches used :: and Settings\Lestat\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\mtmjmtuz.dll
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Comodo\BOC425 .EXE
C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.exe
C:\WINDOWS\system32\ownbulqn.dll
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini2

Code:

 <pre>
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Comodo\BOC425 .EXE ---> QooBox
C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant    .exe ---> QooBox
C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant   .exe ---> UnlockerAssistant.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant  .exe ---> UnlockerAssistant.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant .exe ---> UnlockerAssistant.exe
</pre>

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 05:00 . 2008-01-11 05:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 05:00 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 04:55 . 2008-01-11 04:55 2,472 --a------ C:\clean.bat
2008-01-11 00:21 . 2008-01-11 06:34 354 --ahs---- C:\WINDOWS\system32\bdcjxnhm.ini
2008-01-10 18:00 . 2008-01-10 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-10 11:47 . 2007-04-01 21:58 546,304 --a------ C:\WINDOWS\system32\SETC8.tmp
2008-01-10 09:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 05:59 . 2008-01-10 05:59 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-10 05:53 . 2008-01-10 05:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-09 15:40 . 2008-01-09 18:20 414 --ahs---- C:\WINDOWS\system32\juxmvpts.ini
2008-01-08 06:42 . 2008-01-08 06:42 183,808 --a------ C:\WINDOWS\system32\drivers\Nyhv71.sys.ren
2008-01-07 23:30 . 2008-01-08 06:42 183,808 --a------ C:\WINDOWS\system32\drivers\symavc32.sys.ren
2008-01-07 23:17 . 2008-01-07 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 23:16 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-01-07 23:16 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-07 15:38 . 2008-01-07 15:38 294 --ahs---- C:\WINDOWS\system32\nblsvfhm.ini
2008-01-07 03:44 . 2008-01-07 03:55 250 --a------ C:\WINDOWS\gmer.ini
2008-01-07 03:03 . 2008-01-07 03:06 <DIR> d-------- C:\Program Files\Panda Security
2008-01-07 02:32 . 2008-01-10 17:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 22:14 . 2007-12-31 19:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-06 03:40 . 2008-01-06 03:40 294 --ahs---- C:\WINDOWS\system32\wnjohljb.ini
2008-01-06 03:37 . 2008-01-06 03:37 75,840 --a------ C:\WINDOWS\system32\kyeolesd.dll
2008-01-05 20:42 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-01-05 20:42 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-01-05 20:40 . 2008-01-05 20:41 <DIR> d-------- C:\WINDOWS\system32\RMBin
2008-01-05 06:04 . 2008-01-05 06:06 <DIR> d-------- C:\My Documents
2008-01-04 18:16 . 2004-08-03 23:56 135,680 --a------ C:\taskmgr.exe
2008-01-04 18:13 . 2008-01-04 18:13 583 --a------ C:\Shortcut to taskmgr.lnk
2008-01-04 16:55 . 2007-02-28 01:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-01-04 16:55 . 2007-02-28 01:08 2,136,064 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-04 04:26 . 2008-01-04 11:52 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-04 04:21 . 2008-01-04 04:21 474 --a------ C:\WINDOWS\otstuk.tmp
2008-01-04 04:20 . 2008-01-04 04:20 2 --a------ C:\WINDOWS\uid.tmp
2008-01-04 03:37 . 2008-01-05 05:23 594 --ahs---- C:\WINDOWS\system32\xhkygacd.ini
2008-01-03 21:46 . 2008-01-07 23:30 <DIR> d-------- C:\Program Files\Anti-Malware
2008-01-03 21:15 . 2008-01-03 21:15 354 --ahs---- C:\WINDOWS\system32\shrxcrmt.ini
2008-01-03 18:43 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-03 18:38 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-01-03 18:37 . 2008-01-03 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2008-01-03 18:37 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-01-03 18:37 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-01-03 18:37 . 2008-01-07 02:56 941 --a------ C:\WINDOWS\BOC425.INI
2008-01-02 08:53 . 2008-01-02 08:53 294 --ahs---- C:\WINDOWS\system32\xjwrbgoj.ini
