malware attack

A

anshula

New member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:06 PM, on 10/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\HOME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HOME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HOME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HOME\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: eslprintables Toolbar - {e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - C:\Program Files\eslprintables\tbeslp.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: eslprintables Toolbar - {e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - C:\Program Files\eslprintables\tbeslp.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eslprintables Toolbar - {e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - C:\Program Files\eslprintables\tbeslp.dll
O4 - HKLM\..\Run: [ResumeQuickupDownload] acappaa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL...-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9E6AE02-8C64-49F2-B479-E9EF23B2EEA0}: NameServer = 59.179.243.70,203.94.243.70
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7291 bytes
 
Hello and :welcome: to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

  • If you don't know or understand something please don't hesitate to ask
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

1 - download and run RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

2 - Status Check
Please reply with

the logs from RSIT (log.txt ,info.txt)

description of any problems you are having with your PC

Thanks peku006
 
thanks....but the downloading is not happening...i cant download anything ....

it says that

on google chrome:-
Oops! This link appears to be broken.
Suggestions:
Go to malwareremoval. com
Search on Google:


on IE:-
Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

but my internet is working all fine..
 
its still not working..
it says (in a dialog box)

Internet Explorer cannot download RSIT.exe from images.malwareremoval.com,
This site was not found. Make sure that the address is correct, and try again
 
Hi anshula

Let´s try this......

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Thanks peku006
 
Extras.Txt

OTL logfile created on: 10/16/2009 12:16:13 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\HOME\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

247.48 Mb Total Physical Memory | 68.29 Mb Available Physical Memory | 27.59% Memory free
606.89 Mb Paging File | 441.39 Mb Available in Paging File | 72.73% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.64 Gb Total Space | 0.80 Gb Free Space | 5.46% Space Free | Partition Type: FAT32
Drive D: | 22.60 Gb Total Space | 13.87 Gb Free Space | 61.35% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CO
Current User Name: HOME
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\HOME\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (aswUpdSv [Auto | Stopped]) -- File not found
SRV - (avast! Antivirus [Auto | Stopped]) -- File not found
SRV - (avast! Mail Scanner [On_Demand | Stopped]) -- File not found
SRV - (avast! Web Scanner [On_Demand | Stopped]) -- File not found
SRV - (fbpxdcw [Auto | Stopped]) -- C:\WINDOWS\System32\ilpmszte.dll ()
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (ServiceLayer [On_Demand | Stopped]) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (YahooAUService [Auto | Running]) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

