
Thread: malware infected pc

  1. #11
    Senior Member (Join Date: Nov 2008; Posts: 113)

    ComboFix log

    ComboFix 09-11-29.06 - ram 11/30/2009 18:51.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.565 [GMT 5.5:30]
    Running from: c:\documents and settings\ram\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\ram\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\system32\cftu.exe"
    "c:\windows\System32\Drivers\caehwtzy.sys"
    "c:\windows\system32\drivers\eugjbkhf.sys"
    "c:\windows\System32\Drivers\lmfcnrnh.sys"
    "c:\windows\System32\Drivers\mfcvermf.sys"
    "c:\windows\System32\Drivers\vnrildvq.sys"
    "c:\windows\System32\Drivers\xbziilsx.sys"
    "c:\windows\system32\drivers\zthcxtmv.sys"
    "c:\windows\system32\ezsidmv.dat"
    "c:\windows\system32\kutyd.exe"
    "c:\windows\system32\rahoud.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\cftu.exe
    c:\windows\system32\drivers\eugjbkhf.sys
    c:\windows\system32\drivers\zthcxtmv.sys
    c:\windows\system32\ezsidmv.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_EUGJBKHF
    -------\Legacy_F3U3AOALMTS7OI
    -------\Legacy_LQAYPSEITOIZNXUU
    -------\Service_caehwtzy
    -------\Service_eugjbkhf
    -------\Service_f3u3aoalmts7oi
    -------\Service_kdhkkjaegfolum
    -------\Service_lmfcnrnh
    -------\Service_lqaypseitoiznxuu
    -------\Service_mfcvermf
    -------\Service_vnrildvq
    -------\Service_xbziilsx


    ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
    .

