
Thread: I need immediate help about mal-ware

  1. #1
    Junior Member
    Join Date: Oct 2009
    Posts: 7

    I need immediate help about mal-ware

    I have downloaded a program from the internet and unfortunately it contained tons of different viruses which spread all over my computer in a matter of seconds. Some of the symptoms are not showing the hidden files, safe mode is disabled and serious browser hijacking. I managed to fix the hidden files problem by editing the registry. When I try to run the computer into safe mode, the computer restarts immediately after waiting for a fraction of a second on a blue screen showing a memory crash for driver interference. My browser hijack problem is that whenever I search something in the search engine and try to click on the link, my browser is hijacked to some Chinese website, each time with a different URL which does not even exist at all, such as:
    http://z43523673.cn/Zzy3eWjp7v5jUHO6Ymlk.......(very long URL)
    I tried different antiviruses, anti-malwares, registry fixing programs such as: Antivir, AVG, HijackThis, Free Registry Fix, Spybot S&D, Registry Mechanic, Browser Hijack Recover (BHR), Microsoft Malicious Software Removal.
    None of those worked for me. I post my HijackThis log for you; please let me know if you need anything else. I am also suspicious whether I got the Conficker worm or not!!!! I am waiting for your kind help.
    My log is:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:56:43 PM, on 10/3/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Babylon\Babylon.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\PrevxCSI\prevxcsi.exe
    C:\Program Files\CVSNT\cvslock.exe
    C:\Program Files\CVSNT\cvsservice.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    d:\Program Files\Mimer SQL 9.2\TCPSRV.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\Program Files\PrevxCSI\prevxcsi.exe
    d:\Program Files\Mimer SQL 9.2\MIMSRV.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\svchost.exe
    C:\DOCUME~1\HAMIDY~1\LOCALS~1\Temp\Rar$EX01.515\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Babylon Client] d:\Program Files\Babylon\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-1935655697-813497703-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6796.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camera.mui.ac.ir/activex/AxisCamControl.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} (ScriptPlayerRuntime Class) - https://gfs.nb.se/privat/bank/script...aSmartCard.cab
    O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://members.driverguide.com/direc...e=toolkit_lite
    O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
    O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
    O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - f:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    O23 - Service: MIMER Named Pipes - Mimer Information Technology AB - d:\Program Files\Mimer SQL 9.2\NAPSRV.exe
    O23 - Service: MIMER TCP - Mimer Information Technology AB - d:\Program Files\Mimer SQL 9.2\TCPSRV.exe
    O23 - Service: MIMER-temp - Mimer Information Technology AB - d:\Program Files\Mimer SQL 9.2\MIMSRV.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
    O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

    --
    End of file - 12137 bytes
    Last edited by tashi; 2009-10-04 at 03:03. Reason: Disabled link
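    As an added example that is not part of the thread, of HijackThis or of ComboFix, a Python triage pass over the HijackThis log format posted above: it parses the R/O entries and the running-process paths and flags the structural items a helper reads first (orphaned CLSIDs, O6 Internet Explorer policy restrictions, services with no recorded vendor, anything running from a Temp directory). The sample input is a constructed excerpt of the log above; the flag labels and the checks themselves are my own, not HijackThis rules.

```python
"""HijackThis 2.x log triage (added example; not code from the thread or its tools).

Parses the R/O entries and 'Running processes' paths from a HijackThis log
and applies the structural checks a helper runs first: orphaned CLSIDs,
Internet Explorer policy restrictions, services without a recorded vendor,
and autostarts or processes running out of a Temp directory. The flag
labels are this example's own, not HijackThis terminology.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")        # e.g. "O2 - BHO: ..."
PROC_RE = re.compile(r"^[A-Za-z]:\\\S.*$")            # "Running processes" lines
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)     # any ...\Temp\... path segment
IE_DEFAULT_RE = re.compile(r"^(about:blank|https?://(go|www)\.microsoft\.com/)")


@dataclass
class Entry:
    kind: str               # R0/R1/O2/.../O23, or PROC for a running process
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per recognised line; headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif PROC_RE.match(line):
            entries.append(Entry("PROC", line))
    return entries


def triage(entry):
    """Attach flag labels to an Entry; returns the same Entry for chaining."""
    kind, body = entry.kind, entry.body
    if kind in ("O2", "O9") and "(no file)" in body:
        # CLSID still registered but its DLL/EXE is gone: leftover of a removed
        # component, or of a cleaner that deleted the file but not the key.
        entry.flags.append("orphaned CLSID")
    if kind == "O6":
        # IE Restrictions / Control Panel policies lock the user out of settings;
        # on a home machine they are usually set by a hijacker, not an admin.
        entry.flags.append("IE policy restriction")
    if kind == "O23" and "Unknown owner" in body:
        entry.flags.append("service without vendor")
    if kind in ("R0", "R1"):
        # Only flag when a value is present and it is not a Microsoft default.
        m = re.search(r"=\s*(\S+)$", body)
        if m and not IE_DEFAULT_RE.match(m.group(1)):
            entry.flags.append("non-default IE start/search page")
    if kind in ("O4", "PROC") and TEMP_RE.search(body):
        entry.flags.append("runs from Temp directory")
    return entry


def flagged_entries(text):
    """All entries that received at least one flag."""
    return [e for e in map(triage, parse_hjt(text)) if e.flags]


def flag_summary(text):
    """Counter of flag label -> number of entries carrying it."""
    return Counter(f for e in flagged_entries(text) for f in e.flags)


# Constructed excerpt of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\HAMIDY~1\LOCALS~1\Temp\Rar$EX01.515\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.kind:5} {', '.join(e.flags):32} {e.body[:70]}")
```

    On the excerpt this flags five lines: the two O6 policies, the orphaned BHO, the BrlAPI service and HijackThis itself running from Temp (benign here, since the user launched it straight from an archive, but worth a look on any other process).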

  2. #2
    Emeritus- Malware Team
    Join Date: Oct 2009
    Location: New England, USA
    Posts: 503

    Hello hdyazdani and welcome to the forums here at SpyBot S&D.

    Let's see if we can go right after this with combofix.

    Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

  3. #3
    Junior Member
    Join Date: Oct 2009
    Posts: 7

    I executed ComboFix

    Hi IndiGenus!
    Thanks for your warm greeting. I have executed ComboFix and I post the log for you. It was strange since it has deleted lots of my Windows files such as regedit; I do not know if it is normal or not? It seems to me I still have the safe-mode problem, but I should test more about my hijack problem.
    I send you both logs from ComboFix and HijackThis, first ComboFix and then HijackThis at the end of this reply.

    log:
    ComboFix 09-10-04.01 - Hamid Yazdani 10/04/2009 12:33.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.451 [GMT 3:00]
    Running from: c:\documents and settings\Hamid Yazdani\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Hamid Yazdani\Favorites\.url
    c:\documents and settings\Hamid Yazdani\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}
    c:\documents and settings\Hamid Yazdani\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\bg.jpg
    c:\documents and settings\Hamid Yazdani\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\CurrentVersion.xml
    c:\documents and settings\Hamid Yazdani\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Data\ProductInfo.mx
    c:\documents and settings\Hamid Yazdani\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\icon.ico
    c:\documents and settings\Hamid Yazdani\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\productinfo.dll
    c:\documents and settings\Hamid Yazdani\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Setup.exe
    c:\windows\Installer\105d0e12.msp
    c:\windows\Installer\105d0e18.msp
    c:\windows\Installer\10e787f6.msp
    c:\windows\Installer\10e787fc.msp
    c:\windows\Installer\1270688f.msp
    c:\windows\Installer\12706895.msp
    c:\windows\Installer\13b2a28d.msp
    c:\windows\Installer\13b2a293.msp
    c:\windows\Installer\14f2f4f.msp
    c:\windows\Installer\14f2f55.msp
    c:\windows\Installer\16067d.msp
    c:\windows\Installer\16085b07.msp
    c:\windows\Installer\16085b0d.msp
    c:\windows\Installer\177bda2.msp
    c:\windows\Installer\177bda8.msp
    c:\windows\Installer\1cfdfa5.msp
    c:\windows\Installer\1cfdfab.msp
    c:\windows\Installer\1e503f0.msp
    c:\windows\Installer\1e503f6.msp
    c:\windows\Installer\1e79588.msp
    c:\windows\Installer\1e7958e.msp
    c:\windows\Installer\2596788.msp
    c:\windows\Installer\259678e.msp
    c:\windows\Installer\25b57ee.msp
    c:\windows\Installer\25b57f4.msp
    c:\windows\Installer\2889896.msp
    c:\windows\Installer\288989c.msp
    c:\windows\Installer\2e9c4db.msp
    c:\windows\Installer\2e9c4e1.msp
    c:\windows\Installer\2fd73fe.msp
    c:\windows\Installer\2fd7404.msp
    c:\windows\Installer\3149cf2.msp
    c:\windows\Installer\3149cf8.msp
    c:\windows\Installer\35106d4.msp
    c:\windows\Installer\35106da.msp
    c:\windows\Installer\35a7c95.msp
    c:\windows\Installer\35a7c9b.msp
    c:\windows\Installer\370515d.msp
    c:\windows\Installer\3705172.msp
    c:\windows\Installer\3c2a5.msp
    c:\windows\Installer\3c2ab.msp
    c:\windows\Installer\41e586a.msp
    c:\windows\Installer\41e5870.msp
    c:\windows\Installer\4249631.msp
    c:\windows\Installer\4249637.msp
    c:\windows\Installer\6105789.msp
    c:\windows\Installer\610578f.msp
    c:\windows\Installer\69e0484.msp
    c:\windows\Installer\69e048a.msp
    c:\windows\Installer\7aef15a.msp
    c:\windows\Installer\7aef160.msp
    c:\windows\Installer\823ed98.msp
    c:\windows\Installer\823ed9e.msp
    c:\windows\Installer\871dfd1.msp
    c:\windows\Installer\871dfd7.msp
    c:\windows\Installer\877515b.msp
    c:\windows\Installer\8775161.msp
    c:\windows\Installer\880ffa5.msp
    c:\windows\Installer\880ffab.msp
    c:\windows\Installer\896a96c.msp
    c:\windows\Installer\896a972.msp
    c:\windows\Installer\a5ff2e9.msp
    c:\windows\Installer\a5ff2ef.msp
    c:\windows\Installer\b36a698.msp
    c:\windows\Installer\b36a69e.msp
    c:\windows\Installer\b60e4be.msp
    c:\windows\Installer\b60e4c4.msp
    c:\windows\Installer\b8baa25.msp
    c:\windows\Installer\c1e2c.msp
    c:\windows\Installer\d06aec5.msp
    c:\windows\Installer\d06aecb.msp
    c:\windows\Installer\d4a082a.msp
    c:\windows\Installer\d4a0830.msp
    c:\windows\Installer\d9d9e4c.msp
    c:\windows\Installer\d9d9e52.msp
    c:\windows\Installer\da7332d.msp
    c:\windows\Installer\da73333.msp
    c:\windows\Installer\ea4e8b.msp
    c:\windows\Installer\ea4e91.msp
    c:\windows\regedit.com
    c:\windows\rundll32.exe
    c:\windows\system32\drivers\gasfkypdapamtk2.sys
    c:\windows\winhelp.ini

    Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
    Kitty ate it
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NDISRD
    -------\Service_ndisrd


    ((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
    .

    2009-10-03 21:43 . 2009-10-03 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2009-10-03 21:42 . 2009-10-03 21:42 -------- d-----w- c:\program files\Common Files\iS3
    2009-10-03 21:41 . 2009-10-03 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2009-10-03 21:18 . 2009-10-03 21:26 -------- d-----w- c:\program files\Exterminate It!
    2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\program files\ACW
    2009-10-02 20:38 . 2009-10-02 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-10-02 20:38 . 2009-10-02 20:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-02 19:07 . 2009-10-02 19:07 -------- d-----w- c:\documents and settings\Hamid Yazdani\Local Settings\Application Data\Promosoft Corporation
    2009-10-02 19:06 . 2009-10-02 19:06 -------- d-----w- c:\program files\Promosoft Corporation
    2009-10-02 19:01 . 2009-10-02 19:07 -------- d-----w- c:\program files\Free Window Registry Repair
    2009-10-02 18:49 . 2009-10-02 18:49 -------- d-----w- C:\$AVG8.VAULT$
    2009-10-02 15:51 . 2009-10-02 15:52 -------- d-----w- c:\program files\Browser Hijack Recover
    2009-10-02 15:14 . 2009-10-02 15:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-10-02 15:14 . 2009-10-02 15:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-10-02 15:14 . 2009-10-02 15:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-10-02 15:14 . 2009-10-02 15:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-10-02 15:12 . 2009-10-04 08:47 -------- d-----w- c:\windows\system32\drivers\Avg
    2009-10-02 15:11 . 2009-10-02 15:11 -------- d-----w- c:\program files\AVG
    2009-10-02 15:11 . 2009-10-02 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-10-02 14:53 . 2009-10-02 14:53 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\Malwarebytes
    2009-10-02 14:53 . 2009-09-10 11:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-02 14:53 . 2009-10-02 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-02 14:53 . 2009-10-02 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-02 14:53 . 2009-09-10 11:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-02 14:47 . 2009-10-02 14:47 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\AVG8
    2009-10-02 12:40 . 2009-10-02 12:42 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-10-02 11:04 . 2009-10-02 11:04 -------- d-----w- c:\program files\Uniblue
    2009-09-27 11:20 . 2009-09-27 11:20 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2009-09-27 11:20 . 2009-09-27 11:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2009-09-27 11:20 . 2009-09-27 11:20 -------- d-----w- c:\program files\Common Files\XoftSpySE
    2009-09-27 11:20 . 2009-09-27 11:20 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
    2009-09-27 11:20 . 2009-09-27 11:20 -------- d-----w- c:\program files\XoftSpySE6
    2009-09-24 20:10 . 2009-09-24 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2009-09-24 19:50 . 2009-09-24 19:51 -------- d-----w- c:\program files\Word Password Unlocker
    2009-09-24 15:30 . 2009-09-24 15:31 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\MiniDm
    2009-09-24 14:42 . 2009-09-24 14:43 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\IEPro
    2009-09-23 21:13 . 2009-09-23 21:13 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\Basta Computing
    2009-09-11 20:06 . 2009-09-11 20:06 -------- d-----w- c:\documents and settings\Hamid Yazdani\Local Settings\Application Data\GlobalSCAPE
    2009-09-11 20:06 . 2009-09-11 20:06 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\GlobalSCAPE
    2009-09-11 20:06 . 2009-09-11 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\GlobalSCAPE
    2009-09-11 20:06 . 2009-09-11 20:06 -------- d-----w- c:\program files\GlobalSCAPE
    2009-09-10 07:41 . 2009-09-10 07:41 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
    2009-09-10 07:41 . 2009-09-10 07:41 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2009-09-05 19:57 . 2004-04-19 15:53 1706800 ----a-w- c:\windows\system32\gdiplus.dll
    2009-09-05 19:57 . 2009-06-03 16:06 180224 ----a-w- c:\windows\system32\cnvshell.dll
    2009-09-05 19:56 . 2009-09-05 19:58 -------- d-----w- c:\program files\ImageConverter Plus

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-04 09:52 . 2007-11-24 08:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-10-04 09:30 . 2008-09-22 18:56 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\Babylon
    2009-10-03 21:52 . 2009-10-03 21:51 1016 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2009-10-03 15:58 . 2008-10-18 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
    2009-10-02 11:04 . 2008-06-16 09:19 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\Uniblue
    2009-10-02 10:54 . 2009-01-16 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-10-02 10:10 . 2007-11-11 16:11 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\Skype
    2009-09-24 20:04 . 2009-04-24 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-09-24 18:47 . 2007-11-23 22:45 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\uTorrent
    2009-09-24 16:13 . 2007-10-13 15:22 88776 ----a-w- c:\documents and settings\Hamid Yazdani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-22 21:05 . 2008-02-02 16:55 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\U3
    2009-09-11 20:06 . 2007-09-23 06:28 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-09-10 23:12 . 2009-02-14 22:52 -------- d-----w- c:\program files\Replay Media Catcher
    2009-09-10 23:12 . 2009-02-14 22:53 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
    2009-09-03 05:00 . 2009-09-03 05:00 -------- d-----w- c:\program files\Apple Software Update
    2009-08-28 08:13 . 2009-08-28 08:13 -------- d-----w- c:\program files\Sony
    2009-08-28 08:13 . 2009-05-14 20:17 -------- d-----w- c:\program files\Sony Ericsson
    2009-08-27 23:25 . 2009-08-27 23:25 1024 ----a-w- c:\documents and settings\All Users\Application Data\imgpdf2.dll
    2009-08-27 23:25 . 2009-08-27 23:25 -------- d-----w- c:\program files\PDF-Convert
    2009-08-27 23:24 . 2009-08-27 23:24 -------- d-----w- c:\program files\psconvert
    2009-08-27 23:21 . 2009-08-27 23:21 -------- d-----w- c:\program files\GflSDK
    2009-08-27 23:20 . 2009-08-27 23:20 -------- d-----w- c:\program files\Convert Multiple PDF Files To JPG Files Software
    2009-08-07 20:42 . 2009-08-07 19:35 -------- d-----w- c:\documents and settings\Hamid Yazdani\Application Data\TH1
    2009-08-06 12:49 . 2009-05-05 19:27 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-08-03 12:07 . 2009-08-03 12:07 403816 ----a-w- c:\windows\system32\OGACheckControl.DLL
    2008-04-29 19:31 . 2007-10-13 15:22 88 --sha-r- c:\windows\system32\9EAA864B62.sys
    2008-04-29 19:31 . 2007-10-13 15:16 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
    "QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "RemoteControl"="f:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "Babylon Client"="d:\program files\Babylon\Babylon.exe" [2004-11-28 2158592]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-03 1032192]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe [2007-9-23 25214]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "FOLDEROPTIONS"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-10-02 15:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 setuid

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "f:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "d:\\Program Files\\MediaRing\\MediaRing Talk\\mrtalk.exe"=
    "d:\\Program Files\\eMule\\emule.exe"=
    "f:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=
    "c:\\Program Files\\Java\\jdk1.6.0_10\\bin\\java.exe"=
    "c:\\Program Files\\Java\\jdk1.6.0_10\\jre\\bin\\java.exe"=
    "e:\\eclipse\\eclipse\\eclipse.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ArGo Software Design\\Mail Server\\mailserver.exe"=
    "c:\\Program Files\\Xming\\Xming.exe"=
    "c:\\Documents and Settings\\Hamid Yazdani\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Hamid Yazdani\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Intuwave\\Shared\\mRouterRuntime\\mRouterRuntime.exe"=
    "c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [9/10/2009 10:41 AM 22024]
    R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [9/10/2009 10:41 AM 27656]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/2/2009 6:14 PM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/2/2009 6:14 PM 108552]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/5/2009 10:27 PM 108289]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/2/2009 6:11 PM 297752]
    R2 CSIScanner;CSIScanner;c:\program files\PrevxCSI\prevxcsi.exe [10/18/2008 11:05 AM 4368952]
    R2 MIMER-temp;MIMER-temp;d:\program files\Mimer SQL 9.2\mimsrv.exe [10/26/2007 8:55 PM 2893096]
    R3 MIMER TCP;MIMER TCP;d:\program files\Mimer SQL 9.2\tcpsrv.exe [10/26/2007 8:55 PM 87336]
    S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [4/5/2008 2:04 PM 68096]
    S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:07 AM 14336]
    S3 MIMER Named Pipes;MIMER Named Pipes;d:\program files\Mimer SQL 9.2\napsrv.exe [10/26/2007 8:55 PM 87336]
    S3 TdsNordecr;Nordea NCR1 SmartCard Reader;c:\windows\system32\drivers\nordecr.sys [10/30/2007 9:57 AM 23040]
    S3 Tomcat6;Apache Tomcat;c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [1/29/2008 1:39 AM 57344]
    S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [8/29/2009 12:15 AM 582424]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

    2009-10-04 c:\windows\Tasks\Free Registry Fix.job
    - c:\program files\Promosoft Corporation\Free Registry Fix\regfix.exe [2008-06-12 06:46]

    2009-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-813497703-839522115-1003Core.job
    - c:\documents and settings\Hamid Yazdani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 21:26]

    2009-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-813497703-839522115-1003UA.job
    - c:\documents and settings\Hamid Yazdani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 21:26]

    2009-10-02 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-28 21:15]

    2009-10-01 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]

    2009-09-29 c:\windows\Tasks\XoftSpySE.job
    - c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-08-28 21:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = about:blank
    mWindow Title =
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} - hxxps://gfs.nb.se/privat/bank/scripts/eid/NordeaSmartCard.cab
    DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - hxxp://members.driverguide.com/director/dispatch_getfile.php?mode=toolkit_lite
    FF - ProfilePath - c:\documents and settings\Hamid Yazdani\Application Data\Mozilla\Firefox\Profiles\tuq6rmmq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - plugin: c:\documents and settings\Hamid Yazdani\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Hamid Yazdani\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
    FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npdjvu.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-SITEguard - (no file)
    WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
    AddRemove-HijackThis - c:\docume~1\HAMIDY~1\LOCALS~1\Temp\Rar$EX01.515\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-04 12:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(976)
    c:\windows\system32\setuid.dll

    - - - - - - - > 'explorer.exe'(4028)
    f:\program files\TortoiseCVS\TrtseShl.dll
    c:\windows\system32\msi.dll
    d:\program files\Babylon\CAPTLIB.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\scardsvr.exe
    c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\CVSNT\cvsservice.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\program files\Common Files\Protexis\License Service\PSIService.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2009-10-04 12:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-04 09:58

    Pre-Run: 11,859,345,408 bytes free
    Post-Run: 15,924,989,952 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Safe Mode" /safeboot:minimal /sos /bootlog

    372 --- E O F --- 2009-03-15 17:52

    ------------------------------------------------------------------------
    HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:08:30 PM, on 10/4/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Babylon\Babylon.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\PrevxCSI\prevxcsi.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\CVSNT\cvsservice.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    d:\Program Files\Mimer SQL 9.2\TCPSRV.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    d:\Program Files\Mimer SQL 9.2\MIMSRV.EXE
    C:\Program Files\PrevxCSI\prevxcsi.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\HAMIDY~1\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Babylon Client] d:\Program Files\Babylon\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKUS\S-1-5-21-1935655697-813497703-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6796.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camera.mui.ac.ir/activex/AxisCamControl.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} (ScriptPlayerRuntime Class) - https://gfs.nb.se/privat/bank/script...aSmartCard.cab
    O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://members.driverguide.com/direc...e=toolkit_lite
    O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
    O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
    O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - f:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    O23 - Service: MIMER Named Pipes - Mimer Information Technology AB - d:\Program Files\Mimer SQL 9.2\NAPSRV.exe
    O23 - Service: MIMER TCP - Mimer Information Technology AB - d:\Program Files\Mimer SQL 9.2\TCPSRV.exe
    O23 - Service: MIMER-temp - Mimer Information Technology AB - d:\Program Files\Mimer SQL 9.2\MIMSRV.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
    O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

    --
    End of file - 10581 bytes

  4. #4
    Junior Member
    Join Date
    Oct 2009
    Posts
    7

    Default root kit

    Hi!
    I forgot to say that ComboFix has detected rootkit malware on my PC, and one more issue is that now I cannot install add-ons on my Internet Explorer, such as IE7Pro. Do you know how I can fix that???

  5. #5
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Hi,

    It was strange since it has deleted lots of my Windows files such as regedit, I do not know if it is normal or not
    Those are not the legitimate Windows files. The legitimate rundll32.exe should be in the system32 folder. And regedit is an executable (.exe) file.

    You appear to be running some file sharing/P2P programs.

    eMule
    uTorrent

    Those will both need to be removed before we continue. See the link below for the rules regarding these programs in this forum.

    http://forums.spybot.info/showthread.php?t=282

    Also, it appears you have 2 antivirus programs running, AVG and AntiVir. Running 2 can cause all kinds of problems including system slowdown, errors, conflicts, etc. You should remove one of those.

    After doing that please do the following.

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    We Need to check for Rootkits with RootRepeal
    1. Download RootRepeal from the following location and save it to your desktop.
    2. Extract RootRepeal.exe from the archive.
    3. Open on your desktop.
    4. Click the tab.
    5. Click the button.
    6. Check all seven boxes:
    7. Push Ok
    8. Check the box for your main system drive (usually C:), and press Ok.
    9. Allow RootRepeal to run a scan of your system. This may take some time.
    10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

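The path check the helper describes above (the legitimate rundll32.exe lives in system32) and two items in the ComboFix output posted earlier (a second value in the LSA "Authentication Packages" list, and a DLL of the same name loaded into lsass.exe) can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not code from the forum, from ComboFix or from HijackThis. The sample log text is constructed to mimic those formats, and the default package list and expected directories are assumptions about a stock Windows XP install.

```python
"""Triage helpers for ComboFix / HijackThis text logs (added example, not the tools' own code)."""
import re
from typing import Dict, List

# Constructed sample modelled on the log formats seen in the thread (not a copied log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\setuid.dll

- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\msi.dll

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
C:\WINDOWS\explorer.exe
"""

# Assumption: a stock XP install lists only msv1_0 as an LSA authentication package.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Assumption: default locations of core Windows binaries on XP (lower-case for comparison).
EXPECTED_DIRS: Dict[str, str] = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "regedit.exe": r"c:\windows",
}

PATH_RE = re.compile(r"^[a-zA-Z]:\\")
PROCESS_HEADER_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")


def auth_packages(log: str) -> List[str]:
    """Return every value in the LSA 'Authentication Packages' line of a ComboFix log."""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Authentication Packages"):
            parts = line.split()  # ... REG_MULTI_SZ <pkg> <pkg> ...
            if "REG_MULTI_SZ" in parts:
                return parts[parts.index("REG_MULTI_SZ") + 1:]
    return []


def unexpected_auth_packages(log: str) -> List[str]:
    """Packages beyond the assumed default; each one is a DLL lsass.exe loads at boot."""
    return [p for p in auth_packages(log) if p.lower() not in DEFAULT_AUTH_PACKAGES]


def dlls_loaded_in(log: str, process: str) -> List[str]:
    """Return the DLL paths ComboFix lists under the "> 'process'(pid)" header."""
    dlls: List[str] = []
    capturing = False
    for raw in log.splitlines():
        line = raw.strip()
        match = PROCESS_HEADER_RE.match(line)
        if match:
            capturing = match.group(1).lower() == process.lower()
            continue
        if capturing:
            if not line:  # a blank line ends the per-process block
                break
            dlls.append(line)
    return dlls


def misplaced_system_binaries(log: str) -> List[str]:
    """Flag core Windows binaries that appear under a directory other than their default."""
    flagged: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not PATH_RE.match(line):
            continue
        directory, _, name = line.rpartition("\\")
        expected = EXPECTED_DIRS.get(name.lower())
        if expected and directory.lower() != expected:
            flagged.append(line)
    return flagged


def triage(log: str) -> Dict[str, List[str]]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "unexpected_auth_packages": unexpected_auth_packages(log),
        "lsass_dlls": dlls_loaded_in(log, "lsass.exe"),
        "misplaced_system_binaries": misplaced_system_binaries(log),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits if hits else 'none'}")
```

Each finding is only a pointer for a human: an extra authentication package is worth attention because LSA loads it into lsass.exe with SYSTEM privileges at every boot, and a system-binary name running from a Temp or profile directory is the pattern the helper is describing, but confirming either still means checking the file itself.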
  6. #6
    Junior Member
    Join Date
    Oct 2009
    Posts
    7

    Default Your request logs

    Hi IndiaGenus!

    Sorry for my little delay. I really appreciate your time helping me out of this. I think my computer has turned into a hub of different viruses, and I did not even notice before.
    Anyway, I have put in the logs that you asked for: the first log is dds.txt and the second is attach.txt, which are the default logs of DDS. The last log is the RootRepeal log. I also noticed that my safe-mode problem has been solved using ComboFix, but I have noticed a new problem: when I try to reach some directories I get a Windows Explorer crash, and all the windows are closed and reopen after some seconds. Can it be a new effect of the virus?

    Best Regards

    DDS (Ver_09-09-29.01) - NTFSx86
    Run by Hamid Yazdani at 1:08:51.32 on Wed 10/07/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.464 [GMT 3:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\PrevxCSI\prevxcsi.exe
    C:\Program Files\CVSNT\cvslock.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\CVSNT\cvsservice.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    d:\Program Files\Mimer SQL 9.2\TCPSRV.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    d:\Program Files\Mimer SQL 9.2\MIMSRV.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Babylon\Babylon.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\PrevxCSI\prevxcsi.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Hamid Yazdani\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = about:blank
    mWindow Title =
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: Share Accelerator MM Toolbar: {4596013b-6c31-408b-a266-deae5c086dc2} - c:\program files\share_accelerator_mm\tbShar.dll
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [RemoteControl] "f:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [Babylon Client] d:\program files\babylon\Babylon.exe -AutoStart
    mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a70001000000}\SC_Reader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    uPolicies-explorer: FOLDEROPTIONS = 0 (0x0)
    IE: E&xport to Microsoft Excel - e:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
    IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
    IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office11\REFIEBAR.DLL
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://camera.mui.ac.ir/activex/AxisCamControl.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E505599B-F37A-4849-A7B0-E0AAB5CB054C} - hxxps://gfs.nb.se/privat/bank/scripts/eid/NordeaSmartCard.cab
    DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - hxxp://members.driverguide.com/director/dispatch_getfile.php?mode=toolkit_lite
    Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    LSA: Authentication Packages = msv1_0 setuid

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\hamidy~1\applic~1\mozilla\firefox\profiles\tuq6rmmq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - plugin: c:\documents and settings\hamid yazdani\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\hamid yazdani\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: d:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
    FF - plugin: d:\program files\divx\divx content uploader\npUpload.dll
    FF - plugin: d:\program files\divx\divx player\npDivxPlayerPlugin.dll
    FF - plugin: d:\program files\divx\divx web player\npdivx32.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npdjvu.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-9-10 22024]
    R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-9-10 27656]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-2 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-2 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-2 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-2 297752]
    R2 CSIScanner;CSIScanner;c:\program files\prevxcsi\prevxcsi.exe [2008-10-18 4368952]
    R2 MIMER-temp;MIMER-temp;d:\program files\mimer sql 9.2\mimsrv.exe [2007-10-26 2893096]
    R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
    R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]
    R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]
    R3 MIMER TCP;MIMER TCP;d:\program files\mimer sql 9.2\tcpsrv.exe [2007-10-26 87336]
    R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-10-5 57408]
    R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);c:\windows\system32\drivers\zebrceb.sys [2009-5-14 63360]
    S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [2008-4-5 68096]
    S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wn111v2\jswpsapi.exe --> c:\program files\netgear\wn111v2\jswpsapi.exe [?]
    S3 MIMER Named Pipes;MIMER Named Pipes;d:\program files\mimer sql 9.2\napsrv.exe [2007-10-26 87336]
    S3 TdsNordecr;Nordea NCR1 SmartCard Reader;c:\windows\system32\drivers\nordecr.sys [2007-10-30 23040]
    S3 Tomcat6;Apache Tomcat;c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe [2008-1-29 57344]
    S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\wn111v2.sys --> c:\windows\system32\drivers\WN111v2.sys [?]
    S3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-8-29 582424]
    S3 zebrbus;Sony Ericsson Composite Device driver;c:\windows\system32\drivers\zebrbus.sys [2009-5-14 83200]
    S3 zebrmdfl;Sony Ericsson Modem Filter;c:\windows\system32\drivers\zebrmdfl.sys [2009-5-14 14848]
    S3 zebrmdm;Sony Ericsson Port (WDM);c:\windows\system32\drivers\zebrmdm.sys [2009-5-14 109568]
    S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);c:\windows\system32\drivers\zebrmdmc.sys [2009-5-14 109568]
    S3 zebrsce;Sony Ericsson PC-Connect Port;c:\windows\system32\drivers\zebrsce.sys [2009-5-14 91264]

    =============== Created Last 30 ================

    2009-10-06 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSScanAppDataDir
    2009-10-06 14:52 3,249 a------- c:\windows\system32\wbem\Outlook_01ca467b77c2c8ba.mof
    2009-10-06 14:46 <DIR> --d----- c:\program files\common files\L&H
    2009-10-06 14:46 <DIR> --d----- c:\program files\Microsoft ActiveSync
    2009-10-06 14:31 3,249 a------- c:\windows\system32\wbem\Outlook_01ca467881864c44.mof
    2009-10-05 20:29 49,904 a----r-- c:\windows\system32\drivers\BVRPMPR5.SYS
    2009-10-05 20:27 <DIR> --d----- C:\Netgear
    2009-10-05 20:19 <DIR> --d-hr-- c:\docume~1\alluse~1\applic~1\Atheros
    2009-10-05 20:17 57,408 a------- c:\windows\system32\drivers\wsimd.sys
    2009-10-05 20:17 <DIR> --d----- c:\program files\Atheros
    2009-10-05 20:13 <DIR> --d----- c:\program files\NETGEAR
    2009-10-05 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NETGEAR
    2009-10-04 13:26 <DIR> --d----- c:\program files\IEPro
    2009-10-04 12:25 <DIR> a-dshr-- C:\cmdcons
    2009-10-04 12:02 229,888 a------- c:\windows\PEV.exe
    2009-10-04 12:02 161,792 a------- c:\windows\SWREG.exe
    2009-10-04 12:02 98,816 a------- c:\windows\sed.exe
    2009-10-04 00:51 1,016 a------- c:\windows\system32\drivers\kgpcpy.cfg
    2009-10-04 00:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
    2009-10-04 00:42 <DIR> --d----- c:\program files\common files\iS3
    2009-10-04 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
    2009-10-04 00:18 <DIR> --d----- c:\program files\Exterminate It!
    2009-10-03 01:26 <DIR> --d----- c:\program files\ACW
    2009-10-02 23:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-10-02 23:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-10-02 22:06 <DIR> --d----- c:\program files\Promosoft Corporation
    2009-10-02 22:01 <DIR> --d----- c:\program files\Free Window Registry Repair
    2009-10-02 21:49 <DIR> --d----- C:\$AVG8.VAULT$
    2009-10-02 18:52 0 a------- c:\windows\system32\8104297.jun
    2009-10-02 18:51 <DIR> --d----- c:\program files\Browser Hijack Recover
    2009-10-02 18:14 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-10-02 18:14 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-10-02 18:14 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-10-02 18:12 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-10-02 18:11 <DIR> --d----- c:\program files\AVG
    2009-10-02 18:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-10-02 17:53 <DIR> --d----- c:\docume~1\hamidy~1\applic~1\Malwarebytes
    2009-10-02 17:53 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-02 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-10-02 17:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-10-02 17:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-10-02 17:47 <DIR> --d----- c:\docume~1\hamidy~1\applic~1\AVG8
    2009-10-02 14:04 <DIR> --d----- c:\program files\Uniblue
    2009-09-27 14:20 <DIR> --d----- c:\program files\common files\ParetoLogic
    2009-09-27 14:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
    2009-09-27 14:20 <DIR> --d----- c:\program files\common files\XoftSpySE
    2009-09-27 14:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\XoftSpySE
    2009-09-27 14:20 <DIR> --d----- c:\program files\XoftSpySE6
    2009-09-24 22:50 <DIR> --d----- c:\program files\Word Password Unlocker
    2009-09-24 18:30 <DIR> --d----- c:\docume~1\hamidy~1\applic~1\MiniDm
    2009-09-24 17:42 <DIR> --d----- c:\docume~1\hamidy~1\applic~1\IEPro
    2009-09-24 00:13 <DIR> --d----- c:\docume~1\hamidy~1\applic~1\Basta Computing
    2009-09-11 23:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GlobalSCAPE
    2009-09-11 23:06 <DIR> --d----- c:\program files\GlobalSCAPE
    2009-09-10 10:41 27,656 a------- c:\windows\system32\drivers\pxsec.sys
    2009-09-10 10:41 22,024 a------- c:\windows\system32\drivers\pxscan.sys
    2009-09-10 10:41 24,653 a------- c:\windows\wininit.ini

    ==================== Find3M ====================

    2009-09-11 02:12 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
    2009-08-28 02:25 1,024 a------- c:\docume~1\alluse~1\applic~1\imgpdf2.dll
    2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.DLL
    2008-04-29 22:31 88 a--shr-- c:\windows\system32\9EAA864B62.sys
    2008-04-29 22:31 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 1:09:13.03 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-09-29.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/19/2009 1:10:08 AM
    System Uptime: 10/6/2009 3:46:28 PM (10 hours ago)

    Motherboard: Dell Inc. | | 0KD882
    Processor: Intel(R) Core(TM) Duo CPU T2450 @ 2.00GHz | Microprocessor | 1995/133mhz
    Processor: Intel(R) Core(TM) Duo CPU T2450 @ 2.00GHz | Microprocessor | 1994/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 39 GiB total, 14.542 GiB free.
    D: is FIXED (FAT32) - 24 GiB total, 16.668 GiB free.
    E: is FIXED (FAT32) - 24 GiB total, 17.517 GiB free.
    F: is FIXED (FAT32) - 24 GiB total, 5.115 GiB free.
    G: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\1A87050464FC000
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\1A87050464FC000
    Service: NIC1394

    ==== System Restore Points ===================

    RP148: 9/11/2009 11:06:33 PM - Installed CuteFTP 8 Home
    RP149: 9/12/2009 11:06:57 PM - System Checkpoint
    RP150: 9/13/2009 11:33:28 PM - System Checkpoint
    RP151: 9/15/2009 12:40:18 AM - System Checkpoint
    RP152: 9/16/2009 3:37:13 AM - System Checkpoint
    RP153: 9/17/2009 4:04:39 AM - System Checkpoint
    RP154: 9/18/2009 9:27:41 PM - System Checkpoint
    RP155: 9/21/2009 12:10:37 AM - System Checkpoint
    RP156: 9/22/2009 12:17:38 AM - System Checkpoint
    RP157: 9/23/2009 2:00:30 AM - System Checkpoint
    RP158: 9/24/2009 12:09:35 AM - Installed Horas
    RP159: 9/24/2009 5:27:06 PM - Removed Horas
    RP160: 9/25/2009 6:51:49 PM - System Checkpoint
    RP161: 9/26/2009 11:16:15 PM - System Checkpoint
    RP162: 9/27/2009 11:23:13 PM - System Checkpoint
    RP163: 9/29/2009 12:32:56 AM - System Checkpoint
    RP164: 9/30/2009 12:43:19 AM - System Checkpoint
    RP165: 10/1/2009 1:02:25 AM - System Checkpoint
    RP166: 10/2/2009 12:11:58 PM - System Checkpoint
    RP167: 10/2/2009 4:08:27 PM - Installed Windows XP KB958644.
    RP168: 10/2/2009 6:11:43 PM - Installed AVG Free 8.5
    RP169: 10/3/2009 2:49:47 AM - Installed Windows XP KB915865.
    RP170: 10/3/2009 2:50:44 AM - Installed Windows NLSDownlevelMapping.
    RP171: 10/3/2009 2:51:26 AM - Installed Windows IDNMitigationAPIs.
    RP172: 10/3/2009 2:51:55 AM - Installed Windows Internet Explorer 7.
    RP173: 10/3/2009 3:06:00 AM - Software Distribution Service 3.0
    RP174: 10/3/2009 11:55:17 AM - Avg8 Update
    RP175: 10/3/2009 6:48:31 PM - Avg8 Update
    RP176: 10/4/2009 12:41:38 AM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
    RP177: 10/4/2009 1:08:46 AM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
    RP178: 10/4/2009 1:44:09 PM - Installed Windows XP KB915865.
    RP179: 10/4/2009 1:45:12 PM - Installed Windows NLSDownlevelMapping.
    RP180: 10/4/2009 1:45:51 PM - Installed Windows IDNMitigationAPIs.
    RP181: 10/4/2009 1:46:27 PM - Installed Windows Internet Explorer 7.
    RP182: 10/5/2009 8:13:26 PM - Installed RangeMax Wireless-N USB Adapter WN111v2
    RP183: 10/6/2009 2:09:07 PM - Removed Microsoft Office Professional Edition 2003
    RP184: 10/6/2009 2:22:02 PM - Installed Microsoft Office Professional Edition 2003
    RP185: 10/6/2009 2:26:27 PM - Configured Microsoft Office Professional 2007
    RP186: 10/6/2009 2:37:23 PM - Removed Microsoft Office Professional Edition 2003
    RP187: 10/6/2009 2:44:44 PM - Installed Microsoft Office Professional Edition 2003
    RP188: 10/6/2009 2:52:10 PM - Configured Microsoft Office Professional 2007
    RP189: 10/7/2009 12:38:41 AM - Avira AntiVir Personal - 10/7/2009 0:38
    RP190: 10/7/2009 1:02:18 AM - Configured RangeMax Wireless-N USB Adapter WN111v2

    ==== Installed Programs ======================
    A4 TECH USB PC Camera H
    Addison-Wesley
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    Apache Tomcat 6.0 (remove only)
    Apple Mobile Device Support
    Apple Software Update
    ArGoSoft Mail Server Freeware
    Audacity 1.2.6
    Audacity Recovery Utility
    AutoUpdate
    AVG Free 8.5
    Babylon
    Borland C++ 5.0
    Broadcom 440x 10/100 Integrated Controller
    Browser Hijack Recover(BHR) 3.0
    Bullzip PDF Printer 4.0.0.543
    Camtasia Studio 5
    ClikView 2.1
    Compatibility Pack for the 2007 Office system
    Conexant HDA D110 MDC V.92 Modem
    Convert Multiple PDF Files To JPG Files Software 7.0
    Cucusoft YouTube Mate 7.10
    CuteFTP 8 Home
    CVSNT 2.5.03.2382
    DC++ 0.699
    Dell Resource CD
    Desktop Screen Record 5
    Dia (remove only)
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    doPDF 5.0 printer
    Exterminate It!
    Free PS Convert driver 8.15
    Free Registry Fix 5.0
    Free Window Registry Repair
    FreeCall
    GanttProject 2.0.7
    Gecode 2.2.0/Qt
    getPlus(R) for Adobe
    GlassFish V2
    GnuWin32: Bison-2.1
    Google Chrome
    Google Earth
    Google Talk Plugin
    Google Toolbar for Internet Explorer
    GPL Ghostscript Lite 8.61
    Graphics Converter Pro v6.9x
    HijackThis 2.0.2
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB952287)
    IE7Pro
    ImageConverter Plus 7.1
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java DB 10.3.1.4
    Java Runtime Environment 1.2
    Java(TM) 6 Update 11
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 10
    LAME v3.98.2 for Audacity
    Lizardtech DjVu Control
    Lizardtech Express View Browser Plug-in
    Logitech QuickCam Driver Package
    Malwarebytes' Anti-Malware
    MATLAB 7.1
    MediaRing Talk
    Microsoft .NET Framework 2.0
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mimer SQL Engine
    Mimer SQL Engine 9.2
    Mozilla Firefox (3.0.14)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    NetBeans IDE 6.0
    OpenOffice.org 3.0
    PC Suite for Sony Ericsson
    PDF to Image Converter 2.00
    Play89
    PowerDVD
    PPTools - Remove ALL
    Prevx CSI
    PuTTY version 0.60
    QuickSet
    QuickTime
    RealPlayer
    Registry Mechanic 8.0
    Replay Media Catcher 3.01
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Share Accelerator MM Toolbar
    Shock 4Way 3D v1.29
    Shockwave
    SigmaTel Audio
    Skype™ 3.5
    Sony Ericsson Media Manager 1.1
    Sony Ericsson Symbian 9 Drivers
    System Requirements Lab
    TortoiseCVS
    Uniblue RegistryBooster 2010
    Unicode Image Maker 1.02.01
    Uninstall GflAx
    Universal Document Converter
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update Manager
    VLC media player 0.9.8a
    WampServer 2.0
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
    Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
    Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live installer
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Media Format Runtime
    Windows Media Player 10
    WinRAR archiver
    WinSCP 4.1.8
    Xming-fonts 7.3.0.15
    Xming 6.9.0.31
    XML Pro
    XoftSpySE
    Yahoo Message Archive Decoder 4.3
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    10/6/2009 12:31:34 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0019B9743A70 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    10/6/2009 1:04:12 PM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.2, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
    10/6/2009 1:02:54 PM, error: Dhcp [1002] - The IP address lease 69.226.34.12 for the Network Card with network address 0019B9743A70 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    10/5/2009 8:51:56 PM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.3, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
    10/5/2009 8:29:54 PM, error: Service Control Manager [7000] - The BVRPMPR5 NDIS Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
    10/5/2009 8:28:46 PM, error: Dhcp [1002] - The IP address lease 69.229.110.116 for the Network Card with network address 0019B9743A70 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/5/2009 8:17:53 PM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
    10/5/2009 8:14:39 PM, error: ipnathlp [31012] - The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.
    10/5/2009 8:13:40 PM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 0019B9743A70 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    10/5/2009 8:12:23 PM, error: Dhcp [1002] - The IP address lease 69.229.174.197 for the Network Card with network address 0019B9743A70 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    10/4/2009 12:32:38 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
    10/4/2009 12:32:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CVSNT Locking Service 2.5.03.2382 service to connect.
    10/4/2009 12:32:38 PM, error: Service Control Manager [7000] - The CVSNT Locking Service 2.5.03.2382 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    10/4/2009 12:29:20 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
    10/4/2009 1:15:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/4/2009 1:15:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    10/3/2009 3:56:40 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd
    10/3/2009 3:56:40 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the MATLAB Server service to connect.
    10/3/2009 3:56:40 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    10/3/2009 3:56:40 AM, error: Service Control Manager [7000] - The MATLAB Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    10/3/2009 3:55:53 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
    10/3/2009 2:21:41 AM, error: System Error [1003] - Error code 000000d1, parameter1 00000006, parameter2 00000002, parameter3 00000000, parameter4 a837a2a9.
    10/3/2009 2:06:38 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 2:06:25 AM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    10/3/2009 2:06:20 AM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 2:06:20 AM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    10/3/2009 2:06:16 AM, error: Service Control Manager [7034] - The CVSNT Locking Service 2.5.03.2382 service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 2:06:13 AM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    10/3/2009 2:06:10 AM, error: Service Control Manager [7034] - The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 2:05:54 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    10/3/2009 2:05:44 AM, error: Service Control Manager [7034] - The ProtexisLicensing service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 2:05:41 AM, error: Service Control Manager [7034] - The MIMER TCP service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 2:05:38 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 1:07:15 AM, error: Service Control Manager [7034] - The CSIScanner service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 1:07:06 AM, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
    10/3/2009 1:07:01 AM, error: Service Control Manager [7034] - The MIMER-temp service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================
    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/10/07 01:13
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP2
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xAA941000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7B29000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA8B67000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\temp\Perflib_Perfdata_17b0.dat
    Status: Invisible to the Windows API!

    Path: c:\documents and settings\hamid yazdani\local settings\temp\etilqs_ecqdf5qh3una6szw8wnh
    Status: Allocation size mismatch (API: 32768, Raw: 0)

    Path: c:\documents and settings\hamid yazdani\local settings\application data\google\chrome\user data\default\cache\f_000935
    Status: Size mismatch (API: 7927677, Raw: 6564249)

    ==EOF==

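An added triage helper for DDS listings like the "Created Last 30" and "Find3M" sections above (example code, not part of this thread or of the DDS tool): it parses the one-entry-per-line format DDS prints and returns review hints for files carrying system+hidden attributes, zero-byte or oddly named files under system32, and newly created kernel drivers. The rules are constructed heuristics meant to point an analyst at entries worth a second look, not a verdict on any file.

```python
"""Triage helper for the DDS 'Created Last 30' / 'Find3M' sections.

Added example; not part of the forum thread or the DDS tool. Each DDS
listing line is: date, time, size (or <DIR>), 8-char attribute string,
path. The hint rules below are constructed heuristics for analyst review.
"""
import re
from dataclasses import dataclass, field

# Matches e.g. "2009-10-02 18:52 0 a------- c:\windows\system32\8104297.jun"
_LINE = re.compile(
    r"^\s*(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+?)\s*$"
)

# Extensions normally seen directly under %windir%\system32 (constructed list).
_TYPICAL_SYSTEM32_EXT = (".dll", ".exe", ".sys", ".mof", ".cfg", ".ini", ".dat", ".log")


@dataclass
class Entry:
    date: str
    time: str
    is_dir: bool
    size: int            # 0 for directories
    attrs: set           # attribute letters present, e.g. {"a", "s", "h"}
    path: str            # kept verbatim from the log
    hints: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for a DDS listing line, or None for headers/blank lines."""
    m = _LINE.match(line)
    if not m:
        return None
    size_txt = m.group("size")
    is_dir = size_txt == "<DIR>"
    return Entry(
        date=m.group("date"),
        time=m.group("time"),
        is_dir=is_dir,
        size=0 if is_dir else int(size_txt.replace(",", "")),
        attrs={c for c in m.group("attrs") if c != "-"},
        path=m.group("path"),
    )


def triage(entry: Entry) -> list:
    """Attach review hints to an entry and return them (empty list = nothing to flag)."""
    p = entry.path.lower()
    in_system32 = "\\system32\\" in p
    if entry.is_dir:
        # Directories such as C:\cmdcons (Recovery Console) legitimately carry
        # system+hidden attributes, so directory entries are not flagged here.
        return entry.hints
    if {"s", "h"} <= entry.attrs:
        entry.hints.append("file has system+hidden attributes")
    if in_system32 and entry.size == 0:
        entry.hints.append("zero-byte file under system32")
    if in_system32 and not p.endswith(_TYPICAL_SYSTEM32_EXT):
        entry.hints.append("extension not typical for system32")
    if p.endswith(".sys") and "\\drivers\\" in p:
        entry.hints.append("new kernel driver; confirm publisher and signature")
    return entry.hints


def triage_log(text: str) -> dict:
    """Parse every listing line in a DDS excerpt; return {path: hints} for flagged entries."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry):
            flagged[entry.path] = entry.hints
    return flagged


# Sample input: a handful of lines copied from the log in this thread,
# embedded here so the example runs offline.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-10-06 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSScanAppDataDir
2009-10-06 14:52 3,249 a------- c:\windows\system32\wbem\Outlook_01ca467b77c2c8ba.mof
2009-10-05 20:17 57,408 a------- c:\windows\system32\drivers\wsimd.sys
2009-10-04 12:25 <DIR> a-dshr-- C:\cmdcons
2009-10-02 18:52 0 a------- c:\windows\system32\8104297.jun

==================== Find3M ====================

2008-04-29 22:31 88 a--shr-- c:\windows\system32\9EAA864B62.sys
2008-04-29 22:31 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    for path, hints in triage_log(SAMPLE_LOG).items():
        print(path)
        for h in hints:
            print("   -", h)
```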
  7. #7
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    When I try to reach some directories I get a Windows Explorer crash, and all the windows are closed and reopened after some seconds. Can it be a new effect of the virus?
    Certainly possible. A couple things we can run and check out next.

    Please download exeHelper by Raktor to your desktop.
    Double-click on exeHelper.com to run the fix.
    A black window should pop up, press any key to close once the fix is completed.
    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  8. #8
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Also, had a question. Are you a Java developer? Noticed you had NetBeans, along with several old Java versions. They should all be removed and the latest installed, but I know developers will sometimes keep old versions for development purposes. Let me know.

  9. #9
    Junior Member
    Join Date
    Oct 2009
    Posts
    7

    Default

    Hi!

    Yes, it is more comfortable if I can keep NetBeans, but I can remove Eclipse and the other versions if you think it would be better to do that.

    BR

  10. #10
    Junior Member
    Join Date
    Oct 2009
    Posts
    7

    Default New Log

    Hi, sorry, I forgot to post the logs:

    exeHelper by Raktor - 09
    Build 20090925
    Run at 11:18:39 on 10/07/09
    Now searching...
    Checking for numerical processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