========== Driver Services (SafeList) ==========

DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (nmwcd [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\nmwcd.sys (Nokia)
DRV - (nmwcdc [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\nmwcdc.sys (Nokia)
DRV - (nmwcdcj [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\nmwcdcj.sys (Nokia)
DRV - (nmwcdcm [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\nmwcdcm.sys (Nokia)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (rtl8139 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\..\URLSearchHook: {e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - C:\Program Files\eslprintables\tbeslp.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\S-1-5-21-2025429265-1547161642-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (eslprintables Toolbar) - {e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - C:\Program Files\eslprintables\tbeslp.dll (Conduit Ltd.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (eslprintables Toolbar) - {e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - C:\Program Files\eslprintables\tbeslp.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\..\Toolbar\WebBrowser: (eslprintables Toolbar) - {E47D6D44-6479-461D-BFA3-DBD0DC5A9011} - C:\Program Files\eslprintables\tbeslp.dll (Conduit Ltd.)
O4 - HKLM..\Run: [ResumeQuickupDownload] File not found
O4 - HKU\.DEFAULT..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-18..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-21-2025429265-1547161642-725345543-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-2025429265-1547161642-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2025429265-1547161642-725345543-1003_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2025429265-1547161642-725345543-1003_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE File not found
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://sdlc-esd.sun.com/ESD44/JSCDL...-jc.cab&File=jinstall-6u7-windows-i586-jc.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 59.179.243.70 202.159.219.228
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/11 21:30:26 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{e2706086-ee02-11dd-b58a-001109a7e92f}\Shell - "" = AutoRun
O33 - MountPoints2\{e2706086-ee02-11dd-b58a-001109a7e92f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/09/19 11:07:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/09/19 11:06:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/10/10 19:58:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/09/17 22:16:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HOME\Application Data\AVG8
[2009/10/10 19:59:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HOME\Local Settings\Application Data\Conduit
[2009/10/10 19:59:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HOME\Local Settings\Application Data\eslprintables
[2009/09/19 11:06:23 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2009/10/10 19:59:18 | 00,000,000 | ---D | C] -- C:\Program Files\Conduit
[2009/10/10 19:59:19 | 00,000,000 | ---D | C] -- C:\Program Files\eslprintables
[2009/10/11 16:21:57 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/10/10 19:58:21 | 00,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2009/10/16 12:14:56 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HOME\Desktop\OTL.exe
[2009/10/15 10:57:50 | 00,000,000 | -HSD | C] -- C:\FOUND.000
[2009/10/09 16:09:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/10/16 12:14:58 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HOME\Desktop\OTL.exe
[2009/10/16 12:07:16 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/16 12:07:14 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/15 23:53:48 | 03,231,690 | -H-- | M] () -- C:\Documents and Settings\HOME\Local Settings\Application Data\IconCache.db
[2009/10/11 16:22:00 | 00,001,638 | ---- | M] () -- C:\Documents and Settings\HOME\Desktop\HijackThis.lnk
[2009/10/10 18:21:40 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/09 17:22:00 | 00,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/09 17:15:40 | 00,000,604 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/09 17:15:40 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/07 21:04:48 | 00,054,784 | ---- | M] () -- C:\Documents and Settings\HOME\My Documents\observation 2.doc
[2009/10/05 19:25:04 | 00,050,176 | ---- | M] () -- C:\Documents and Settings\HOME\My Documents\observation 1.doc
[2009/09/23 18:29:44 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1547161642-725345543-1003Core.job
[2009/09/19 16:45:26 | 00,046,080 | ---- | M] () -- C:\Documents and Settings\HOME\My Documents\big idea.doc
[2009/09/19 13:16:06 | 00,043,528 | ---- | M] () -- C:\Documents and Settings\HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/19 12:48:58 | 00,028,672 | ---- | M] () -- C:\Documents and Settings\HOME\My Documents\Big ide1.doc
[2009/09/19 12:14:52 | 00,007,792 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2009/09/17 22:06:12 | 00,192,976 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/17 22:02:08 | 00,000,104 | ---- | M] () -- C:\Documents and Settings\HOME\Desktop\My Network Places.lnk
[2009/09/17 08:44:58 | 00,360,124 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/09/17 08:44:58 | 00,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/17 08:44:58 | 00,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files - No Company Name ==========
[2009/10/11 16:21:58 | 00,001,638 | ---- | C] () -- C:\Documents and Settings\HOME\Desktop\HijackThis.lnk
[2009/10/08 13:20:12 | 03,231,690 | -H-- | C] () -- C:\Documents and Settings\HOME\Local Settings\Application Data\IconCache.db
[2009/10/05 19:25:15 | 00,054,784 | ---- | C] () -- C:\Documents and Settings\HOME\My Documents\observation 2.doc
[2009/10/05 19:25:03 | 00,050,176 | ---- | C] () -- C:\Documents and Settings\HOME\My Documents\observation 1.doc
[2009/10/05 12:42:10 | 00,000,006 | -H-- | C] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/19 12:48:57 | 00,028,672 | ---- | C] () -- C:\Documents and Settings\HOME\My Documents\Big ide1.doc
[2009/09/19 12:02:49 | 00,007,792 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2009/09/19 11:13:53 | 00,046,080 | ---- | C] () -- C:\Documents and Settings\HOME\My Documents\big idea.doc
[2009/09/17 22:02:06 | 00,000,104 | ---- | C] () -- C:\Documents and Settings\HOME\Desktop\My Network Places.lnk
[2009/05/03 20:28:05 | 00,005,632 | -HS- | C] () -- C:\Program Files\Thumbs.db
[2009/04/29 22:41:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\BCD.INI
[2009/03/25 19:58:24 | 00,096,557 | ---- | C] () -- C:\Documents and Settings\HOME\Application Data\NMM-MetaData.db
[2008/08/02 10:54:09 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/07/26 14:10:42 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/07/26 14:04:08 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2008/07/26 13:52:53 | 00,059,392 | ---- | C] () -- C:\Documents and Settings\HOME\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/26 13:47:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\sensor.INI
[2008/07/26 13:46:19 | 00,003,368 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2008/07/26 13:46:14 | 00,000,454 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2008/07/26 13:40:10 | 00,043,528 | ---- | C] () -- C:\Documents and Settings\HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/07/26 13:39:46 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\HOME\Application Data\desktop.ini
[2008/07/26 13:25:28 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2007/03/29 23:00:40 | 00,203,264 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2004/08/07 00:18:16 | 00,000,604 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/07 00:18:03 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/04 04:56:44 | 00,165,000 | RHS- | C] () -- C:\WINDOWS\System32\ilpmszte.dll
[2004/07/17 15:36:38 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >
 
this is Extras.Txt-notepad

OTL Extras logfile created on: 10/16/2009 12:16:13 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\HOME\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