2008-01-01 15:49 . 2008-01-10 05:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 15:49 . 2008-01-10 05:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-01 15:49 . 2008-01-10 05:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 15:49 . 2008-01-10 05:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 13:29 . 2008-01-01 13:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-01 13:29 . 2008-01-01 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-01 03:52 . 2008-01-05 07:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-01 00:36 . 2008-01-01 00:36 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-12-31 19:27 . 2007-12-31 19:27 <DIR> d-------- C:\WINDOWS\Sun
2007-12-31 19:27 . 2008-01-07 23:05 <DIR> d-------- C:\Documents and Settings\Lestat\.housecall6.6
2007-12-31 16:57 . 2008-01-07 23:30 <DIR> d-------- C:\Program Files\ewido anti-malware
2007-12-31 15:55 . 2007-12-31 15:55 <DIR> d-------- C:\WINDOWS\tsqwqcfw
2007-12-31 15:55 . 2008-01-03 07:33 <DIR> d-------- C:\WINDOWS\KB628926
2007-12-31 05:45 . 2007-12-31 05:51 <DIR> d-------- C:\Program Files\Play65
2007-12-29 23:14 . 2007-12-29 23:14 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-28 02:59 . 2007-12-28 02:59 <DIR> d-------- C:\Program Files\InstallPlay65
2007-12-25 13:11 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-25 02:15 . 2007-12-25 02:15 <DIR> d-------- C:\Program Files\Vstplugins
2007-12-24 17:27 . 2007-12-24 17:27 <DIR> d-------- C:\WINDOWS\uninstall\Qabalah Trainer V 2.00
2007-12-24 17:27 . 2007-12-24 17:27 <DIR> d-------- C:\WINDOWS\uninstall
2007-12-24 17:27 . 2007-12-24 17:27 0 --a------ C:\WINDOWS\system32\kabbtree.reg
2007-12-24 17:26 . 2000-12-06 00:00 209,608 --a------ C:\WINDOWS\system32\Tabctl32.ocx
2007-12-24 17:26 . 2007-07-27 13:05 203,976 --a------ C:\WINDOWS\system32\Richtx32.ocx
2007-12-24 17:26 . 1999-05-07 00:00 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2007-12-24 17:25 . 2007-12-24 17:28 98 --a------ C:\WINDOWS\ANS2000.INI
2007-12-24 17:25 . 2007-12-24 17:25 20 --ah----- C:\WINDOWS\akebook.ini
2007-12-24 17:25 . 2007-12-24 17:25 4 --ah----- C:\WINDOWS\a3kebook.ini
2007-12-24 12:24 . 2006-04-26 13:00 8,167,424 --a------ C:\WINDOWS\system32\ATLANTIS 3D SCREENSAVER.BAK
2007-12-24 12:22 . 2006-04-26 13:00 8,167,424 --a------ C:\WINDOWS\system32\Atlantis 3D Screensaver.scr
2007-12-24 12:22 . 2006-04-26 12:59 3,197 --a------ C:\WINDOWS\system32\Atlantis3DScreensaver.html
2007-12-23 04:06 . 2007-12-23 04:06 <DIR> d-------- C:\Documents and Settings\Lestat\Incomplete
2007-12-23 04:04 . 2008-01-04 01:58 <DIR> d-------- C:\Program Files\Java
2007-12-23 04:04 . 2007-12-23 04:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 04:04 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 03:10 . 2007-12-23 03:49 36 --a------ C:\Documents and Settings\Lestat\klextlock.dat
2007-12-23 03:01 . 2007-12-23 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kazaa Lite
2007-12-22 21:11 . 2008-01-11 14:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-22 21:11 . 2007-12-22 21:11 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-22 21:10 . 2007-12-22 21:10 <DIR> d-------- C:\Program Files\iPod
2007-12-22 21:08 . 2008-01-04 13:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-22 21:08 . 2008-01-01 06:09 <DIR> d-------- C:\Program Files\QuickTime
2007-12-22 21:08 . 2007-12-22 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-21 22:16 . 2004-08-20 14:56 57,151 --a------ C:\WINDOWS\system32\igfx.hlp
2007-12-21 21:18 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-21 21:18 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-21 21:18 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-21 21:09 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-21 19:46 . 1998-09-02 00:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-12-21 19:46 . 1998-08-26 20:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-12-21 19:46 . 1998-08-20 03:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2007-12-21 19:46 . 1998-09-02 00:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-12-21 19:46 . 1998-09-02 00:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-12-21 19:46 . 1998-08-17 01:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2007-12-21 19:46 . 1998-08-17 01:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-12-21 19:46 . 1998-08-17 01:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2007-12-21 19:46 . 2007-12-21 19:46 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-12-21 19:46 . 2007-12-21 19:46 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 23:59 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-19 02:49 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

