PDA

View Full Version : HELP NEEDED with Trojan horse PSW.OnlineGames threat!!!!



flamingrecca
2008-03-27, 16:03
Recently, i have been troubled by trojan horses that my AVG scanner has revealed. I cant access my external harddisk or any flash drive properly by clicking on it. Instead, it said that i have no permission to access it and prompted me to open with an appropriate program..

Please help me!!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:26 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xmau8kyg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles/xmau8kyg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?98926b13b58347abba60c4b10a489833
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?98926b13b58347abba60c4b10a489833
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173506026781
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)

--
End of file - 9271 bytes

Shaba
2008-03-29, 12:32
Hi flamingrecca

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

flamingrecca
2008-03-29, 19:35
Hi Shaba

Thanks for reply=) The following are my fresh hijackthis log and the combofix log..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:19 AM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xmau8kyg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles/xmau8kyg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?98926b13b58347abba60c4b10a489833
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?98926b13b58347abba60c4b10a489833
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173506026781
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)

--
End of file - 9552 bytes

flamingrecca
2008-03-29, 19:42
AND my combofix log..

ComboFix 08-03-27.5 - user 2008-03-30 1:19:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\9KTAXRVD\www.inter-focus.cn
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\9KTAXRVD\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\kavo1.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-30 01:27 . 2008-03-30 01:27 4,474 --a------ C:\WINDOWS\GATHER.KM
2008-03-22 16:03 . 2008-03-27 02:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-22 16:03 . 2008-03-22 16:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 21:12 . 2008-03-15 21:12 <DIR> d-------- C:\Program Files\Softnyx
2008-03-05 02:59 . 2008-03-05 02:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 17:15 --------- d-----w C:\Documents and Settings\user\Application Data\SiteAdvisor
2008-03-26 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 19:32 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-03-22 07:39 --------- d-----w C:\Documents and Settings\user\Application Data\BitTorrent
2008-03-16 17:40 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-16 15:37 --------- d-----w C:\Program Files\Java
2008-02-24 07:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((( snapshot@2007-12-17_ 2.11.28.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-04 18:29:10 551,936 ----a-w C:\WINDOWS\$hf_mig$\KB943055\SP2QFE\oleaut32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943055\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943055\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\updspapi.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
+ 2007-12-18 09:38:59 179,712 ----a-w C:\WINDOWS\$hf_mig$\KB946026\SP2QFE\mrxdav.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB946026\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB946026\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\updspapi.dll
+ 2007-03-06 01:22:33 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB946627\spmsg.dll
+ 2007-03-06 01:22:39 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB946627\spuninst.exe
+ 2007-03-06 01:22:31 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB946627\update\spcustom.dll
+ 2007-03-06 01:22:56 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB946627\update\update.exe
+ 2007-03-06 01:23:47 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB946627\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB941644$\spuninst\updspapi.dll
+ 2006-04-20 12:18:35 360,576 -c----w C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
+ 2007-05-17 11:28:05 549,376 -c----w C:\WINDOWS\$NtUninstallKB943055$\oleaut32.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB943055$\spuninst\updspapi.dll
+ 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\$NtUninstallKB943485$\lsasrv.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB943485$\spuninst\updspapi.dll
+ 2007-10-11 05:57:29 1,024,000 -c----w C:\WINDOWS\$NtUninstallKB944533$\browseui.dll
+ 2007-10-11 05:57:29 151,040 -c----w C:\WINDOWS\$NtUninstallKB944533$\cdfview.dll
+ 2007-10-11 05:57:30 1,054,208 -c----w C:\WINDOWS\$NtUninstallKB944533$\danim.dll
+ 2007-10-11 05:57:30 357,888 -c----w C:\WINDOWS\$NtUninstallKB944533$\dxtmsft.dll
+ 2007-10-11 05:57:30 205,824 -c----w C:\WINDOWS\$NtUninstallKB944533$\dxtrans.dll