247.48 Mb Total Physical Memory | 68.29 Mb Available Physical Memory | 27.59% Memory free
606.89 Mb Paging File | 441.39 Mb Available in Paging File | 72.73% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.64 Gb Total Space | 0.80 Gb Free Space | 5.46% Space Free | Partition Type: FAT32
Drive D: | 22.60 Gb Total Space | 13.87 Gb Free Space | 61.35% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CO
Current User Name: HOME
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"7244:TCP" = 7244:TCP:*:Enabled:lytekepv

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"D:\Program Files\BitTorrent\bittorrent.exe" = D:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
"D:\Program Files\LimeWire\LimeWire.exe" = D:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{11964613-805F-432D-A12B-169554B793E7}" = Nokia Connectivity Cable Driver
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{59359B3D-ABE7-46BF-AB55-43B67A64DC68}" = Nokia MTP driver
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{99A40651-0BC2-4095-8F9A-A40FAB224FEF}" = PC Connectivity Solution
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}" = Nokia PC Suite
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B81023A5-71ED-46EB-BE3B-9F974D1155F1}" = HP Software Update
"{F901CA6D-A074-42D3-A11D-33AAE6FFD0C1}" = HP Deskjet 3740
"0C5EDC3653FED5B121F464339EAC12534D253B25" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)
"4077F884D1BB007055BDB83B621D87220A73F30F" = Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"B726756F5B5A5AA9D798B399386FC6205A45F19E" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)
"CD8424B9400BFF7D34AA18F816C71322AC4BDAA7" = Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
"eslprintables Toolbar" = eslprintables Toolbar
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LimeWire" = LimeWire 4.18.6
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia PC Suite" = Nokia PC Suite
"Picasa2" = Picasa 2
"QuickTime" = QuickTime
"VLC media player" = VLC media player 0.9.9
"WinZip" = WinZip
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2025429265-1547161642-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 12/28/2008 7:11:10 AM | Computer Name = CO | Source = avast! | ID = 33554522
Description =

Error - 12/28/2008 7:11:14 AM | Computer Name = CO | Source = avast! | ID = 33554522
Description =

[ Application Events ]
Error - 9/19/2009 2:04:36 AM | Computer Name = CO | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/19/2009 2:04:36 AM | Computer Name = CO | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/19/2009 2:10:55 AM | Computer Name = CO | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/19/2009 2:10:55 AM | Computer Name = CO | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 9/19/2009 2:11:21 AM | Computer Name = CO | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/19/2009 2:11:21 AM | Computer Name = CO | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/19/2009 2:33:14 AM | Computer Name = CO | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/19/2009 2:33:16 AM | Computer Name = CO | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 9/19/2009 2:58:53 AM | Computer Name = CO | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/20/2009 8:56:06 AM | Computer Name = CO | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 10/15/2009 2:05:46 PM | Computer Name = CO | Source = Service Control Manager | ID = 7023
Description = The Microsoft Driver service terminated with the following error:
%%1114

Error - 10/15/2009 2:05:46 PM | Computer Name = CO | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 aswSP aswTdi

Error - 10/16/2009 2:37:15 AM | Computer Name = CO | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 10/16/2009 2:37:15 AM | Computer Name = CO | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 10/16/2009 2:37:17 AM | Computer Name = CO | Source = Service Control Manager | ID = 7000
Description = The aswFsBlk service failed to start due to the following error: %%2

Error - 10/16/2009 2:37:17 AM | Computer Name = CO | Source = Service Control Manager | ID = 7000
Description = The avast! iAVS4 Control Service service failed to start due to the
following error: %%2

Error - 10/16/2009 2:37:17 AM | Computer Name = CO | Source = Service Control Manager | ID = 7000
Description = The avast! Standard Shield Support service failed to start due to
the following error: %%2

Error - 10/16/2009 2:37:17 AM | Computer Name = CO | Source = Service Control Manager | ID = 7001
Description = The avast! Antivirus service depends on the avast! Standard Shield
Support service which failed to start because of the following error: %%2

Error - 10/16/2009 2:37:17 AM | Computer Name = CO | Source = Service Control Manager | ID = 7023
Description = The Microsoft Driver service terminated with the following error:
%%1114