Code:

<pre>
----a-w         1,318,912 2008-01-09 00:05:06  C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w         1,038,336 2008-01-11 12:49:41  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76ad6002-1dd2-11b2-9391-c40bb9df0f00}]
C:\WINDOWS\turgjyza.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nntime.exe"="nntime.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"SUPERAntiSpyware"="C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Documents and Settings\Lestat\Desktop\Progfangs\iTunes\iTunesHelper.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"drmsrv32"="C:\tshl.exe" [ ]
"UnlockerAssistant"="C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant .exe" [ ]
"License"="locker.exe" []
"!AVG Anti-Spyware"="C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\avgas.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA1836"="command /c del C:\WINDOWS\SchedLgU.Txt_tobedeleted" [ ]
"SpybotDeletingC5923"="cmd /c del C:\WINDOWS\SchedLgU.Txt_tobedeleted" [ ]
"SpybotDeletingA2356"="command /c del C:\WINDOWS\system32\gebyw.dll_tobedeleted" [ ]
"SpybotDeletingC1994"="cmd /c del C:\WINDOWS\system32\gebyw.dll_tobedeleted" [ ]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2004-05-12 01:03 3948032]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbgeng32]
dbgeng32.dll 2004-11-05 02:35 8192 C:\WINDOWS\system32\dbgeng32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggedax]
hggedax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32]
winrnt32.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 03:12]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Comodo\BOCDRIVE.sys [2007-04-17 14:14]

*Newly Created Service* - AVGASCLN
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 15:55:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 16:03:34 - machine was rebooted [Lestat]
ComboFix-quarantined-files.txt 2008-01-12 00:03:14
.
2008-01-10 19:53:54 --- E O F ---

**Blade81** · 2008-01-12, 12:52

Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\clean.bat
C:\WINDOWS\system32\bdcjxnhm.ini
C:\WINDOWS\system32\juxmvpts.ini
C:\WINDOWS\system32\drivers\Nyhv71.sys.ren
C:\WINDOWS\system32\drivers\symavc32.sys.ren
C:\WINDOWS\system32\nblsvfhm.ini
C:\WINDOWS\system32\wnjohljb.ini
C:\WINDOWS\system32\kyeolesd.dll
C:\taskmgr.exe
C:\Shortcut to taskmgr.lnk
C:\WINDOWS\otstuk.tmp
C:\WINDOWS\uid.tmp
C:\WINDOWS\system32\xhkygacd.ini
C:\WINDOWS\system32\shrxcrmt.ini
C:\WINDOWS\system32\xjwrbgoj.ini
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\turgjyza.dll
C:\WINDOWS\system32\dbgeng32.dll

Folder::
C:\WINDOWS\tsqwqcfw
C:\WINDOWS\KB628926

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76ad6002-1dd2-11b2-9391-c40bb9df0f00}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drmsrv32"=-
"License"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbgeng32]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggedax]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32]

Save this as
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Run GMER again and post its log, Combofix log & a fresh hjt log.