    2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\documents and settings\ram\Application Data\Malwarebytes
    2009-11-26 04:29 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-26 04:29 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-22 03:21 . 2009-11-18 12:56 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
    2009-11-22 03:21 . 2009-11-18 12:56 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2009-11-22 03:20 . 2009-11-18 12:56 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2009-11-22 03:20 . 2009-11-18 12:56 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2009-11-21 07:49 . 2009-11-21 07:49 -------- d-----w- c:\program files\Veoh Networks
    2009-11-20 13:58 . 2009-11-20 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2009-11-20 13:15 . 2009-11-20 13:15 -------- d-----w- c:\program files\Trend Micro
    2009-11-18 12:56 . 2009-11-18 13:31 -------- d-----w- C:\$AVG
    2009-11-18 12:56 . 2009-11-18 12:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-18 12:56 . 2009-11-18 12:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-18 12:56 . 2009-11-18 12:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-18 12:56 . 2009-11-30 12:38 -------- d-----w- c:\windows\system32\drivers\Avg
    2009-11-18 12:55 . 2009-11-18 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2009-11-18 12:55 . 2009-11-18 14:30 -------- d-----w- c:\windows\SxsCaPendDel
    2009-11-15 14:26 . 2009-11-15 14:27 -------- d-----w- c:\program files\Exact Audio Copy
    2009-11-15 14:14 . 2009-11-15 14:42 -------- d-----w- c:\program files\SlySoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-29 15:05 . 2009-10-10 05:43 -------- d-----w- c:\documents and settings\ram\Application Data\Skype
    2009-11-29 13:27 . 2009-10-10 05:57 -------- d-----w- c:\documents and settings\ram\Application Data\skypePM
    2009-11-28 08:49 . 2009-09-29 04:39 -------- d-----w- c:\documents and settings\ram\Application Data\vlc
    2009-11-23 07:08 . 2009-06-27 11:11 72024 -c--a-w- c:\documents and settings\ram\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-23 07:08 . 2009-06-23 06:25 -------- d-----w- c:\documents and settings\ram\Application Data\VideoReDo-TVSuite
    2009-11-23 07:06 . 2009-06-23 06:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-20 14:07 . 2009-06-27 10:26 -------- d-----w- c:\program files\Common Files\Adobe
    2009-11-18 12:56 . 2009-06-27 11:05 -------- d-----w- c:\program files\AVG
    2009-10-28 02:32 . 2009-08-04 13:58 -------- d-----w- c:\documents and settings\ram\Application Data\U3
    2009-10-27 06:38 . 2009-09-06 14:11 -------- d-----w- c:\program files\DVDFab 5
    2009-10-27 06:38 . 2009-09-06 14:11 -------- d-----w- c:\documents and settings\ram\Application Data\Vso
    2009-10-27 06:38 . 2009-09-06 14:11 47360 ----a-w- c:\documents and settings\ram\Application Data\pcouffin.sys
    2009-10-27 06:38 . 2009-09-06 14:11 47360 ----a-w- c:\documents and settings\ram\Application Data\pcouffin.sys
    2009-10-27 06:38 . 2009-10-23 09:47 -------- d-----w- c:\program files\CDisplay
    2009-10-26 03:04 . 2009-06-23 03:06 -------- d-----w- c:\program files\AVerTV
    2009-10-25 16:31 . 2009-10-25 16:26 -------- d-----w- c:\program files\Alcohol Soft
    2009-10-25 16:22 . 2009-10-25 16:22 639224 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-10-13 04:35 . 2009-10-13 04:35 -------- d-----w- c:\documents and settings\ram\Application Data\Apple Computer
    2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----w- c:\program files\Common Files\Skype
    2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----r- c:\program files\Skype
    2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-10-04 11:51 . 2009-10-04 11:51 -------- d-----w- c:\documents and settings\ram\Application Data\dvdcss
    2009-10-04 10:52 . 2009-10-04 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
    2009-10-04 08:16 . 2009-10-04 08:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
    2009-10-04 08:16 . 2009-10-04 08:16 -------- d-----w- c:\program files\Transparent
    2009-10-04 08:16 . 2009-10-04 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
    2009-10-04 07:48 . 2009-10-04 07:47 -------- d-----w- c:\program files\QuickTime
    2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\program files\Common Files\Apple
    2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\program files\Apple Software Update
    2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-09-12 07:18 . 2009-09-12 07:17 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
    2009-09-08 13:27 . 2009-09-08 13:27 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-06 14:11 . 2009-09-06 14:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2009-06-23 06:29 . 2009-06-23 06:29 58652 ----a-w- c:\program files\AMVapp-uninst.exe
    2009-06-23 06:28 . 2009-06-23 06:28 67895 ----a-w- c:\program files\Premiere AVS Plugin uninst.exe
    2004-05-08 06:41 . 2004-05-08 06:41 53361 ----a-w- c:\program files\Premiere AVS GUI.exe
    2004-05-06 21:57 . 2004-05-06 21:57 57344 -c--a-w- c:\program files\IM-Avisynth.prm
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickTV.lnk - c:\program files\AVerTV\QuickTV.exe [2005-10-30 393216]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-11-18 12:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^ram^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\ram\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^ram^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\ram\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/30/2009 10:35 AM 28552]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2009 9:52 PM 639224]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 6:26 PM 333192]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/18/2009 6:26 PM 285392]
    R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [6/23/2009 8:35 AM 57152]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{45408DC9-5BB3-465E-8843-F87C6FC3D999}.job
    - c:\windows\system32\msfeedssync.exe [2009-01-14 20:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = search.speedbit.com
    IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
    IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
    FF - ProfilePath - c:\documents and settings\ram\Application Data\Mozilla\Firefox\Profiles\wpwmbnk9.default\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-eugjbkhf.sys



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-30 18:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D01D8]<<
    kernel: error reading MBR

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1292428093-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{59985D0F-EEB6-70CB-E15F-4BE44F1B96F3}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1292428093-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729DC006-8213-1BFB-6F7E-776798F5AC4C}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "haibkidaenonpphf"=hex:6f,61,68,61,66,61,64,66,6e,6c,63,65,68,6e,66,67,67,6e,
    63,61,61,65,70,63,6f,6f,6b,69,6b,6a,00,77
    "jajbfibakphkgmjenaed"=hex:64,62,6a,62,6d,6b,6a,70,61,62,6d,61,6d,67,6a,64,67,
    6b,64,6d,69,6e,69,65,62,66,64,6a,62,61,6a,65,6b,63,6e,6a,66,6d,6c,61,00,e3

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
    "AB141C35E9F4BF344B9FC010BB17F68A"=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3352)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\crypserv.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-30 18:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-30 13:29
    ComboFix2.txt 2009-11-28 08:45