+ 2007-10-11 05:57:30 55,808 -c----w C:\WINDOWS\$NtUninstallKB944533$\extmgr.dll
+ 2007-10-10 10:48:23 18,432 -c----w C:\WINDOWS\$NtUninstallKB944533$\iedw.exe
+ 2007-10-11 05:57:31 251,904 -c----w C:\WINDOWS\$NtUninstallKB944533$\iepeers.dll
+ 2007-10-11 05:57:31 96,256 -c----w C:\WINDOWS\$NtUninstallKB944533$\inseng.dll
+ 2007-10-11 05:57:31 16,384 -c----w C:\WINDOWS\$NtUninstallKB944533$\jsproxy.dll
+ 2007-10-30 09:55:21 3,065,856 -c----w C:\WINDOWS\$NtUninstallKB944533$\mshtml.dll
+ 2007-10-11 05:57:36 449,024 -c----w C:\WINDOWS\$NtUninstallKB944533$\mshtmled.dll
+ 2007-10-11 05:57:36 146,432 -c----w C:\WINDOWS\$NtUninstallKB944533$\msrating.dll
+ 2007-10-11 05:57:37 532,480 -c----w C:\WINDOWS\$NtUninstallKB944533$\mstime.dll
+ 2007-10-11 05:57:37 39,424 -c----w C:\WINDOWS\$NtUninstallKB944533$\pngfilt.dll
+ 2007-10-11 05:57:39 1,498,112 -c----w C:\WINDOWS\$NtUninstallKB944533$\shdocvw.dll
+ 2007-10-11 05:57:40 474,112 -c----w C:\WINDOWS\$NtUninstallKB944533$\shlwapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB944533$\spuninst\updspapi.dll
+ 2007-10-11 05:57:40 617,984 -c----w C:\WINDOWS\$NtUninstallKB944533$\urlmon.dll
+ 2007-10-11 05:57:41 666,112 -c----w C:\WINDOWS\$NtUninstallKB944533$\wininet.dll
+ 2007-10-29 10:04:03 350,720 -c----w C:\WINDOWS\$NtUninstallKB944533$\xpsp3res.dll
+ 2004-08-04 13:00:00 181,248 -c----w C:\WINDOWS\$NtUninstallKB946026$\mrxdav.sys
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB946026$\spuninst\updspapi.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w C:\WINDOWS\$NtUninstallKB946627$\spuninst\updspapi.dll
+ 2000-08-31 00:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2007-03-13 02:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 00:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-03-17 06:32:42 88,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\ADDRPARS.DLL
+ 2005-03-17 06:36:34 161,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\IETAG.DLL
+ 2005-03-17 06:32:46 122,056 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\IMPMAIL.DLL
+ 2005-03-17 06:32:50 141,000 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\OUTLPH.DLL
+ 2005-03-31 05:21:32 64,200 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\OUTLRPC.DLL
+ 2005-03-17 06:02:02 555,720 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\PUBCONV.DLL
+ 2005-03-17 06:32:40 74,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\RM.DLL
+ 2004-05-24 11:45:10 2,482,176 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\VBE6.DLL
- 2007-12-13 19:06:56 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-03-20 19:05:42 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-13 19:06:56 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-03-20 19:05:42 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-13 19:06:56 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-03-20 19:05:42 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-12-13 19:06:56 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-03-20 19:05:42 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-13 19:06:56 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-03-20 19:05:43 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-13 19:06:56 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-03-20 19:05:43 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-13 19:06:56 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-03-20 19:05:43 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-13 19:06:57 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-03-20 19:05:43 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-13 19:06:56 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-03-20 19:05:42 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-13 19:06:56 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-03-20 19:05:42 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-13 19:06:57 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-03-20 19:05:43 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-13 19:06:55 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-03-20 19:05:41 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-12-13 19:06:55 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-03-20 19:05:41 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-07-02 06:10:07 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-21 06:59:17 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
- 2007-07-02 06:10:07 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-21 06:59:17 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2007-07-02 06:10:07 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-12-21 06:59:17 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2000-08-31 00:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2004-08-04 13:00:00 73,376 ----a-w C:\WINDOWS\system\MCIAVI.DRV
+ 2004-08-04 13:00:00 25,264 ----a-w C:\WINDOWS\system\MCISEQ.DRV