**Gnfnrs** · 2008-01-13, 22:14

Hi, this is the combofix log:

ComboFix 08-01-10.2 - Lestat 2008-01-13 12:35:58.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.240 [GMT -8:00]
Running from: C:\Documents and Settings\Lestat\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lestat\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\clean.bat
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Shortcut to taskmgr.lnk
C:\taskmgr.exe
C:\WINDOWS\otstuk.tmp
C:\WINDOWS\system32\bdcjxnhm.ini
C:\WINDOWS\system32\dbgeng32.dll
C:\WINDOWS\system32\drivers\Nyhv71.sys.ren
C:\WINDOWS\system32\drivers\symavc32.sys.ren
C:\WINDOWS\system32\juxmvpts.ini
C:\WINDOWS\system32\kyeolesd.dll
C:\WINDOWS\system32\nblsvfhm.ini
C:\WINDOWS\system32\shrxcrmt.ini
C:\WINDOWS\system32\wnjohljb.ini
C:\WINDOWS\system32\xhkygacd.ini
C:\WINDOWS\system32\xjwrbgoj.ini
C:\WINDOWS\turgjyza.dll
C:\WINDOWS\uid.tmp
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 03:15 . 2008-01-12 03:21 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\The Chosen
2008-01-12 03:15 . 2008-01-12 03:15 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\Frater
2008-01-12 02:21 . 2008-01-12 02:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-01-12 02:09 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-12 02:09 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-12 02:09 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-12 02:09 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-01-12 02:06 . 2008-01-12 02:22 <DIR> d-------- C:\Program Files\Battlestar Galactica
2008-01-12 00:43 . 2008-01-12 01:59 <DIR> d-------- C:\Downloads
2008-01-11 05:01 . 2008-01-11 05:01 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\Grisoft
2008-01-11 05:00 . 2008-01-11 05:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 05:00 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-10 18:00 . 2008-01-11 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-10 11:47 . 2007-04-01 21:58 546,304 --a------ C:\WINDOWS\system32\SETC8.tmp
2008-01-10 09:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 05:59 . 2008-01-10 05:59 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-10 05:53 . 2008-01-10 05:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-07 23:17 . 2008-01-07 23:17 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\SUPERAntiSpyware.com
2008-01-07 23:17 . 2008-01-07 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 23:16 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-01-07 23:16 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-07 03:44 . 2008-01-13 12:27 250 --a------ C:\WINDOWS\gmer.ini
2008-01-07 03:03 . 2008-01-07 03:06 <DIR> d-------- C:\Program Files\Panda Security
2008-01-07 02:32 . 2008-01-10 17:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 22:14 . 2007-12-31 19:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 20:42 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-01-05 20:42 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-01-05 20:40 . 2008-01-05 20:41 <DIR> d-------- C:\WINDOWS\system32\RMBin
2008-01-05 06:04 . 2008-01-11 23:13 <DIR> d-------- C:\My Documents
2008-01-04 16:55 . 2007-02-28 01:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-01-04 16:55 . 2007-02-28 01:08 2,136,064 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-04 04:26 . 2008-01-04 11:52 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 21:46 . 2008-01-07 23:30 <DIR> d-------- C:\Program Files\Anti-Malware
2008-01-03 18:43 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-03 18:38 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-01-03 18:37 . 2008-01-03 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2008-01-03 18:37 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-01-03 18:37 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-01-03 18:37 . 2008-01-07 02:56 941 --a------ C:\WINDOWS\BOC425.INI
2008-01-01 15:49 . 2008-01-10 05:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 15:49 . 2008-01-10 05:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-01 15:49 . 2008-01-10 05:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 15:49 . 2008-01-10 05:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 13:29 . 2008-01-01 13:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-01 13:29 . 2008-01-01 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-01 03:52 . 2008-01-05 07:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-01 00:36 . 2008-01-01 00:36 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-12-31 19:27 . 2007-12-31 19:27 <DIR> d-------- C:\WINDOWS\Sun
2007-12-31 19:27 . 2008-01-07 23:05 <DIR> d-------- C:\Documents and Settings\Lestat\.housecall6.6
2007-12-31 16:57 . 2008-01-07 23:30 <DIR> d-------- C:\Program Files\ewido anti-malware
2007-12-31 05:45 . 2007-12-31 05:51 <DIR> d-------- C:\Program Files\Play65
2007-12-29 23:14 . 2007-12-29 23:14 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-28 02:59 . 2007-12-28 02:59 <DIR> d-------- C:\Program Files\InstallPlay65
2007-12-25 13:11 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-25 12:29 . 2007-12-25 12:29 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\Sony
2007-12-25 12:25 . 2007-12-25 12:25 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\Publish Providers
2007-12-25 12:25 . 2007-12-25 12:25 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\NetMedia Providers
2007-12-25 02:15 . 2007-12-25 02:15 <DIR> d-------- C:\Program Files\Vstplugins