    Pre-Run: 10,425,323,520 bytes free
    Post-Run: 10,318,565,376 bytes free

    - - End Of File - - 8A2F98C6E78223A2B91C479A7ECBBFAE

  2. #12
    Senior Member (Join Date: Nov 2008; Posts: 113)

    Malwarebytes log

    Malwarebytes' Anti-Malware 1.41
    Database version: 3260
    Windows 5.1.2600 Service Pack 2

    11/30/2009 8:34:28 PM
    mbam-log-2009-11-30 (20-34-28).txt

    Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
    Objects scanned: 179768
    Time elapsed: 29 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  3. #13
    Emeritus (Join Date: Nov 2005; Location: @localhost; Posts: 6,066)

    Hi,

    OK, good. One more download to get as another check. Link and directions:

    Please download: RootRepeal

    http://ad13.geekstogo.com/RootRepeal.exe

    Click the icon on your desktop to start.
    Click on the Report tab at the bottom of the window
    Next, Click on the Scan button
    In the Select Scan Window check everything:

    Drivers
    Processes
    SSDT
    Stealth Objects
    Hidden Services

    Click the OK button
    In the next dialog window select all the drives that are listed
    Click OK to start the scan

    When done click the Save Report button.
    Save the report to your desktop
    To Exit RootRepeal: click File>Exit
    Post the report in your reply

  4. #14
    Senior Member (Join Date: Nov 2008; Posts: 113)

    RootRepeal

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/12/01 13:49
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP2
    ==================================================

    Drivers
    -------------------
    Name: 00000116
    Image Path: \Driver\00000116
    Address: 0x00000000 Size: 0 File Visible: No Signed: -
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xAA3C5000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7B3A000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA9723000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: D:\SLOKAM\M.S.Subbulakshmi\videodownload:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    Status: Visible to the Windows API, but not on disk.

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "sptd.sys" at address 0xf73e50b0

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "sptd.sys" at address 0xf73ea84c

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "sptd.sys" at address 0xf73eabec

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "sptd.sys" at address 0xf73e5090

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "sptd.sys" at address 0xf73eacc4

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "sptd.sys" at address 0xf73eab44

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "sptd.sys" at address 0xf73ead56

    Stealth Objects
    -------------------
    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
    Process: System Address: 0x8655e1d8 Size: 151

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
    Process: System Address: 0x85c3a1d8 Size: 131

    Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
    Process: System Address: 0x8655f1d8 Size: 463

    Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
    Process: System Address: 0x8655f1d8 Size: 463

    Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8655f1d8 Size: 463

    Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8655f1d8 Size: 463

    Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
    Process: System Address: 0x8655f1d8 Size: 463

    Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8655f1d8 Size: 463

    Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
    Process: System Address: 0x8655f1d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
    Process: System Address: 0x863721d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
    Process: System Address: 0x865d31d8 Size: 463

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
    Process: System Address: 0x86441980 Size: 463

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
    Process: System Address: 0x86441980 Size: 463

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x86441980 Size: 463

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x86441980 Size: 463

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
    Process: System Address: 0x86441980 Size: 463

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x86441980 Size: 463

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
    Process: System Address: 0x86441980 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
    Process: System Address: 0x865601d8 Size: 463

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
    Process: System Address: 0x85c88308 Size: 463

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
    Process: System Address: 0x85c88308 Size: 463

    Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x85c88308 Size: 463

    Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x85c88308 Size: 463

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
    Process: System Address: 0x85c88308 Size: 463

    Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
    Process: System Address: 0x85c88308 Size: 463

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
    Process: System Address: 0x863ca308 Size: 463

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
    Process: System Address: 0x863ca308 Size: 463

    Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x863ca308 Size: 463

    Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x863ca308 Size: 463

    Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
    Process: System Address: 0x863ca308 Size: 463

    Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x863ca308 Size: 463

    Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
    Process: System Address: 0x863ca308 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
    Process: System Address: 0x85c831d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_CREATE]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_CLOSE]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_READ]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_CLEANUP]
    Process: System Address: 0x85c6f1d8 Size: 463

    Object: Hidden Code [Driver: Cdfs؅ఊ祓譐Ȩ, IRP_MJ_PNP]
    Process: System Address: 0x85c6f1d8 Size: 463

    ==EOF==

  5. #15
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Post another hjt log for me and download and run DDS also. Link and directions for DDS:


    Please download DDS and save it to your desktop.
    Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS.txt will open.
    Save both reports to your desktop.
    Copy/paste both logs in your reply.
    Last edited by shelf life; 2009-12-02 at 00:48. Reason: changed stuff
    How Can I Reduce My Risk?

