
Thread: malware infected pc

  1. #1
    Senior Member
    Join Date
    Nov 2008
    Posts
    113

    Default malware infected pc

    Hi there, I think my PC is infected with malware. Please help. Please reply.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:46:47 PM, on 11/20/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18372)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\nyviv.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVerTV\QuickTV.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.speedbit.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SBCONVERT - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
    O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\wuaucIt.exe
    O4 - HKLM\..\Run: [lare] C:\WINDOWS\system32\nyviv.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [riwa] C:\WINDOWS\system32\gourotyz.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\RunServices: [lare] C:\WINDOWS\system32\nyviv.exe
    O4 - HKLM\..\RunServices: [riwa] C:\WINDOWS\system32\gourotyz.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
    O4 - HKUS\S-1-5-18\..\Run: [lare] C:\Documents and Settings\LocalService\Application Data\Microsoft\nyviv.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [lare] C:\Documents and Settings\LocalService\Application Data\Microsoft\nyviv.exe (User 'Default user')
    O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    --
    End of file - 6834 bytes
    Last edited by tashi; 2009-11-20 at 17:27. Reason: Removed volunteers usernames
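    The log above is the kind of input a helper reads by eye. As an added example (not part of the thread, and not HijackThis code), here is a small Python triage pass over R0 and O4 lines in that format. It flags a start page that does not point at Microsoft, autostart entries in locations ordinary XP software rarely uses (RunServices, Policies\Explorer\Run), executables launched from a profile's Application Data directory, and file names that imitate a Windows system binary, either by a look-alike character (capital I for lowercase l in wuaucIt.exe) or by a single-character edit (csrcs.exe against csrss.exe). The list of system binaries, the homoglyph map and the "unusual key" list are constructed assumptions; the sample lines are copied from the log posted above.

```python
import re

# Windows XP system binaries that malware likes to impersonate (constructed list, not
# exhaustive; extend it from a known-good inventory of the machine being triaged).
KNOWN_SYSTEM_BINARIES = {
    "wuauclt.exe", "csrss.exe", "svchost.exe", "lsass.exe", "ctfmon.exe",
    "spoolsv.exe", "winlogon.exe", "explorer.exe", "services.exe", "smss.exe",
}

# Characters that look alike on screen: capital I / digit 1 for lowercase l, digit 0 for o.
# Folding them (after lower-casing) makes "wuaucIt.exe" collide with "wuauclt.exe".
HOMOGLYPHS = str.maketrans("i10", "llo")

# Autostart locations that ordinary XP-era software almost never uses (assumed list).
UNUSUAL_KEYS = ("RunServices", "Policies\\Explorer\\Run")

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)$")
# First drive-letter path ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.+?\.exe)', re.IGNORECASE)


def edit_distance(a, b):
    """Plain Levenshtein distance; one substitution covers csrcs.exe vs csrss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename):
    """Return the system binary this name imitates, or None if it is genuine or unrelated."""
    raw = basename.lower()
    if raw in KNOWN_SYSTEM_BINARIES:
        return None
    folded = raw.translate(HOMOGLYPHS)
    for legit in sorted(KNOWN_SYSTEM_BINARIES):
        if folded == legit or edit_distance(raw, legit) == 1:
            return legit
    return None


def triage(lines):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in (raw_line.strip() for raw_line in lines):
        m = R0_RE.match(line)
        if m:
            url = m.group("url")
            if "microsoft.com" not in url.lower():
                findings.append((line, f"start page points at {url}"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        key, cmd = m.group("key"), m.group("cmd")
        reasons = []
        if any(k.lower() in key.lower() for k in UNUSUAL_KEYS):
            reasons.append(f"autostart via rarely used location {key}")
        pm = EXE_RE.match(cmd)
        if pm:
            path = pm.group("path")
            base = path.rsplit("\\", 1)[-1]
            legit = lookalike_of(base)
            if legit:
                reasons.append(f"{base} impersonates {legit}")
            if "\\application data\\" in path.lower():
                reasons.append("executable launched from a profile data directory")
        findings.extend((line, r) for r in reasons)
    return findings


# Sample input: a subset of the R0/O4 lines from the HijackThis log posted above.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.speedbit.com",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\wuaucIt.exe",
    r"O4 - HKLM\..\Run: [lare] C:\WINDOWS\system32\nyviv.exe",
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"O4 - HKLM\..\RunServices: [riwa] C:\WINDOWS\system32\gourotyz.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [lare] C:\Documents and Settings\LocalService\Application Data\Microsoft\nyviv.exe (User 'SYSTEM')",
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print(f"{reason}\n    {line}")
```

Note what the heuristics do not catch: the [lare] and [riwa] entries under the ordinary Run key only stand out because their names are meaningless, which no string rule settles reliably. That is why the helpers in this thread follow the log with a signature scan (Malwarebytes later confirms wuaucIt.exe and csrcs as Trojan.Agent) rather than fixing entries from the HijackThis output alone.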

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi yukukuhi,

    I think my pc is infected with malwares
    I think you're right. Your log is a few days old; if you still need help, reply to my post.
    How Can I Reduce My Risk?

  3. #3
    Senior Member
    Join Date
    Nov 2008
    Posts
    113

    Default New HijackThis Log

    Hi there shelf life,
    OK, cool. So should I post a new log now? Please reply.

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK. We will start with Malwarebytes. Directions and link:

    Please download Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    Post the log in your reply.
    How Can I Reduce My Risk?

  5. #5
    Senior Member
    Join Date
    Nov 2008
    Posts
    113

    Default mbam-log

    Malwarebytes' Anti-Malware 1.41
    Database version: 3235
    Windows 5.1.2600 Service Pack 2

    11/26/2009 11:20:27 AM
    mbam-log-2009-11-26 (11-20-05).txt

    Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
    Objects scanned: 179386
    Time elapsed: 43 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
    HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
    C:\Documents and Settings\ram\Local Settings\Temporary Internet Files\Content.IE5\GMQOGA4K\ldr[1] (Malware.Packer) -> No action taken.
    D:\System Volume Information\_restore{A6FEFDD3-C5AB-473A-A6C3-B5BEDF526D1E}\RP24\A0009824.exe (Trojan.Downloader) -> No action taken.
    C:\WINDOWS\system32\Drivers\ndisvvan.sys (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> No action taken.
    C:\WINDOWS\inf\phil1vid.inf (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\wuaucIt.exe (Trojan.Agent) -> No action taken.

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    After you ran Malwarebytes, did you restart your computer?
    We will get one more download to use. It's called ComboFix. There is a guide to read first. Read the guide, download ComboFix to your desktop, disable your antivirus and anti-malware, double-click the ComboFix icon and follow the prompts. Post the ComboFix log in your reply.

    Guide to using Combofix
    How Can I Reduce My Risk?

  7. #7
    Senior Member
    Join Date
    Nov 2008
    Posts
    113

    Default ComboFix log

    ComboFix 09-11-27.04 - ram 11/28/2009 14:08.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.654 [GMT 5.5:30]
    Running from: c:\documents and settings\ram\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ADS - WINDOWS: deleted 24 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\ram\Application Data\inst.exe
    c:\documents and settings\ram\secupdat.dat
    c:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll
    c:\windows\system32\msvcrt2.dll
    c:\windows\system32\qxzv85.exe@
    c:\windows\system32\secupdat.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
    .

    2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\documents and settings\ram\Application Data\Malwarebytes
    2009-11-26 04:29 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-26 04:29 . 2009-11-26 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-26 04:29 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-22 03:21 . 2009-11-18 12:56 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
    2009-11-22 03:21 . 2009-11-18 12:56 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2009-11-22 03:20 . 2009-11-18 12:56 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2009-11-22 03:20 . 2009-11-18 12:56 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2009-11-21 07:49 . 2009-11-21 07:49 -------- d-----w- c:\program files\Veoh Networks
    2009-11-20 13:58 . 2009-11-20 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2009-11-20 13:15 . 2009-11-20 13:15 -------- d-----w- c:\program files\Trend Micro
    2009-11-18 12:56 . 2009-11-18 13:31 -------- d-----w- C:\$AVG
    2009-11-18 12:56 . 2009-11-18 12:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-18 12:56 . 2009-11-18 12:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-18 12:56 . 2009-11-18 12:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-18 12:56 . 2009-11-28 05:24 -------- d-----w- c:\windows\system32\drivers\Avg
    2009-11-18 12:55 . 2009-11-18 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2009-11-18 12:55 . 2009-11-18 14:30 -------- d-----w- c:\windows\SxsCaPendDel
    2009-11-18 12:52 . 2009-11-18 12:52 40128 ----a-w- c:\windows\system32\drivers\eugjbkhf.sys
    2009-11-18 05:46 . 2009-11-18 05:46 79616 ----a-w- c:\windows\system32\drivers\zthcxtmv.sys
    2009-11-15 14:26 . 2009-11-15 14:27 -------- d-----w- c:\program files\Exact Audio Copy
    2009-11-15 14:14 . 2009-11-15 14:42 -------- d-----w- c:\program files\SlySoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-23 09:48 . 2009-09-29 04:39 -------- d-----w- c:\documents and settings\ram\Application Data\vlc
    2009-11-23 07:08 . 2009-06-27 11:11 72024 -c--a-w- c:\documents and settings\ram\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-23 07:08 . 2009-06-23 06:25 -------- d-----w- c:\documents and settings\ram\Application Data\VideoReDo-TVSuite
    2009-11-23 07:06 . 2009-06-23 06:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-22 15:25 . 2009-10-10 05:43 -------- d-----w- c:\documents and settings\ram\Application Data\Skype
    2009-11-22 11:27 . 2009-10-10 05:57 -------- d-----w- c:\documents and settings\ram\Application Data\skypePM
    2009-11-20 14:07 . 2009-06-27 10:26 -------- d-----w- c:\program files\Common Files\Adobe
    2009-11-18 12:56 . 2009-06-27 11:05 -------- d-----w- c:\program files\AVG
    2009-10-28 02:32 . 2009-08-04 13:58 -------- d-----w- c:\documents and settings\ram\Application Data\U3
    2009-10-27 06:38 . 2009-09-06 14:11 -------- d-----w- c:\program files\DVDFab 5
    2009-10-27 06:38 . 2009-09-06 14:11 -------- d-----w- c:\documents and settings\ram\Application Data\Vso
    2009-10-27 06:38 . 2009-09-06 14:11 47360 ----a-w- c:\documents and settings\ram\Application Data\pcouffin.sys
    2009-10-27 06:38 . 2009-09-06 14:11 47360 ----a-w- c:\documents and settings\ram\Application Data\pcouffin.sys
    2009-10-27 06:38 . 2009-10-23 09:47 -------- d-----w- c:\program files\CDisplay
    2009-10-26 03:04 . 2009-06-23 03:06 -------- d-----w- c:\program files\AVerTV
    2009-10-25 16:31 . 2009-10-25 16:26 -------- d-----w- c:\program files\Alcohol Soft
    2009-10-25 16:22 . 2009-10-25 16:22 639224 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-10-13 04:35 . 2009-10-13 04:35 -------- d-----w- c:\documents and settings\ram\Application Data\Apple Computer
    2009-10-10 05:57 . 2009-10-10 05:57 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----w- c:\program files\Common Files\Skype
    2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----r- c:\program files\Skype
    2009-10-08 14:51 . 2009-10-08 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-10-08 12:32 . 2009-10-08 12:29 703488 ----a-w- c:\windows\system32\cftu.exe
    2009-10-04 11:51 . 2009-10-04 11:51 -------- d-----w- c:\documents and settings\ram\Application Data\dvdcss
    2009-10-04 10:52 . 2009-10-04 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
    2009-10-04 08:16 . 2009-10-04 08:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
    2009-10-04 08:16 . 2009-10-04 08:16 -------- d-----w- c:\program files\Transparent
    2009-10-04 08:16 . 2009-10-04 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
    2009-10-04 07:48 . 2009-10-04 07:47 -------- d-----w- c:\program files\QuickTime
    2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\program files\Common Files\Apple
    2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\program files\Apple Software Update
    2009-10-04 07:47 . 2009-10-04 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-09-12 07:18 . 2009-09-12 07:17 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
    2009-09-08 13:27 . 2009-09-08 13:27 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-06 14:11 . 2009-09-06 14:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2009-06-23 06:29 . 2009-06-23 06:29 58652 ----a-w- c:\program files\AMVapp-uninst.exe
    2009-06-23 06:28 . 2009-06-23 06:28 67895 ----a-w- c:\program files\Premiere AVS Plugin uninst.exe
    2004-05-08 06:41 . 2004-05-08 06:41 53361 ----a-w- c:\program files\Premiere AVS GUI.exe
    2004-05-06 21:57 . 2004-05-06 21:57 57344 -c--a-w- c:\program files\IM-Avisynth.prm
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    QuickTV.lnk - c:\program files\AVerTV\QuickTV.exe [2005-10-30 393216]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-11-18 12:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eugjbkhf.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^ram^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\ram\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^ram^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\ram\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 eugjbkhf;eugjbkhf;c:\windows\system32\drivers\eugjbkhf.sys [11/18/2009 6:22 PM 40128]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/30/2009 10:35 AM 28552]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2009 9:52 PM 639224]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 6:26 PM 333192]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/18/2009 6:26 PM 285392]
    R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [6/23/2009 8:35 AM 57152]
    S2 f3u3aoalmts7oi;Zip Backup to CD;c:\windows\system32\rahoud.exe --> c:\windows\system32\rahoud.exe [?]
    S2 kdhkkjaegfolum;kdhkkjaegfolum;c:\windows\system32\drivers\zthcxtmv.sys [11/18/2009 11:16 AM 79616]
    S2 lqaypseitoiznxuu;Websense CPM Report Scheduler;c:\windows\system32\kutyd.exe --> c:\windows\system32\kutyd.exe [?]
    S3 caehwtzy;caehwtzy;\??\c:\windows\System32\Drivers\caehwtzy.sys --> c:\windows\System32\Drivers\caehwtzy.sys [?]
    S3 lmfcnrnh;lmfcnrnh;\??\c:\windows\System32\Drivers\lmfcnrnh.sys --> c:\windows\System32\Drivers\lmfcnrnh.sys [?]
    S3 mfcvermf;mfcvermf;\??\c:\windows\System32\Drivers\mfcvermf.sys --> c:\windows\System32\Drivers\mfcvermf.sys [?]
    S3 vnrildvq;vnrildvq;\??\c:\windows\System32\Drivers\vnrildvq.sys --> c:\windows\System32\Drivers\vnrildvq.sys [?]
    S3 xbziilsx;xbziilsx;\??\c:\windows\System32\Drivers\xbziilsx.sys --> c:\windows\System32\Drivers\xbziilsx.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{45408DC9-5BB3-465E-8843-F87C6FC3D999}.job
    - c:\windows\system32\msfeedssync.exe [2009-01-14 20:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = search.speedbit.com
    IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
    IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
    FF - ProfilePath - c:\documents and settings\ram\Application Data\Mozilla\Firefox\Profiles\wpwmbnk9.default\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Byki Express - c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}\BYKI4Installer.exe REMOVE=TRUE MODIFY=FALSE
    AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-28 14:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D11D8]<<
    kernel: error reading MBR

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1292428093-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{59985D0F-EEB6-70CB-E15F-4BE44F1B96F3}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1292428093-1085031214-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729DC006-8213-1BFB-6F7E-776798F5AC4C}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "haibkidaenonpphf"=hex:6f,61,68,61,66,61,64,66,6e,6c,63,65,68,6e,66,67,67,6e,
    63,61,61,65,70,63,6f,6f,6b,69,6b,6a,00,77
    "jajbfibakphkgmjenaed"=hex:64,62,6a,62,6d,6b,6a,70,61,62,6d,61,6d,67,6a,64,67,
    6b,64,6d,69,6e,69,65,62,66,64,6a,62,61,6a,65,6b,63,6e,6a,66,6d,6c,61,00,e3

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
    "AB141C35E9F4BF344B9FC010BB17F68A"=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3532)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\crypserv.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-28 14:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-28 08:45

    Pre-Run: 10,489,323,520 bytes free
    Post-Run: 10,468,663,296 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 2CA0F1BD189B447DFA7E6A08B85B52F2
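    Two parts of this ComboFix log carry the evidence behind the next reply. The service lines show which registered drivers and services point at files ComboFix could not find (the `--> path [?]` form), and the Gmer MBR detector reports a user-mode read that succeeded while the kernel-mode read failed, with an unidentified module in the disk I/O chain. As an added example (not from the thread and not ComboFix or Gmer code), the Python below parses both sections in the exact format printed above. The service-line grammar is inferred from the lines shown here, and the reading of the MBR output as rootkit-consistent is an assumption taken from the helper's conclusion in the next post; the sample lines are copied from this log.

```python
import re

# One service line as ComboFix prints it above (format inferred from this log):
#   R0 name;display;path [date size]      -> image file found; stamp and size shown
#   S2 name;display;path --> path [?]     -> service registered, image file not found
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?) \[\?\]| \[(?P<meta>[^\]]+)\])$"
)
# Gmer marks a module it cannot attribute in the disk stack as >>UNKNOWN [addr]<<
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")


def parse_service(line):
    """Split one R*/S* service line into its fields, or return None for other lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": m.group("resolved") or m.group("path"),
        "file_present": m.group("meta") is not None,
    }


def missing_binary_services(lines):
    """Names of services/drivers registered to start although their image file is absent."""
    return [svc["name"] for svc in map(parse_service, lines)
            if svc is not None and not svc["file_present"]]


def assess_mbr_report(lines):
    """Signs in the Gmer MBR output that the thread treats as rootkit activity (assumed)."""
    user_ok = kernel_ok = False
    unknown = None
    for line in (raw_line.strip() for raw_line in lines):
        if line.startswith("user: MBR read successfully"):
            user_ok = True
        elif line.startswith("kernel: MBR read successfully"):
            kernel_ok = True
        m = UNKNOWN_MODULE_RE.search(line)
        if m:
            unknown = m.group("addr")
    reasons = []
    if user_ok and not kernel_ok:
        reasons.append("user-mode MBR read succeeded but the kernel-mode read failed")
    if unknown:
        reasons.append(f"unidentified module at {unknown} sits in the disk I/O chain")
    return reasons


# Sample input: the service and MBR-detector lines from the ComboFix log above.
SERVICE_LINES = [
    r"R0 eugjbkhf;eugjbkhf;c:\windows\system32\drivers\eugjbkhf.sys [11/18/2009 6:22 PM 40128]",
    r"R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/30/2009 10:35 AM 28552]",
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 6:26 PM 333192]",
    r"S2 f3u3aoalmts7oi;Zip Backup to CD;c:\windows\system32\rahoud.exe --> c:\windows\system32\rahoud.exe [?]",
    r"S2 kdhkkjaegfolum;kdhkkjaegfolum;c:\windows\system32\drivers\zthcxtmv.sys [11/18/2009 11:16 AM 79616]",
    r"S2 lqaypseitoiznxuu;Websense CPM Report Scheduler;c:\windows\system32\kutyd.exe --> c:\windows\system32\kutyd.exe [?]",
    r"S3 caehwtzy;caehwtzy;\??\c:\windows\System32\Drivers\caehwtzy.sys --> c:\windows\System32\Drivers\caehwtzy.sys [?]",
    r"S3 lmfcnrnh;lmfcnrnh;\??\c:\windows\System32\Drivers\lmfcnrnh.sys --> c:\windows\System32\Drivers\lmfcnrnh.sys [?]",
    r"S3 mfcvermf;mfcvermf;\??\c:\windows\System32\Drivers\mfcvermf.sys --> c:\windows\System32\Drivers\mfcvermf.sys [?]",
    r"S3 vnrildvq;vnrildvq;\??\c:\windows\System32\Drivers\vnrildvq.sys --> c:\windows\System32\Drivers\vnrildvq.sys [?]",
    r"S3 xbziilsx;xbziilsx;\??\c:\windows\System32\Drivers\xbziilsx.sys --> c:\windows\System32\Drivers\xbziilsx.sys [?]",
]
MBR_LINES = [
    "device: opened successfully",
    "user: MBR read successfully",
    "called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D11D8]<<",
    "kernel: error reading MBR",
]

if __name__ == "__main__":
    print("services with missing image files:", missing_binary_services(SERVICE_LINES))
    for reason in assess_mbr_report(MBR_LINES):
        print("MBR:", reason)
```

The seven names this returns are exactly the services the helper lists under `Driver::` in the CFScript two posts later, apart from eugjbkhf and kdhkkjaegfolum, whose driver files do exist on disk; those two were picked out from the file dates and the SafeBoot entry rather than from a missing-file check, which is why a script like this is a first pass and not a verdict.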

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    You have some nasty processes running. Looks like rootkit activity. You should use the machine as little as possible and no financial or personal transactions. Power it off or at least ensure there is no connectivity when not in use. I would consider reformatting and reinstalling Windows. Rootkits can be difficult to remove. Up to you how you want to continue. Some general info about rootkits:

    http://technet.microsoft.com/en-us/l.../cc512642.aspx

    This link doesn't even mention the word rootkit, but it still applies:
    http://technet.microsoft.com/en-us/l.../cc512587.aspx
    How Can I Reduce My Risk?

  9. #9
    Senior Member
    Join Date
    Nov 2008
    Posts
    113

    Default

    Well then, OK. I am ready to continue; please help.

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    We will continue with ComboFix. Before using it, disable your antivirus and any anti-malware that might be running.

    Click Start, then Run and type Notepad and click OK.
    Copy/paste the text in the code box below into notepad:

    Code:
    Driver::
    eugjbkhf
    f3u3aoalmts7oi
    kdhkkjaegfolum
    lqaypseitoiznxuu
    caehwtzy
    lmfcnrnh
    mfcvermf
    vnrildvq
    xbziilsx
    
    File::
    c:\windows\system32\drivers\eugjbkhf.sys
    c:\windows\system32\rahoud.exe
    c:\windows\system32\drivers\zthcxtmv.sys
    c:\windows\system32\kutyd.exe
    c:\windows\System32\Drivers\caehwtzy.sys
    c:\windows\System32\Drivers\lmfcnrnh.sys
    c:\windows\System32\Drivers\mfcvermf.sys
    c:\windows\System32\Drivers\vnrildvq.sys
    c:\windows\System32\Drivers\xbziilsx.sys
    c:\windows\system32\cftu.exe
    c:\windows\system32\ezsidmv.dat
    Name the Notepad file CFScript.txt and save it to your desktop.
    Now locate the file you just saved and the ComboFix icon, both on your desktop.
    Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
    Please post the new ComboFix log.

    After ComboFix is finished, make sure your AV and any anti-malware are running.
    Check Malwarebytes for updates, do a scan with it as well, and post the log:

    Click the MBAM icon on your desktop. Once the program has loaded, click the Update tab, then check for updates. Select the Scanner tab, Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click **Remove Selected.**

    **A restart of your computer most likely will be required to remove some items. If prompted, please choose yes to restart your computer.**

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    Post the log in your reply.
    How Can I Reduce My Risk?
