
Thread: Infected.

  1. #11
    Guest (Join Date: Sep 2010, Posts: 158)

    I downloaded ComboFix.exe, but it asked me if I wanted to update first; it said there is a newer version. I said no, because I didn't know, and I was not sure if I could open other programs to find this while I had already double-clicked the icon.

    It didn't disconnect me from the internet throughout.

    Here's the report:

    ComboFix 10-10-18.03 - Antivirus 10/19/2010 19:10:39.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222.104 [GMT 5.5:30]
    Running from: c:\documents and settings\Antivirus\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
    .

    2010-10-01 19:17 . 2010-10-01 19:17 -------- d-----w- c:\documents and settings\Antivirus\Application Data\Safer Networking
    2010-10-01 19:17 . 2010-10-01 19:17 -------- d-----w- c:\program files\Safer Networking
    2010-09-30 05:53 . 2010-09-30 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-30 05:53 . 2010-09-30 08:14 -------- d-----w- c:\program files\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-9-7 122880]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/9/2010 1:12 PM 135336]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {7CC2FDD7-4E5F-41FE-93F0-688524BE22B2} = 202.56.215.54,202.56.215.55
    FF - ProfilePath - c:\documents and settings\Antivirus\Application Data\Mozilla\Firefox\Profiles\b335fjj7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(652)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(2396)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-10-19 19:16:27
    ComboFix-quarantined-files.txt 2010-10-19 13:46
    ComboFix2.txt 2010-09-27 13:44

    Pre-Run: 17,999,699,968 bytes free
    Post-Run: 17,994,158,080 bytes free

    - - End Of File - - 3E2A0AE8DEF5D4151088C86354ECFF99

  2. #12
    Guest (Join Date: Sep 2010, Posts: 158)

    Addition: The Bleeping Computer site didn't open at all (still so) so I could read/revise the instructions. I did it from what I remembered from last time.

    It says: Firefox can't establish a connection to the server at www.bleepingcomputer.com.

  3. #13
    Guest (Join Date: Sep 2010, Posts: 158)

    Sorry, I misspelled.
    I meant... could NOT* read/revise the instructions.

  4. #14
    Guest (Join Date: Sep 2010, Posts: 158)

    You know what... I doubt this...

    "All-new Yahoo Mail doesn't function without JavaScript"

    That's what my Yahoo Mail says. As soon as I log in, I get this text page with 6 to 9 lines telling me to switch on my JavaScript or else switch to the lower Yahoo Mail Classic. So I've been working in Yahoo Mail Classic to be secure.

    Today I just selected the whole page (supposed to be only text) and it highlighted areas which did not have any text written: a large blank area, because it had a lot of empty space below. It highlighted 2 large blank squares, and a series of line breaks (return character/newline character). Could it be this guy is trying to locate my IP from my visits on this page by invisible images (tracking images)?

  5. #15
    Guest (Join Date: Sep 2010, Posts: 158)

    Source Code Removed
    Last edited by ken545; 2010-10-20 at 15:21. Reason: Source Code Removed

  6. #16
    Guest (Join Date: Sep 2010, Posts: 158)

    Source Code Removed
    Last edited by ken545; 2010-10-20 at 15:21. Reason: Source Code Removed

  7. #17
    Guest (Join Date: Sep 2010, Posts: 158)

    Source Code Removed
    Last edited by ken545; 2010-10-20 at 15:22. Reason: Source Code Removed

  8. #18
    Guest (Join Date: Sep 2010, Posts: 158)

    Source Code Removed
    Last edited by ken545; 2010-10-20 at 15:23. Reason: Source Code Removed

  9. #19
    Guest (Join Date: Sep 2010, Posts: 158)

    Here's the attached image of the page... I've blanked out my user ID.

    Even the sign-out link doesn't click.

  10. #20
    Guest (Join Date: Sep 2010, Posts: 158)

    Hey, for several days since I installed Spybot Search & Destroy, I wasn't getting that ad at http://www.google.co.in/ for Google Chrome in the top-right corner. Today I got it after ComboFix / or the other runs.