2007-12-24 17:27 . 2007-12-24 17:27 <DIR> d-------- C:\WINDOWS\uninstall\Qabalah Trainer V 2.00
2007-12-24 17:27 . 2007-12-24 17:27 <DIR> d-------- C:\WINDOWS\uninstall
2007-12-24 17:27 . 2007-12-24 17:27 0 --a------ C:\WINDOWS\system32\kabbtree.reg
2007-12-24 17:26 . 2000-12-06 00:00 209,608 --a------ C:\WINDOWS\system32\Tabctl32.ocx
2007-12-24 17:26 . 2007-07-27 13:05 203,976 --a------ C:\WINDOWS\system32\Richtx32.ocx
2007-12-24 17:26 . 1999-05-07 00:00 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2007-12-24 17:25 . 2007-12-24 17:28 98 --a------ C:\WINDOWS\ANS2000.INI
2007-12-24 17:25 . 2007-12-24 17:25 20 --ah----- C:\WINDOWS\akebook.ini
2007-12-24 17:25 . 2007-12-24 17:25 4 --ah----- C:\WINDOWS\a3kebook.ini
2007-12-24 12:24 . 2006-04-26 13:00 8,167,424 --a------ C:\WINDOWS\system32\ATLANTIS 3D SCREENSAVER.BAK
2007-12-24 12:22 . 2006-04-26 13:00 8,167,424 --a------ C:\WINDOWS\system32\Atlantis 3D Screensaver.scr
2007-12-24 12:22 . 2006-04-26 12:59 3,197 --a------ C:\WINDOWS\system32\Atlantis3DScreensaver.html
2007-12-23 15:06 . 2007-12-23 15:06 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\vlc
2007-12-23 04:18 . 2007-12-23 04:18 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\eMule
2007-12-23 04:06 . 2007-12-23 04:06 <DIR> d-------- C:\Documents and Settings\Lestat\Incomplete
2007-12-23 04:05 . 2007-12-23 04:12 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\LimeWire
2007-12-23 04:04 . 2008-01-04 01:58 <DIR> d-------- C:\Program Files\Java
2007-12-23 04:04 . 2007-12-23 04:04 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 04:04 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 03:10 . 2007-12-23 03:49 36 --a------ C:\Documents and Settings\Lestat\klextlock.dat
2007-12-23 03:01 . 2007-12-23 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kazaa Lite
2007-12-22 21:11 . 2008-01-13 12:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-22 21:11 . 2007-12-22 21:11 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-22 21:10 . 2007-12-22 21:10 <DIR> d-------- C:\Program Files\iPod
2007-12-22 21:10 . 2007-12-26 01:25 <DIR> d-------- C:\Documents and Settings\Lestat\Application Data\Apple Computer
2007-12-22 21:08 . 2008-01-04 13:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-22 21:08 . 2008-01-01 06:09 <DIR> d-------- C:\Program Files\QuickTime
2007-12-22 21:08 . 2007-12-22 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-21 22:16 . 2004-08-20 14:56 57,151 --a------ C:\WINDOWS\system32\igfx.hlp
2007-12-21 21:18 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-21 21:18 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-21 21:18 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-21 21:09 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-21 19:46 . 1998-09-02 00:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-12-21 19:46 . 1998-08-26 20:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-12-21 19:46 . 1998-08-20 03:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2007-12-21 19:46 . 1998-09-02 00:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-12-21 19:46 . 1998-09-02 00:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-12-21 19:46 . 1998-08-17 01:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2007-12-21 19:46 . 1998-08-17 01:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-12-21 19:46 . 1998-08-17 01:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2007-12-21 19:46 . 2007-12-21 19:46 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 01:27 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-21 23:59 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-19 02:49 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((( snapshot_2008-01-13_12.25.42.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 20:15:23 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 20:35:52 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 20:15:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 20:35:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 20:15:23 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 20:35:52 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 20:15:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 20:35:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 20:15:23 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 20:35:52 5,087,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 20:15:23 212,992 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 20:35:52 212,992 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nntime.exe"="nntime.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"SUPERAntiSpyware"="C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Documents and Settings\Lestat\Desktop\Progfangs\iTunes\iTunesHelper.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"UnlockerAssistant"="C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant .exe" [ ]
"!AVG Anti-Spyware"="C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\avgas.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SASWINLO.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 03:12]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Comodo\BOCDRIVE.sys [2007-04-17 14:14]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 12:38:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 12:38:57
ComboFix-quarantined-files.txt 2008-01-13 20:38:41
ComboFix2.txt 2008-01-13 20:26:24
ComboFix3.txt 2008-01-12 00:03:39
.
2008-01-10 19:53:54 --- E O F ---