  6. #16
    Senior Member
    Join Date
    Nov 2008
    Posts
    113

    Default hijackthis.log and DDS

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:55:47 AM, on 12/2/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18372)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVerTV\QuickTV.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.speedbit.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SBCONVERT - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
    O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
    O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    --
    End of file - 5518 bytes

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by ram at 11:56:28.90 on Wed 12/02/2009
    Internet Explorer: 8.0.6001.18372
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.632 [GMT 5.5:30]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVerTV\QuickTV.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\ram\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = search.speedbit.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: SBCONVERT Class: {a1056498-d09a-41e4-864b-505edd640d9e} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll
    TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicktv.lnk - c:\program files\avertv\QuickTV.exe
    IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html
    IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html
    IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\ram\applic~1\mozilla\firefox\profiles\wpwmbnk9.default\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-8-30 28552]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-18 333192]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-18 28424]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-18 285392]
    R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2009-6-23 57152]

    =============== Created Last 30 ================

    2009-11-28 08:37:55 0 d-sha-r- C:\cmdcons
    2009-11-28 08:34:19 98816 ----a-w- c:\windows\sed.exe
    2009-11-28 08:34:19 77312 ----a-w- c:\windows\MBR.exe
    2009-11-28 08:34:19 260608 ----a-w- c:\windows\PEV.exe
    2009-11-28 08:34:19 161792 ----a-w- c:\windows\SWREG.exe
    2009-11-26 04:29:41 0 d-----w- c:\docume~1\ram\applic~1\Malwarebytes
    2009-11-26 04:29:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 04:29:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-26 04:29:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-26 04:29:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-21 07:49:49 0 d-----w- c:\program files\Veoh Networks
    2009-11-20 13:15:58 0 d-----w- c:\program files\Trend Micro
    2009-11-18 12:56:33 0 d-----w- C:\$AVG
    2009-11-18 12:56:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-18 12:56:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-18 12:56:05 0 d-----w- c:\windows\system32\drivers\Avg
    2009-11-18 12:55:59 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2009-11-18 12:55:39 0 d-----w- c:\windows\SxsCaPendDel
    2009-11-15 14:26:55 0 d-----w- c:\program files\Exact Audio Copy
    2009-11-15 14:14:11 0 d-----w- c:\program files\SlySoft

    ==================== Find3M ====================

    2009-10-27 06:38:48 47360 ----a-w- c:\docume~1\ram\applic~1\pcouffin.sys
    2009-10-25 16:22:07 639224 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-09-08 13:27:50 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-23 06:29:36 58652 ----a-w- c:\program files\AMVapp-uninst.exe
    2009-06-23 06:28:54 67895 ----a-w- c:\program files\Premiere AVS Plugin uninst.exe
    2004-05-08 06:41:32 53361 ----a-w- c:\program files\Premiere AVS GUI.exe
    2004-05-06 21:57:06 57344 -c--a-w- c:\program files\IM-Avisynth.prm

    ============= FINISH: 11:56:38.10 ===============

  7. #17
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK. Thanks for all the info. You can delete the RootRepeal icon from your desktop. Another download will remove ComboFix for you:

    Please download OTCleanIt and save it to your desktop.

    http://oldtimer.geekstogo.com/OTC.exe

    Double-click OTC.exe.
    Click the CleanUp! button.
    Select Yes when the "Begin cleanup Process?" prompt appears.
    If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes; if not, delete it yourself.

    Always check malwarebytes for updates before a scan.
    If all is good, some info for you:

    10 Tips for Reducing/Preventing Your Risk To Malware:

    1) It is essential to keep your OS (Windows), browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

    2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you're then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If you keep getting malware then you should review your computer habits.

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Even if you get an E-Mail from someone you know, it's possible that their computer or account information has been compromised.

    5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

    7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*

    8) Install and understand the *limitations* of a software firewall.

    9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0. Read the FAQs.

    10) Warez, cracks, etc. are very popular for carrying malware payloads. Using them will cause all kinds of problems. If you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

    A longer version in link below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?