Error - 10/16/2009 2:37:17 AM | Computer Name = CO | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 aswSP aswTdi


< End of report >
 
Hi anshula

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire


I'd like you to read the this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Make an uninstall list using HijackThis

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

uninstall-man.jpg


5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply

Thanks peku006
 
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
eslprintables Toolbar
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Deskjet 3740
HP Software Update
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 7
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero OEM
Nokia Connectivity Cable Driver
Nokia MTP driver
Nokia PC Suite
Nokia PC Suite
PC Connectivity Solution
Picasa 2
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VLC media player 0.9.9
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
Windows Internet Explorer 7
WinZip
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
 
Hi anshula

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with



1. the Malwarebytes' Anti-Malware Log
2. a fresh HijackThis log
description of any problems you are having with your PC

Thanks peku006
 
Hi anshula

Let´s try this...

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

Thanks peku006
 
here goes..the C:\COMBOFIX.TXT

ComboFix 09-10-17.01 - HOME 10/18/2009 18:50.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.82 [GMT 5.5:30]
Running from: c:\documents and settings\HOME\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 081231-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\33ecfb.msi
c:\windows\system32\ilpmszte.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FBPXDCW
-------\Service_fbpxdcw


((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-15 05:27 . 2009-10-15 05:27 -------- d-----w- C:\FOUND.000
2009-10-11 10:51 . 2009-10-11 10:51 -------- d-----w- c:\program files\Trend Micro
2009-10-10 14:30 . 2009-10-10 14:30 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-10 14:29 . 2009-10-10 14:29 -------- d-----w- c:\program files\eslprintables
2009-10-10 14:29 . 2009-10-10 14:29 -------- d-----w- c:\documents and settings\HOME\Local Settings\Application Data\eslprintables
2009-10-10 14:29 . 2009-10-10 14:29 -------- d-----w- c:\program files\Conduit
2009-10-10 14:29 . 2009-10-10 14:29 -------- d-----w- c:\documents and settings\HOME\Local Settings\Application Data\Conduit
2009-10-10 14:28 . 2009-10-10 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-10 14:28 . 2009-10-10 14:28 -------- d-----w- c:\program files\VideoLAN
2009-10-10 14:26 . 2009-10-10 14:26 -------- d-s---w- c:\documents and settings\Administrator
2009-10-10 14:26 . 2008-07-26 08:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-09-19 05:37 . 2009-09-19 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-19 05:36 . 2009-09-19 05:36 -------- d-----w- c:\program files\Common Files\iS3
2009-09-19 05:36 . 2009-09-19 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 07:46 . 2008-07-26 08:10 43528 ----a-w- c:\documents and settings\HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 06:44 . 2009-09-19 06:32 7792 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-09-17 16:46 . 2009-09-17 16:46 -------- d-----w- c:\documents and settings\HOME\Application Data\AVG8
2009-05-03 14:58 . 2009-05-03 14:58 5632 --sha-w- c:\program files\Thumbs.db
2009-01-27 13:09 . 2009-01-09 12:17 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-01-27 13:09 . 2009-01-17 15:58 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e47d6d44-6479-461d-bfa3-dbd0dc5a9011}"= "c:\program files\eslprintables\tbeslp.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{e47d6d44-6479-461d-bfa3-dbd0dc5a9011}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e47d6d44-6479-461d-bfa3-dbd0dc5a9011}]
2009-09-23 06:20 2261016 ----a-w- c:\program files\eslprintables\tbeslp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e47d6d44-6479-461d-bfa3-dbd0dc5a9011}"= "c:\program files\eslprintables\tbeslp.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{e47d6d44-6479-461d-bfa3-dbd0dc5a9011}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E47D6D44-6479-461D-BFA3-DBD0DC5A9011}"= "c:\program files\eslprintables\tbeslp.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{e47d6d44-6479-461d-bfa3-dbd0dc5a9011}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-08 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7244:TCP"= 7244:TCP:lytekepv

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1547161642-725345543-1003Core.job
- c:\documents and settings\HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 17:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {F9E6AE02-8C64-49F2-B479-E9EF23B2EEA0} = 59.179.243.70,203.94.243.70
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-ResumeQuickupDownload - acappaa.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 18:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\combofix\CF20448.exe
c:\program files\YAHOO!\SOFTWAREUPDATE\YAHOOAUSERVICE.EXE
.
**************************************************************************
.
Completion time: 2009-10-18 18:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 13:27

Pre-Run: 1,238,941,696 bytes free
Post-Run: 1,212,604,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

122 --- E O F --- 2009-04-25 17:20
 
one more thing..

it said that my--
AV: avast! antivirus 4.8.1296 [VPS 081231-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
is enabled..
but i could not find Avast antivirus anywhere..
 