**Gnfnrs** · 2008-01-13, 22:16

Hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:14 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Ad-aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Comodo\BOCORE.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Gnfnrs.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Lestat\Desktop\Progfangs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Documents and Settings\Lestat\Desktop\Progfangs\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [nntime.exe] nntime.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1198043326174
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.c...nstall1322.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Unknown owner - C:\Program Files\Anti-Malware\a2service.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Documents and Settings\Lestat\Desktop\Progfangs\Ad-aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\Comodo\BOCORE.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6495 bytes

Gmer log:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-13 13:05:15
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT \??\C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.

---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x01 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Con 0x01 0x00 0x00 0x00 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList@System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI 0x01 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.13 ----

Thank you for your time and the help.

**Blade81** · 2008-01-14, 07:47

Hi

You need to reinstall following programs to make them work properly again (uninstall first thru add/remove programs if found any with similar names):
-Superantispyware
-Spybot
-Sun Java (this is on the list with a bit different name)
-RealPlayer
-QuickTime player
-Adobe reader 8.0
-Unlocker

AVG Anti-Spyware 7.5 is new version of Ewido anti-malware. So, you can unistall Ewido to free up some space.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.

The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:

Scan using the following Anti-Virus database:

Extended (If available, otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

Once the scan is complete:

Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post.
If the results of the anti virus scan itself will take more than one post to contain, you can upload report to http://rapidshare.com.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.
Download HERE
To run SafeBootKeyRepair.exe:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click the SafeBootKeyRepair.exe file.
When finished, it shall produce a log for you.
3. Post the entire contents of C:\SafeBoot_Repair.txt in your next reply.

Summary of logs to be posted:
-Kaspersky report
-entire contents of C:\SafeBoot_Repair.txt