+ 2004-08-04 13:00:00 28,160 ----a-w C:\WINDOWS\system\MCIWAVE.DRV
+ 2004-08-04 13:00:00 3,360 ----a-w C:\WINDOWS\system\SYSTEM.DRV
+ 2004-08-04 13:00:00 4,048 ----a-w C:\WINDOWS\system\TIMER.DRV
+ 2004-08-04 13:00:00 13,600 ----a-w C:\WINDOWS\system\WFWNET.DRV
+ 2004-08-04 13:00:00 146,432 ----a-w C:\WINDOWS\system\WINSPOOL.DRV
- 2007-10-11 05:57:29 1,024,000 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2007-12-07 00:44:30 1,024,000 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-10-11 05:57:29 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2007-12-07 00:44:30 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2004-08-04 13:00:00 10,544 ----a-w C:\WINDOWS\system32\comm.drv
- 2007-10-11 05:57:30 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2007-12-07 00:44:32 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-10-11 05:57:29 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2007-12-07 00:44:30 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-10-11 05:57:29 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2007-12-07 00:44:30 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-10-11 05:57:30 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
+ 2007-12-07 00:44:32 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
- 2007-10-11 05:57:30 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-12-07 00:44:33 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-10-11 05:57:30 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-12-07 00:44:33 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-10-11 05:57:30 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-12-07 00:44:33 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-10-10 10:48:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-12-06 10:05:52 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-10-11 05:57:31 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-12-07 00:44:33 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-10-11 05:57:31 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-12-07 00:44:33 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-10-11 05:57:31 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-12-07 00:44:33 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2006-08-17 12:28:27 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-12-18 09:51:35 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
- 2007-10-30 09:55:21 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-12-07 00:44:35 3,066,368 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-10-11 05:57:36 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-12-07 00:44:36 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-10-11 05:57:36 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-12-07 00:44:36 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-10-11 05:57:37 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-12-07 00:44:36 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-05-17 11:28:05 549,376 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
+ 2007-12-04 18:38:13 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
- 2007-10-11 05:57:37 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-12-07 00:44:36 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-11 05:57:39 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2007-12-07 00:44:37 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-10-11 05:57:40 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2007-12-07 00:44:38 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2006-04-20 12:18:35 360,576 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2007-10-30 16:53:32 360,832 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2007-10-11 05:57:40 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-12-07 00:44:39 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-10-11 05:57:41 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-12-07 00:44:39 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-11-11 05:42:30 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-12-22 05:41:54 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-11-11 05:42:30 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-22 05:41:34 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2004-08-04 13:00:00 181,248 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
+ 2007-12-18 09:51:35 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
- 2006-04-20 12:18:35 360,576 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2007-10-11 05:57:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-12-07 00:44:33 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-10-11 05:57:30 205,824 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-12-07 00:44:33 205,824 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-10-11 05:57:30 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-12-07 00:44:33 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2000-08-31 00:00:00 73,728 ----a-w