Hi anshula

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: 
File::
c:\windows\system32\drivers\kgpcpy.cfg

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScriptB-4.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2 - Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Thanks peku006
 
ComboFix log

ComboFix 09-10-17.01 - HOME 10/19/2009 15:49.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.114 [GMT 5.5:30]
Running from: c:\documents and settings\HOME\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\HOME\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 081231-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\drivers\kgpcpy.cfg"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AVSredirect.dll
c:\windows\system32\drivers\kgpcpy.cfg

.
((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-19 09:32 . 2009-10-19 09:32 -------- d-----w- c:\windows\LastGood
2009-10-18 14:51 . 2007-05-17 12:00 318976 ----a-w- c:\windows\system32\avisynth.dll
2009-10-18 14:51 . 2004-02-22 04:41 719872 ----a-w- c:\windows\system32\devil.dll
2009-10-18 14:51 . 2004-01-24 18:30 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2009-10-18 14:51 . 2004-01-24 18:30 70656 ----a-w- c:\windows\system32\i420vfw.dll
2009-10-18 14:51 . 2008-07-26 08:02 -------- d-----w- c:\program files\AviSynth 2.5
2009-10-18 14:51 . 2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-10-18 14:51 . 2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2009-10-18 14:51 . 2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-10-18 14:20 . 2009-10-18 14:20 356352 ----a-w- c:\windows\eSellerateEngine.dll
2009-10-18 14:20 . 2004-12-07 04:41 258352 ----a-w- c:\windows\system32\Unicows.dll
2009-10-18 13:58 . 2009-10-18 13:58 -------- d-----w- C:\FOUND.001
2009-10-11 10:51 . 2009-10-11 10:51 -------- d-----w- c:\program files\Trend Micro
2009-10-10 14:30 . 2009-10-10 14:30 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-10 14:29 . 2009-10-10 14:29 -------- d-----w- c:\documents and settings\HOME\Local Settings\Application Data\eslprintables
2009-10-10 14:29 . 2009-10-10 14:29 -------- d-----w- c:\program files\Conduit
2009-10-10 14:29 . 2009-10-10 14:29 -------- d-----w- c:\documents and settings\HOME\Local Settings\Application Data\Conduit
2009-10-10 14:28 . 2009-10-10 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-10 14:28 . 2009-10-10 14:28 -------- d-----w- c:\program files\VideoLAN
2009-10-10 14:26 . 2009-10-10 14:26 -------- d-s---w- c:\documents and settings\Administrator
2009-10-10 14:26 . 2008-07-26 08:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 07:46 . 2008-07-26 08:10 43528 ----a-w- c:\documents and settings\HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 05:37 . 2009-09-19 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-19 05:36 . 2009-09-19 05:36 -------- d-----w- c:\program files\Common Files\iS3
2009-09-19 05:36 . 2009-09-19 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-17 16:46 . 2009-09-17 16:46 -------- d-----w- c:\documents and settings\HOME\Application Data\AVG8
2009-05-03 14:58 . 2009-05-03 14:58 5632 --sha-w- c:\program files\Thumbs.db
2006-05-03 09:06 . 2009-10-18 14:51 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-10-18 14:51 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-10-18 14:51 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-01-27 13:09 . 2009-01-09 12:17 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-01-27 13:09 . 2009-01-17 15:58 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-08 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7244:TCP"= 7244:TCP:lytekepv

S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1547161642-725345543-1003Core.job
- c:\documents and settings\HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 17:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {F9E6AE02-8C64-49F2-B479-E9EF23B2EEA0} = 59.179.243.70,203.94.243.70
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - c:\program files\eslprintables\tbeslp.dll
BHO-{e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - c:\program files\eslprintables\tbeslp.dll
Toolbar-{e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - c:\program files\eslprintables\tbeslp.dll
WebBrowser-{E47D6D44-6479-461D-BFA3-DBD0DC5A9011} - c:\program files\eslprintables\tbeslp.dll
AddRemove-eslprintables Toolbar - c:\progra~1\ESLPRI~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 15:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-19 15:53
ComboFix-quarantined-files.txt 2009-10-19 10:23

Pre-Run: 3,829,260,288 bytes free
Post-Run: 3,983,081,472 bytes free

111 --- E O F --- 2009-10-19 03:39
 
You must log in or register to reply here.
Back
Top