**Gnfnrs** · 2008-01-15, 23:01

Hi, this is the kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 15, 2008 4:48:29 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/01/2008
Kaspersky Anti-Virus database records: 511739
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 75020
Number of viruses found: 15
Number of infected objects: 58
Number of suspicious objects: 0
Duration of the scan process: 02:02:13
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\00B98372.exe.bac_a00776 Infected: Trojan.Win32.Pakes.bqt skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\2923FC1F.exe.bac_a00776 Infected: Trojan.Win32.Pakes.bqt skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\A2E1767E.exe.bac_a02600 Infected: Trojan.Win32.Pakes.bqt skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\bjlhojnw.dll.bac_a02600 Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\egmulhxk.dll.bac_a02676 Infected: Trojan-Downloader.Win32.VB.bzi skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\gamadril20071203[1].bac_a00776 Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\gamadril20071203[1].bac_a02600 Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\gebyw.exe.bac_a00776 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\gebyw.exe.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\hctp[1].bac_a00776 Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\hctp[1].bac_a02600 Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\hggedax.dll.bac_a00776 Infected: Trojan-Downloader.Win32.Small.hlr skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\isrcivbl.exe.bac_a00776 Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\jusched.exe.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\kb628927.exe.bac_a02676 Infected: Trojan-Downloader.Win32.Adload.ma skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\Keygen.zip.bac_a01012/Keygen.exe Infected: Trojan-Dropper.Win32.Agent.bcw skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\Keygen.zip.bac_a01012 ZIP: infected - 1 skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\Keygen.zip.bac_a01012 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\mhfvslbn.dll.bac_a00776 Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\Norton Antivirus 2007 + KeyGen.zip.bac_a01012/Keygen.zip/Keygen.exe Infected: Trojan-Dropper.Win32.Agent.bcw skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\Norton Antivirus 2007 + KeyGen.zip.bac_a01012/Keygen.zip Infected: Trojan-Dropper.Win32.Agent.bcw skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\Norton Antivirus 2007 + KeyGen.zip.bac_a01012 ZIP: infected - 2 skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\Norton Antivirus 2007 + KeyGen.zip.bac_a01012 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\oijilkqo.exe.bac_a02600 Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCX110.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCX11B.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCX12A.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCX12E.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCX132.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCX3C.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCX57.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCX7.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCXAB.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCXC3.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCXC7.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCXD7.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCXED.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCXF2.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCXF6.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\RCXFA.tmp.bac_a02600 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\r[1].exe.bac_a00776 Infected: Trojan.Win32.Pakes.bqt skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\r[1].exe.bac_a02600 Infected: Trojan.Win32.Pakes.bqt skipped
C:\Documents and Settings\Lestat\.housecall6.6\Quarantine\wl.exe.bac_a02600 Infected: not-a-virus:RiskTool.Win32.Winlocker.a skipped
C:\Documents and Settings\Lestat\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Lestat\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Lestat\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\history.dat Object is locked skipped
C:\Documents and Settings\Lestat\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\key3.db Object is locked skipped
C:\Documents and Settings\Lestat\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Lestat\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Lestat\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Lestat\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lestat\Desktop\Progfangs\SCREAMSAVERS, ICONS, WALLPAPERS\Atlantis\AS Keygen.exe Infected: Trojan-Dropper.Win32.KGen.di skipped
C:\Documents and Settings\Lestat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\Application Data\Mozilla\Firefox\Profiles\36txuuzh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\History\History.IE5\MSHist012008011520080116\index.dat Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\Temp\Perflib_Perfdata_40c.dat Object is locked skipped
C:\Documents and Settings\Lestat\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lestat\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lestat\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Lestat\Desktop\Progfangs\Temizle\2\AVG Anti-Spyware 7.5\avgas.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dbgeng32.dll.vir Infected: Trojan.Win32.Agent.dte skipped
C:\QooBox\Quarantine\catchme2008-01-11_155533.78.zip/gebyw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\catchme2008-01-11_155533.78.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\Registry_backups\LEGACY_SROSA.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP191\A0021150.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP191\A0021151.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP191\A0021152.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP191\A0021153.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP191\A0021154.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP191\A0021155.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP191\A0021156.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP193\A0021256.dll Infected: Trojan.Win32.Agent.dte skipped
C:\System Volume Information\_restore{6FC5BF30-15D8-463E-8450-AAE0020ECFFC}\RP214\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{837584A7-9EAA-4F77-855F-4C85EA96DDD3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_5d0.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\WinLockDll.dll Infected: not-a-virus:RiskTool.Win32.Winlocker.a skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.

Thread: SpybotSD.exe is missing

Thread Tools

Display

SpybotSD.exe is missing

Posting Permissions