flamingrecca
2008-03-29, 19:43
C:\WINDOWS\system32\fdsv.exe
- 2007-12-11 06:14:16 211,768 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-02-23 17:06:56 214,952 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2000-08-31 00:00:00 80,412 ----a-w C:\WINDOWS\system32\grep.exe
- 2007-10-11 05:57:31 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-12-07 00:44:33 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-10-11 05:57:31 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-12-07 00:44:33 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-07-11 17:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 14:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-11 17:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 14:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-11 18:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 15:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-10-11 05:57:31 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-12-07 00:44:33 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2005-05-24 03:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
- 2007-02-21 09:48:18 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
- 2007-02-21 09:49:08 946,176 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2004-08-04 13:00:00 221,600 ----a-w C:\WINDOWS\system32\lanman.drv
- 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2004-08-04 13:00:00 73,376 ----a-w C:\WINDOWS\system32\mciavi.drv
+ 2004-08-04 13:00:00 25,264 ----a-w C:\WINDOWS\system32\mciseq.drv
+ 2004-08-04 13:00:00 28,160 ----a-w C:\WINDOWS\system32\mciwave.drv
- 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2004-08-04 13:00:00 20,480 ----a-w C:\WINDOWS\system32\msacm32.drv
+ 2004-08-04 13:00:00 188,416 ----a-w C:\WINDOWS\system32\msh261.drv
+ 2004-08-04 13:00:00 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
- 2007-10-30 09:55:21 3,065,856 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-12-07 00:44:35 3,066,368 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-10-11 05:57:36 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-12-07 00:44:36 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-10-11 05:57:36 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-12-07 00:44:36 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-10-11 05:57:37 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-12-07 00:44:36 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-05-17 11:28:05 549,376 ----a-w C:\WINDOWS\system32\oleaut32.dll
+ 2007-12-04 18:38:13 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
- 2007-10-11 05:57:37 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-12-07 00:44:36 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2000-08-31 00:00:00 98,816 ----a-w C:\WINDOWS\system32\sed.exe
- 2007-10-11 05:57:39 1,498,112 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2007-12-07 00:44:37 1,499,136 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-10-11 05:57:40 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2007-12-07 00:44:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-12-13 13:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 00:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2004-08-04 13:00:00 3,360 ----a-w C:\WINDOWS\system32\system.drv
+ 2004-08-04 13:00:00 4,048 ----a-w C:\WINDOWS\system32\timer.drv
- 2007-10-11 05:57:40 617,984 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-12-07 00:44:39 617,984 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2004-08-04 13:00:00 23,552 ----a-w C:\WINDOWS\system32\wdmaud.drv
+ 2004-08-04 13:00:00 13,600 ----a-w C:\WINDOWS\system32\wfwnet.drv
- 2007-10-11 05:57:41 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-12-07 00:44:39 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2004-08-04 13:00:00 146,432 ----a-w C:\WINDOWS\system32\winspool.drv
- 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-12-06 09:38:31 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2000-08-31 00:00:00 68,096 ----a-w C:\WINDOWS\system32\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-05 18:42 1481968]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 07:01 43008]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xmau8kyg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [2007-02-23 15:29 2479592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-09 03:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-09 03:17 512000]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 10:39 897024]
"TpShocks"="TpShocks.exe" [2004-10-28 07:58 106496 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"TP4EX"="tp4ex.exe" [2004-11-12 17:07 40960 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 18:10 212992]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-12 13:00 344064]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-07-15 08:34 36864]
"UC_SMB"="" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 17:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 17:05 127035]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 19:07 86016]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 17:00 135168]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-28 01:53 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-24 02:27 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-20 23:50 185896]
"EPSON Stylus CX3700 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe" [2005-02-08 03:00 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-22 13:41 579072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-29 06:49:19 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2005-03-18 19:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-13 12:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 15:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin"=

R0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys [2005-04-28 01:15]
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2004-05-15 06:08]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-03 08:14]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 19:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 19:07]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-15 04:59]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2004-12-21 17:00]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-04-28 02:27]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-05-20 05:41]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-03 07:54]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 19:07]
S3 XDva115;XDva115;C:\WINDOWS\system32\XDva115.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9788788f-2c5d-11dc-9536-0012f0ac34ae}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL web.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0c5547f-f1a1-11db-94e0-0012f0ac34ae}]
\Shell\AutoRun\command - E:\n2de.cmd
\Shell\explore\Command - E:\n2de.cmd
\Shell\open\Command - E:\n2de.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed5ec971-1e61-11dc-9523-0012f0ac34ae}]
\Shell\Auto\command - sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 17:19:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-29 17:26:59 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 01:27:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-30 1:30:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-29 17:30:54
ComboFix2.txt 2007-12-16 18:26:39
Pre-Run: 4,341,415,936 bytes free
Post-Run: 4,366,614,528 bytes free
.
2008-03-20 19:06:20 --- E O F ---

Shaba
2008-03-31, 12:44
Hi and sorry for delay

Is E: your flash drive?

Open notepad and copy/paste the text in the quotebox below into it:


Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9788788f-2c5d-11dc-9536-0012f0ac34ae}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0c5547f-f1a1-11db-94e0-0012f0ac34ae}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed5ec971-1e61-11dc-9523-0012f0ac34ae}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

flamingrecca
2008-04-01, 18:00
Hi Shaba and sorry for the late reply too.

Yes. Whichever flashdrive or external hard disk plugged in to my laptop will appear as E: drive.

Here are the latest combofix and hijackthis logs:

ComboFix 08-03-27.5 - user 2008-04-01 22:40:11.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.113 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 22:46 . 2008-04-01 22:46 4,474 --a------ C:\WINDOWS\GATHER.KM
2008-03-31 04:08 . 2008-03-31 04:08 <DIR> d-------- C:\Program Files\CCleaner
2008-03-22 16:03 . 2008-03-31 00:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-22 16:03 . 2008-03-22 16:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 21:12 . 2008-03-15 21:12 <DIR> d-------- C:\Program Files\Softnyx
2008-03-05 02:59 . 2008-03-05 02:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 14:36 --------- d-----w C:\Documents and Settings\user\Application Data\SiteAdvisor
2008-04-01 14:35 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-03-30 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-30 12:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-22 07:39 --------- d-----w C:\Documents and Settings\user\Application Data\BitTorrent
2008-03-16 17:40 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-16 15:37 --------- d-----w C:\Program Files\Java
2008-02-24 07:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-05 18:42 1481968]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 07:01 43008]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xmau8kyg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [2007-02-23 15:29 2479592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-09 03:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-09 03:17 512000]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 10:39 897024]
"TpShocks"="TpShocks.exe" [2004-10-28 07:58 106496 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 17:07 40960 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 18:10 212992]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-12 13:00 344064]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-07-15 08:34 36864]
"UC_SMB"="" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 17:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 17:05 127035]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 19:07 86016]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 17:00 135168]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-28 01:53 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-24 02:27 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-20 23:50 185896]
"EPSON Stylus CX3700 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.exe" [2005-02-08 03:00 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-22 13:41 579072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-29 06:49:19 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2005-03-18 19:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-13 12:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 15:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin"=

R0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys [2005-04-28 01:15]
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2004-05-15 06:08]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-03 08:14]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 19:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 19:07]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-15 04:59]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2004-12-21 17:00]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-04-28 02:27]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-05-20 05:41]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-03 07:54]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 19:07]
S3 XDva115;XDva115;C:\WINDOWS\system32\XDva115.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{877d2c21-d392-11db-94bc-0012f0ac34ae}]
\Shell\AutoRun\command - 3o.exe
\Shell\explore\Command - 3o.exe
\Shell\open\Command - 3o.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 20:19:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-01 14:46:36 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 22:46:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-01 22:50:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 14:50:05
ComboFix2.txt 2008-03-29 17:31:00
ComboFix3.txt 2007-12-16 18:26:39
Pre-Run: 4,479,729,664 bytes free
Post-Run: 4,462,522,368 bytes free
.
2008-03-20 19:06:20 --- E O F ---

flamingrecca
2008-04-01, 18:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:39 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENSG/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xmau8kyg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles/xmau8kyg.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?98926b13b58347abba60c4b10a489833
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?98926b13b58347abba60c4b10a489833
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173506026781
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)

--
End of file - 9440 bytes

Shaba
2008-04-01, 18:03
Hi

Have you plugged lately flashdrive or external hard disk?

I ask because I see signs of new flash infection in combofix log.

flamingrecca
2008-04-01, 18:57
Yes i have yesterday. What should i do to disinfect my external hard disk??

Shaba
2008-04-01, 19:51
Hi

It depends how important stuff you have here.

Easiest way would be reformatting.

But other way is to plug in it before Kaspersky scan that we can see which files are infected.

Your choice :)

Shaba
2008-04-06, 12:16
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.