
Active When AVG removes virus PC restarts, after restart the problem is..

Discussion in 'Malware and Virus Removal Archive' started by alfa032, 2008/12/22.

  1. 2008/12/22
    alfa032

    alfa032 Inactive Thread Starter

    Joined:
    2008/09/24
    Messages:
    11
    Likes Received:
    0

    When the PC starts, AVG finds Trojan horse Downloader.Generic; after removing it the PC restarts, and the problem is still there. When I disable AVG the PC works fine, but on my drive C: there are some unknown exe files (I guess the virus is there, but AVG is disabled and it is not trying to remove it). Here is the log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:41:05, on 22.12.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Caffe\Server.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\csrcs.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\net.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Caffe-Server] C:\Program Files\Caffe\Server.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe "
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1229341992953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1229341973875
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A852589-AE34-48DA-8B29-892DC13BF279}: NameServer = 195.222.32.10 195.222.32.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AD6BE85-45CB-4571-B310-C6C7019543CD}: NameServer = 195.222.32.10,195.222.32.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0A852589-AE34-48DA-8B29-892DC13BF279}: NameServer = 195.222.32.10 195.222.32.20
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0A852589-AE34-48DA-8B29-892DC13BF279}: NameServer = 195.222.32.10 195.222.32.20
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 5708 bytes
     
  2. 2008/12/22
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Let's do the following:

    Temporarily disable real-time protection applications, as they may interfere with running the programs needed to eradicate infections. Check the list in How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs for any programs you run.


    Please download ComboFix
    Save to the Desktop <<< Important!!
    • Now, close all open windows
    • Double-click combofix.exe to run the program
    • Follow the prompts.
      (Don't click on the window while the program is running, it may cause your system to stall.)
    • CF may reboot the computer and resume running when it restarts.
    • When finished, a log, ComboFix.txt, is produced.


    Please provide the contents of the ComboFix report in your reply.
     


  4. 2008/12/24
    alfa032

    alfa032 Inactive Thread Starter

    Joined:
    2008/09/24
    Messages:
    11
    Likes Received:
    0
    In the meantime, while I was waiting for a response, I removed AVG and installed Avira free, and it moved the suspicious exe files to quarantine, and the PC worked fine, but it keeps showing me a security message that there is a virus in "csrcs.exe". I know about the Windows process csrss.exe, but there is a difference (s vs. c)... Because of all this I am posting the HijackThis log file again, and the ComboFix log as you asked:

    HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:39:17, on 24.12.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    C:\WINDOWS\system32\csrcs.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Caffe-Server] C:\Program Files\Caffe\Server.exe
    O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1229341992953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1229341973875
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AD6BE85-45CB-4571-B310-C6C7019543CD}: NameServer = 195.222.32.10,195.222.32.20
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 5095 bytes

    Combofix log:

    ComboFix 08-12-21.04 - glava 2008-12-24 10:43:09.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.295 [GMT 1:00]
    Running from: c:\documents and settings\glava\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\lsass.exe
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\csrcs.exe
    c:\windows\system32\TDSSbrsr.dat
    c:\windows\system32\TDSSfpmp.dat
    c:\windows\system32\TDSSfrsr.dat
    c:\windows\system32\TDSSkpjp.dll
    c:\windows\system32\TDSSkpjp.log
    c:\windows\system32\TDSSnmxh.dll
    c:\windows\system32\TDSSnrsr.dat
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSStkdv.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
    .

    2008-12-23 11:01 . 2008-12-23 11:01 <DIR> d--hs---- C:\FOUND.004
    2008-12-22 15:33 . 2008-12-22 15:33 230 --a------ c:\windows\system32\spupdsvc.inf
    2008-12-22 15:13 . 2008-12-22 15:13 <DIR> d-------- c:\program files\Avira
    2008-12-22 15:13 . 2008-12-22 15:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2008-12-22 15:12 . 2008-12-22 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2008-12-22 13:27 . 2008-12-22 13:27 <DIR> d-------- c:\program files\RegCure
    2008-12-22 12:26 . 2008-12-22 12:26 0 -rahs---- C:\khs
    2008-12-22 12:12 . 2008-12-22 12:12 <DIR> d--hs---- C:\FOUND.003
    2008-12-22 11:51 . 2008-12-22 11:51 <DIR> d-------- c:\program files\Trend Micro
    2008-12-22 11:12 . 2008-12-22 11:12 5,503 --a------ c:\documents and settings\glava\12600.DAT
    2008-12-22 11:10 . 2008-12-22 11:10 <DIR> d--hs---- C:\FOUND.002
    2008-12-22 11:07 . 2008-12-22 12:18 2 --a------ C:\942549858
    2008-12-22 11:03 . 2008-12-22 11:03 5,503 --a------ c:\documents and settings\glava\10720.DAT
    2008-12-22 11:01 . 2008-12-22 11:01 <DIR> d--hs---- C:\FOUND.001
    2008-12-22 10:54 . 2008-12-22 10:54 5,503 --a------ c:\documents and settings\glava\10400.DAT
    2008-12-21 12:37 . 2008-12-21 12:37 <DIR> d-------- c:\program files\BitTorrent
    2008-12-21 12:37 . 2008-12-21 12:37 <DIR> d-------- c:\documents and settings\glava\Application Data\BitTorrent
    2008-12-21 12:00 . 2008-12-21 20:11 112 --a------ c:\windows\system32\xyzwm.ini
    2008-12-21 11:29 . 2008-12-21 11:29 <DIR> d-------- c:\documents and settings\glava\Application Data\Kingston
    2008-12-20 16:32 . 2008-12-20 16:32 <DIR> d-------- c:\program files\YouTube Downloader
    2008-12-18 14:11 . 2008-12-18 14:11 <DIR> d-------- c:\documents and settings\glava\Contacts
    2008-12-17 12:02 . 2008-12-17 12:02 <DIR> d--hs---- C:\Recycled
    2008-12-17 11:48 . 2008-12-17 11:48 <DIR> d-------- c:\documents and settings\glava\Application Data\ABBYY
    2008-12-17 11:01 . 2008-12-17 11:01 <DIR> d-------- c:\program files\Common Files\ABBYY
    2008-12-17 10:57 . 2008-12-17 10:57 <DIR> d-------- c:\program files\ABBYY FineReader 9.0
    2008-12-17 10:57 . 2008-12-17 10:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\ABBYY
    2008-12-17 10:32 . 2008-12-17 10:32 5,503 --a------ c:\documents and settings\glava\2560.DAT
    2008-12-16 22:03 . 2008-12-16 22:03 <DIR> d-------- c:\windows\Sun
    2008-12-16 21:55 . 2008-12-16 21:54 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-16 21:55 . 2008-12-16 21:54 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-16 21:54 . 2008-12-16 21:54 <DIR> d-------- c:\program files\Java
    2008-12-16 20:47 . 2008-12-16 20:47 <DIR> d--hs---- c:\windows\ftpcache
    2008-12-16 16:36 . 2008-12-20 16:43 116 --a------ c:\windows\NeroDigital.ini
    2008-12-16 14:05 . 2008-12-16 14:05 <DIR> d-------- c:\documents and settings\glava\Application Data\Ahead
    2008-12-16 14:03 . 2008-12-16 14:03 <DIR> d-------- c:\program files\Nero
    2008-12-16 14:03 . 2008-12-16 14:03 <DIR> d-------- c:\program files\Common Files\Ahead
    2008-12-16 10:44 . 2008-12-16 10:44 1,454 -rahs---- c:\windows\system32\autorun.in
    2008-12-16 10:44 . 2008-12-16 10:44 1,304 -rahs---- c:\windows\system32\autorun.i
    2008-12-15 14:54 . 2008-10-16 21:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
    2008-12-15 14:54 . 2008-10-16 21:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
    2008-12-15 14:53 . 2008-10-16 21:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
    2008-12-15 14:53 . 2007-04-17 10:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
    2008-12-15 14:53 . 2007-03-08 06:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
    2008-12-15 14:53 . 2008-10-16 21:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
    2008-12-15 14:53 . 2008-10-16 21:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
    2008-12-15 14:53 . 2008-10-16 21:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
    2008-12-15 14:53 . 2008-10-16 14:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-15 14:34 . 2008-10-24 12:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-15 14:33 . 2008-08-14 11:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-15 14:33 . 2008-08-14 11:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-15 14:33 . 2008-08-14 10:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-15 14:33 . 2008-08-14 10:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-15 13:47 . 2008-12-15 13:48 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-15 13:41 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
    2008-12-15 13:41 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
    2008-12-15 13:05 . 2008-12-15 13:05 <DIR> d--h----- c:\windows\$hf_mig$
    2008-12-15 13:05 . 2006-09-06 17:43 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2008-12-15 12:54 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
    2008-12-15 12:54 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-15 12:54 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-15 12:54 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-15 12:54 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-15 12:51 . 2008-12-15 12:51 <DIR> d--hs---- c:\documents and settings\glava\UserData
    2008-12-15 12:08 . 2008-12-15 12:08 <DIR> d--hs---- C:\FOUND.000
    2008-12-15 12:00 . 2008-12-15 12:00 5,503 --a------ c:\documents and settings\glava\13360.DAT
    2008-12-15 10:56 . 2008-12-15 10:56 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-15 05:23 . 2008-12-15 05:23 <DIR> d-------- c:\windows\system32\LogFiles
    2008-12-15 04:13 . 2008-12-24 10:38 495 --a------ c:\windows\system32\SP701ASM.dat
    2008-12-15 04:12 . 2008-12-15 04:12 <DIR> d-------- C:\FBBM
    2008-12-15 03:56 . 2008-12-15 03:56 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-12-15 03:53 . 2008-12-15 03:53 <DIR> d-------- c:\program files\Realtek Sound Manager
    2008-12-15 03:53 . 2008-12-15 03:53 <DIR> d-------- c:\program files\AvRack
    2008-12-15 03:53 . 2004-11-17 16:08 16,162,816 --a------ c:\windows\system32\ALSNDMGR.CPL
    2008-12-15 03:53 . 2004-11-17 16:11 9,319,936 --a------ c:\windows\system32\RTLCPL.EXE
    2008-12-15 03:53 . 2004-11-17 19:05 2,297,664 --a------ c:\windows\system32\drivers\ALCXWDM.SYS
    2008-12-15 03:53 . 2004-11-05 16:29 208,896 --------- c:\windows\alcupd.exe
    2008-12-15 03:53 . 2004-09-07 14:23 156,672 --a------ c:\windows\system32\RtlCPAPI.dll
    2008-12-15 03:53 . 2002-02-05 13:54 141,016 --a------ c:\windows\system32\ALSNDMGR.WAV
    2008-12-15 03:53 . 2004-09-01 20:04 139,264 --------- c:\windows\alcrmv.exe
    2008-12-15 03:53 . 2004-11-15 18:20 77,824 --a------ c:\windows\SOUNDMAN.EXE
    2008-12-15 03:53 . 2004-10-27 15:47 40,960 --------- c:\windows\system32\ChCfg.exe
    2008-12-15 03:53 . 2005-01-14 14:07 744 --------- c:\windows\system32\drivers\alcxinit.dat
    2008-12-15 03:53 . 2001-07-06 00:19 164 --------- c:\windows\avrack.ini
    2008-12-15 03:51 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
    2008-12-15 03:45 . 2008-12-15 03:45 <DIR> d-------- c:\program files\Microsoft Works
    2008-12-15 03:44 . 2008-12-15 03:44 <DIR> d-------- c:\program files\MSBuild
    2008-12-15 03:34 . 2008-12-15 03:34 <DIR> d-------- c:\windows\SHELLNEW
    2008-12-15 03:33 . 2008-12-15 03:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-15 03:31 . 2008-12-15 03:31 <DIR> dr-h----- C:\MSOCache
    2008-12-15 03:21 . 2008-12-15 03:21 <DIR> d-------- c:\program files\Caffe
    2008-12-15 03:17 . 2008-04-14 06:42 741,376 --a------ c:\windows\system32\dllcache\sapi.dll
    2008-12-15 03:17 . 2008-04-14 06:42 155,648 --a------ c:\windows\system32\dllcache\sapi.cpl
    2008-12-15 03:10 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2008-12-15 03:10 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d-------- c:\program files\LINKMAGIC
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d--h----- c:\program files\InstallShield Installation Information
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d-------- c:\program files\Common Files\InstallShield
    2008-12-15 03:05 . 2008-12-15 03:05 <DIR> d-------- c:\windows\system32\DRVSTORE
    2008-12-15 03:05 . 2004-12-02 10:00 6,656 -ra------ c:\windows\system32\kbdcr.dll
    2008-12-15 03:05 . 2008-12-15 03:06 268 --ah----- C:\sqmdata00.sqm
    2008-12-15 03:05 . 2008-12-15 03:06 244 --ah----- C:\sqmnoopt00.sqm
    2008-12-15 03:04 . 2008-12-15 03:04 <DIR> d-------- c:\program files\MSN Messenger

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-15 01:33 --------- d-----w c:\program files\microsoft frontpage
    2008-11-07 15:45 2,174,976 ----a-w c:\windows\system32\dllcache\WMVCore.dll
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 13:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 13:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 13:12 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 13:12 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 13:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 13:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 13:07 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Caffe-Server "= "c:\program files\Caffe\Server.exe" [2008-12-15 2087424]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
    "avgnt "= "c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "SoundMan "= "SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LINKMAGIC.lnk]
    backup=c:\windows\pss\LINKMAGIC.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2005-11-24 15:38 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Program Files\\Caffe\\Server.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\groove.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=

    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service; "c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe" -service [2007-12-06 660768]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; "c:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883b6a2e-ca4a-11dd-b25a-0013d4b1cf3b}]
    \Shell\AutoRun\command - F:\ctdddg.exe
    \Shell\explore\Command - F:\ctdddg.exe
    \Shell\open\Command - F:\ctdddg.exe

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-22 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]

    2008-12-24 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Cmaudio - cmicnfg.cpl


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ba/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {9AD6BE85-45CB-4571-B310-C6C7019543CD} = 195.222.32.10,195.222.32.20
    FF - ProfilePath - c:\documents and settings\glava\Application Data\Mozilla\Firefox\Profiles\bfu5bsg1.default\
    FF - prefs.js: browser.startup.homepage - www.google.ba
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-24 10:44:51
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-24 10:45:43
    ComboFix-quarantined-files.txt 2008-12-24 09:45:42

    Pre-Run: 6,389,612,544 bytes free
    Post-Run: 6,396,248,064 bytes free

     
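The two logs above carry the same handful of indicators: a process named csrcs.exe (one letter away from the genuine csrss.exe) started from the system.ini Shell= value and from HKLM\..\Policies\Explorer\Run, a stray c:\windows\lsass.exe outside system32, and a mountpoints2 AutoRun command on drive F:. The script below is an added example, not part of this thread and not something HijackThis or ComboFix does itself; it applies those checks to raw log lines. The rules, the "expected directory" table for XP core processes, and the edit-distance-1 lookalike threshold are assumptions made for the example, and the sample lines are constructed from entries in the posted logs.

```python
"""Triage HijackThis / ComboFix log lines for the indicators seen in this thread.

All rules below are assumptions for this example, not behaviour of either tool:
  * a core Windows process name outside its expected directory
    (c:\\windows\\lsass.exe instead of c:\\windows\\system32\\lsass.exe)
  * a file name one substitution away from a core process name (csrcs.exe vs csrss.exe)
  * a system.ini Shell= value naming anything besides Explorer.exe
  * an HKLM\\..\\Policies\\Explorer\\Run entry
  * a mountpoints2 AutoRun/open/explore command (removable-media autorun)
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Core Windows XP process names and the directory each is expected to live in.
CORE_PROCESSES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "windows",
}

SHELL_RE = re.compile(r"\bShell=(.+)$", re.I)
POLICY_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run:", re.I)
AUTORUN_RE = re.compile(r"\\Shell\\(AutoRun|open|explore)\\command\s+-\s+\S+", re.I)
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


def edit_distance(a, b):
    """Levenshtein distance; short file names make the O(n*m) table cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process_path(path):
    """Return a rule name if a full executable path looks like an impostor, else None."""
    parts = path.strip().lower().replace("/", "\\").split("\\")
    name = parts[-1]
    parent = parts[-2] if len(parts) >= 2 else ""
    if name in CORE_PROCESSES:
        return None if CORE_PROCESSES[name] == parent else "core-process-wrong-directory"
    # Same length and exactly one differing character, e.g. csrcs.exe vs csrss.exe.
    for legit in CORE_PROCESSES:
        if len(legit) == len(name) and edit_distance(name, legit) == 1:
            return "lookalike-process-name"
    return None


def triage(lines):
    """Apply the rules to raw log lines; return Findings in the order they were hit."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SHELL_RE.search(line)
        if m:
            # Only a lone Explorer.exe is a healthy shell value.
            if [s.lower() for s in m.group(1).split()] != ["explorer.exe"]:
                findings.append(Finding("extra-shell-executable", line))
        elif POLICY_RUN_RE.search(line):
            findings.append(Finding("policies-explorer-run", line))
        elif AUTORUN_RE.search(line):
            findings.append(Finding("removable-media-autorun", line))
        elif DRIVE_PATH_RE.match(line):
            rule = check_process_path(line)
            if rule:
                findings.append(Finding(rule, line))
    return findings


# Constructed sample: lines modelled on the HijackThis and ComboFix logs in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\csrcs.exe
c:\windows\lsass.exe
C:\WINDOWS\Explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
\Shell\AutoRun\command - F:\ctdddg.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.line}")
```

The lookalike rule is deliberately narrow (same length, one substitution) so that legitimate names in the same log such as sched.exe or avgnt.exe are not flagged against lsass.exe; widen it only after checking the false-positive rate on clean logs. The directory check is what separates the genuine C:\WINDOWS\system32\lsass.exe in the running-process list from the c:\windows\lsass.exe that ComboFix deleted.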
  5. 2008/12/24
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Looks as if you ran HijackThis before ComboFix:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:39:17, on 24.12.2008

    ComboFix: 2008-12-24 10:43:09.1

    However, please do the following, and it will also provide a HijackThis log, as well as additional information:

    Download Random's System Information Tool (RSIT)
    • Save it to the Desktop
    • Double click on RSIT.exe to run the program
    • Click Continue at the disclaimer screen
    • Once the tool finishes, two logs open. Log.txt is maximized, and Info.txt is minimized. (The logs are also contained in C:\rsit)
    ~~~~
    Please provide the RSIT: Log.txt and Info.txt reports in your reply.

    You may need to do consecutive posts (one after the other) right in this thread, if the logs are too long.
     
  6. 2008/12/25
    alfa032

    alfa032 Inactive Thread Starter

    Joined:
    2008/09/24
    Messages:
    11
    Likes Received:
    0
    As you said, part 1 of the log file:

    Logfile of random's system information tool 1.05 (written by random/random)
    Run by glava at 2008-12-25 10:40:03
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 6 GB (30%) free of 20 GB
    Total RAM: 511 MB (48% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:40:10, on 25.12.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    C:\WINDOWS\system32\csrcs.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Caffe\Server.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\glava\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\glava.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Caffe-Server] C:\Program Files\Caffe\Server.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1229341992953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1229341973875
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A852589-AE34-48DA-8B29-892DC13BF279}: NameServer = 195.222.32.10 195.222.32.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AD6BE85-45CB-4571-B310-C6C7019543CD}: NameServer = 195.222.32.10,195.222.32.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0A852589-AE34-48DA-8B29-892DC13BF279}: NameServer = 195.222.32.10 195.222.32.20
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 5644 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\RegCure.job
    C:\WINDOWS\tasks\RegCure Program Check.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
    Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-16 320920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-16 34816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-16 73728]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-11-15 77824]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-16 136600]
    "avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
    "Caffe-Server"=C:\Program Files\Caffe\Server.exe [2008-12-15 2087424]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe [2005-11-24 94208]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LINKMAGIC.lnk]
    C:\PROGRA~1\LINKMA~1\LINKMA~1.EXE [2006-03-10 1810432]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\Program Files\Caffe\Server.exe"="C:\Program Files\Caffe\Server.exe:*:Enabled:Server"
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
    "C:\Program Files\Microsoft Office\Office12\groove.exe"="C:\Program Files\Microsoft Office\Office12\groove.exe:*:Enabled:Microsoft Office Groove"
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
    "C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe"="C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe:*:Enabled:Nero ShowTime"
    "C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
    "C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
    "C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883b6a2e-ca4a-11dd-b25a-0013d4b1cf3b}]
    shell\AutoRun\command - F:\fpdppr.exe
    shell\explore\command - F:\fpdppr.exe
    shell\open\command - F:\fpdppr.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a439044f-d1b5-11dd-b27a-0013d4b1cf3b}]
    shell\AutoRun\command - F:\****rz.exe
    shell\explore\command - F:\****rz.exe
    shell\open\command - F:\****rz.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1e20164-cd39-11dd-b26f-0013d4b1cf3b}]
    shell\AutoRun\command - F:\ctdddg.exe
    shell\explore\command - F:\ctdddg.exe
    shell\open\command - F:\ctdddg.exe
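The RSIT log above shows the two persistence mechanisms a helper would look for first: the HijackThis F2 line reports the Winlogon Shell value as "Explorer.exe csrcs.exe" (a clean XP install has only Explorer.exe there, so csrcs.exe is started with the shell on every logon), and the MountPoints2 keys are Explorer's cache of the autorun.inf handlers of removable drives that have been plugged in, each pointing at an executable in the root of F:. The following triage script is an added example, not code from the thread or from HijackThis/RSIT. It parses log lines in those two formats and flags both patterns; the sample input is constructed from the lines posted above, and the regular expressions, the Finding type and the kind names "shell_hijack"/"autorun" are this example's own choices.

```python
"""Triage helper for HijackThis / RSIT log excerpts.

Added example for this thread; it is not part of HijackThis, RSIT or any
post above. It flags two persistence mechanisms visible in the posted log:
  * an F2 "Shell=" line where the Winlogon shell is anything beyond
    Explorer.exe (the posted log shows "Shell=Explorer.exe csrcs.exe")
  * MountPoints2 entries whose AutoRun/open/explore command launches an
    executable from a drive root, i.e. the cached autorun.inf of a removable
    drive (the posted log shows F:\fpdppr.exe and F:\ctdddg.exe)
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the RSIT log posted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883b6a2e-ca4a-11dd-b25a-0013d4b1cf3b}]
shell\AutoRun\command - F:\fpdppr.exe
shell\explore\command - F:\fpdppr.exe
shell\open\command - F:\fpdppr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1e20164-cd39-11dd-b26f-0013d4b1cf3b}]
shell\AutoRun\command - F:\ctdddg.exe
shell\explore\command - F:\ctdddg.exe
shell\open\command - F:\ctdddg.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "shell_hijack" or "autorun" (names chosen for this example)
    detail: str


# HijackThis F2 line: the Winlogon Shell value as mapped from system.ini
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
# RSIT registry-dump header for one cached removable-drive GUID
MOUNTPOINT_RE = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[^}]+\})\]$", re.IGNORECASE
)
# The shell verbs RSIT prints under that key
AUTORUN_RE = re.compile(
    r"^shell\\(?P<verb>AutoRun|open|explore)\\command - (?P<cmd>.+)$", re.IGNORECASE
)
# An executable sitting directly in a drive root: the classic autorun.inf payload
DRIVE_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\[^\\]+\.exe$", re.IGNORECASE)


def analyze(log_text: str) -> List[Finding]:
    """Scan log text and return one Finding per suspicious item, in log order."""
    findings: List[Finding] = []
    seen = set()
    current_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current_key = None          # a blank line ends the registry block
            continue

        m = SHELL_RE.match(line)
        if m:
            # A clean XP system has exactly "Explorer.exe" here; every extra
            # token is a program Winlogon starts alongside the shell.
            extra = [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("shell_hijack", " ".join(extra)))
            continue

        m = MOUNTPOINT_RE.match(line)
        if m:
            current_key = m.group("key")
            continue

        m = AUTORUN_RE.match(line)
        if m and current_key:
            cmd = m.group("cmd").strip()
            # Report each (drive GUID, command) pair once even though RSIT
            # prints AutoRun, explore and open separately.
            if DRIVE_ROOT_EXE_RE.match(cmd) and (current_key, cmd) not in seen:
                seen.add((current_key, cmd))
                findings.append(Finding("autorun", f"{current_key} -> {cmd}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:13s} {f.detail}")
```

Run against the posted lines it reports one shell_hijack finding (csrcs.exe) and one autorun finding per cached drive GUID. The MountPoints2 entries only record what Explorer saw on the stick; the executables themselves live on the removable drive, so cleaning the PC without also cleaning (or not reconnecting) that drive leaves the reinfection path open.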
     
  7. 2008/12/25
    alfa032

    Part 2:

    ======List of files/folders created in the last 1 months======

    2008-12-25 10:40:03 ----D---- C:\rsit
    2008-12-24 11:18:18 ----A---- C:\ComboFix.txt
    2008-12-24 11:15:25 ----A---- C:\Boot.bak
    2008-12-24 11:15:23 ----RASHD---- C:\cmdcons
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\zip.exe
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\VFIND.exe
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\SWXCACLS.exe
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\SWSC.exe
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\SWREG.exe
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\sed.exe
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\NIRCMD.exe
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\grep.exe
    2008-12-24 10:39:53 ----A---- C:\WINDOWS\fdsv.exe
    2008-12-24 10:39:49 ----D---- C:\WINDOWS\ERDNT
    2008-12-24 10:39:49 ----D---- C:\Qoobox
    2008-12-23 11:01:48 ----SHD---- C:\FOUND.004
    2008-12-22 15:13:25 ----D---- C:\Program Files\Avira
    2008-12-22 15:13:25 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
    2008-12-22 15:12:46 ----D---- C:\Documents and Settings\All Users\Application Data\Avg8
    2008-12-22 13:27:39 ----D---- C:\Program Files\RegCure
    2008-12-22 12:12:48 ----SHD---- C:\FOUND.003
    2008-12-22 11:51:18 ----D---- C:\Program Files\Trend Micro
    2008-12-22 11:10:32 ----SHD---- C:\FOUND.002
    2008-12-22 11:01:46 ----D---- C:\WINDOWS\Minidump
    2008-12-22 11:01:20 ----SHD---- C:\FOUND.001
    2008-12-21 12:37:45 ----D---- C:\Documents and Settings\glava\Application Data\BitTorrent
    2008-12-21 12:37:13 ----D---- C:\Program Files\BitTorrent
    2008-12-21 12:00:37 ----A---- C:\WINDOWS\system32\xyzwm.ini
    2008-12-21 11:29:38 ----D---- C:\Documents and Settings\glava\Application Data\Kingston
    2008-12-20 16:32:10 ----D---- C:\Program Files\YouTube Downloader
    2008-12-17 13:22:06 ----D---- C:\WINDOWS\pss
    2008-12-17 12:02:29 ----SHD---- C:\Recycled
    2008-12-17 11:48:26 ----D---- C:\Documents and Settings\glava\Application Data\ABBYY
    2008-12-17 11:01:24 ----D---- C:\Program Files\Common Files\ABBYY
    2008-12-17 10:57:33 ----D---- C:\Program Files\ABBYY FineReader 9.0
    2008-12-17 10:57:33 ----D---- C:\Documents and Settings\All Users\Application Data\ABBYY
    2008-12-16 22:03:56 ----D---- C:\WINDOWS\Sun
    2008-12-16 21:55:03 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-12-16 21:55:03 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-12-16 21:55:03 ----A---- C:\WINDOWS\system32\java.exe
    2008-12-16 21:55:03 ----A---- C:\WINDOWS\system32\deploytk.dll
    2008-12-16 21:54:49 ----D---- C:\Program Files\Java
    2008-12-16 21:53:15 ----D---- C:\Documents and Settings\glava\Application Data\Sun
    2008-12-16 20:47:14 ----SHD---- C:\WINDOWS\ftpcache
    2008-12-16 16:36:17 ----A---- C:\WINDOWS\NeroDigital.ini
    2008-12-16 14:05:10 ----D---- C:\Documents and Settings\glava\Application Data\Ahead
    2008-12-16 14:03:45 ----D---- C:\Program Files\Nero
    2008-12-16 14:03:45 ----D---- C:\Program Files\Common Files\Ahead
    2008-12-15 14:59:00 ----HD---- C:\WINDOWS\$NtUninstallKB955839$
    2008-12-15 14:58:46 ----HD---- C:\WINDOWS\$NtUninstallKB956802$
    2008-12-15 14:58:38 ----HD---- C:\WINDOWS\$NtUninstallKB954600$
    2008-12-15 14:58:28 ----HD---- C:\WINDOWS\$NtUninstallKB952069_WM9$
    2008-12-15 14:58:21 ----HD---- C:\WINDOWS\$NtUninstallKB957097$
    2008-12-15 14:58:12 ----HD---- C:\WINDOWS\$NtUninstallKB954459$
    2008-12-15 14:58:03 ----HD---- C:\WINDOWS\$NtUninstallKB955069$
    2008-12-15 14:57:54 ----HD---- C:\WINDOWS\$NtUninstallKB958644$
    2008-12-15 14:57:46 ----HD---- C:\WINDOWS\$NtUninstallKB957095$
    2008-12-15 14:57:36 ----HD---- C:\WINDOWS\$NtUninstallKB956841$
    2008-12-15 14:57:27 ----HD---- C:\WINDOWS\$NtUninstallKB956803$
    2008-12-15 14:57:19 ----HD---- C:\WINDOWS\$NtUninstallKB956391$
    2008-12-15 14:57:10 ----HD---- C:\WINDOWS\$NtUninstallKB954211$
    2008-12-15 14:56:36 ----HD---- C:\WINDOWS\$NtUninstallKB938464$
    2008-12-15 14:56:28 ----HD---- C:\WINDOWS\$NtUninstallKB952287$
    2008-12-15 14:56:19 ----HD---- C:\WINDOWS\$NtUninstallKB950974$
    2008-12-15 14:56:11 ----HD---- C:\WINDOWS\$NtUninstallKB952954$
    2008-12-15 14:56:03 ----HD---- C:\WINDOWS\$NtUninstallKB946648$
    2008-12-15 14:55:55 ----HD---- C:\WINDOWS\$NtUninstallKB951066$
    2008-12-15 14:55:45 ----HD---- C:\WINDOWS\$NtUninstallKB951978$
    2008-12-15 14:55:36 ----HD---- C:\WINDOWS\$NtUninstallKB951698$
    2008-12-15 14:55:28 ----HD---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-12-15 14:55:20 ----HD---- C:\WINDOWS\$NtUninstallKB950762$
    2008-12-15 14:54:13 ----D---- C:\WINDOWS\ie7updates
    2008-12-15 14:53:40 ----D---- C:\WINDOWS\WBEM
    2008-12-15 14:52:21 ----HD---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
    2008-12-15 14:52:01 ----HD---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
    2008-12-15 14:49:26 ----A---- C:\WINDOWS\system32\MRT.exe
    2008-12-15 13:47:36 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-12-15 13:06:29 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-12-15 13:05:51 ----D---- C:\WINDOWS\system32\PreInstall
    2008-12-15 13:05:50 ----A---- C:\WINDOWS\system32\spupdsvc.exe
    2008-12-15 13:05:49 ----HD---- C:\WINDOWS\$NtUninstallKB898461$
    2008-12-15 13:05:49 ----HD---- C:\WINDOWS\$hf_mig$
    2008-12-15 13:05:43 ----N---- C:\WINDOWS\system32\spmsg.dll
    2008-12-15 12:54:12 ----D---- C:\WINDOWS\system32\SoftwareDistribution
    2008-12-15 12:54:12 ----A---- C:\WINDOWS\system32\wups2.dll
    2008-12-15 12:54:11 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
    2008-12-15 12:54:11 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
    2008-12-15 12:54:10 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
    2008-12-15 12:08:06 ----SHD---- C:\FOUND.000
    2008-12-15 10:56:16 ----HD---- C:\$AVG8.VAULT$
    2008-12-15 05:23:01 ----D---- C:\WINDOWS\system32\LogFiles
    2008-12-15 04:12:01 ----D---- C:\FBBM
    2008-12-15 03:56:14 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-12-15 03:56:08 ----D---- C:\Program Files\Common Files\Adobe
    2008-12-15 03:56:08 ----D---- C:\Program Files\Adobe
    2008-12-15 03:53:53 ----D---- C:\Program Files\Realtek Sound Manager
    2008-12-15 03:53:52 ----N---- C:\WINDOWS\avrack.ini
    2008-12-15 03:53:52 ----D---- C:\Program Files\AvRack
    2008-12-15 03:53:50 ----N---- C:\WINDOWS\system32\ChCfg.exe
    2008-12-15 03:53:50 ----A---- C:\WINDOWS\system32\RTLCPL.EXE
    2008-12-15 03:53:50 ----A---- C:\WINDOWS\system32\RtlCPAPI.dll
    2008-12-15 03:53:50 ----A---- C:\WINDOWS\SOUNDMAN.EXE
    2008-12-15 03:53:49 ----N---- C:\WINDOWS\alcupd.exe
    2008-12-15 03:53:49 ----N---- C:\WINDOWS\alcrmv.exe
    2008-12-15 03:51:26 ----A---- C:\WINDOWS\system32\msonpmon.dll
    2008-12-15 03:45:20 ----D---- C:\Program Files\Microsoft Works
    2008-12-15 03:44:54 ----D---- C:\Program Files\MSBuild
    2008-12-15 03:43:51 ----D---- C:\Program Files\Microsoft Visual Studio
    2008-12-15 03:43:50 ----D---- C:\Program Files\Common Files\DESIGNER
    2008-12-15 03:34:24 ----D---- C:\WINDOWS\SHELLNEW
    2008-12-15 03:33:22 ----D---- C:\Program Files\Microsoft Office
    2008-12-15 03:33:18 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-12-15 03:31:57 ----RHD---- C:\MSOCache
    2008-12-15 03:23:33 ----D---- C:\Documents and Settings\glava\Application Data\Macromedia
    2008-12-15 03:23:32 ----D---- C:\Documents and Settings\glava\Application Data\Adobe
    2008-12-15 03:21:28 ----D---- C:\Program Files\Caffe
    2008-12-15 03:20:21 ----D---- C:\Program Files\WinRAR
    2008-12-15 03:09:38 ----D---- C:\LinkMagic
    2008-12-15 03:09:35 ----A---- C:\WINDOWS\install.ini
    2008-12-15 03:09:34 ----A---- C:\WINDOWS\system32\SP701ASM.exe
    2008-12-15 03:09:34 ----A---- C:\WINDOWS\system32\SP701ALM.dll
    2008-12-15 03:09:33 ----N---- C:\WINDOWS\rmreg.exe
    2008-12-15 03:09:33 ----N---- C:\WINDOWS\Cm3.ini
    2008-12-15 03:09:33 ----A---- C:\WINDOWS\rmdrv98.exe
    2008-12-15 03:09:33 ----A---- C:\WINDOWS\rmdrv2k.exe
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\lttwn12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\ltkrn12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\ltimg12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\ltfil12n.DLL
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\ltefx12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\LTDIS12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\lftif12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\lftga12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\lfpcx12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\lfimg12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\lffax12n.dll
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\LFCMP12n.DLL
    2008-12-15 03:09:32 ----N---- C:\WINDOWS\system32\lfbmp12n.dll
    2008-12-15 03:09:31 ----D---- C:\Program Files\LINKMAGIC
    2008-12-15 03:09:30 ----HD---- C:\Program Files\InstallShield Installation Information
    2008-12-15 03:09:16 ----D---- C:\Program Files\Common Files\InstallShield
    2008-12-15 03:05:35 ----RA---- C:\WINDOWS\system32\kbdcr.dll
    2008-12-15 03:05:02 ----D---- C:\WINDOWS\system32\DRVSTORE
    2008-12-15 03:04:47 ----D---- C:\Program Files\MSN Messenger
    2008-12-15 03:03:33 ----D---- C:\Program Files\WinZip
    2008-12-15 02:58:39 ----D---- C:\Documents and Settings\glava\Application Data\Mozilla
    2008-12-15 02:57:49 ----D---- C:\Program Files\Mozilla Firefox
    2008-12-15 02:51:21 ----RA---- C:\WINDOWS\system32\Audio3D.dll
    2008-12-15 02:51:02 ----RA---- C:\WINDOWS\system32\a3d.dll
    2008-12-15 02:51:01 ----RA---- C:\WINDOWS\system32\udaprop.dll
    2008-12-15 02:51:01 ----RA---- C:\WINDOWS\system32\cmuda.dll
    2008-12-15 02:50:59 ----A---- C:\WINDOWS\system32\ksuser.dll
    2008-12-15 02:48:58 ----A---- C:\WINDOWS\Ascd_tmp.ini
    2008-12-15 02:43:10 ----D---- C:\Documents and Settings\glava\Application Data\Identities
    2008-12-15 02:43:08 ----HD---- C:\Program Files\Uninstall Information
    2008-12-15 02:42:56 ----ASH---- C:\Documents and Settings\glava\Application Data\desktop.ini
    2008-12-15 02:42:55 ----SD---- C:\Documents and Settings\glava\Application Data\Microsoft
    2008-12-15 02:41:49 ----SHD---- C:\System Volume Information
    2008-12-15 02:41:49 ----D---- C:\WINDOWS\SoftwareDistribution
    2008-12-15 02:40:42 ----D---- C:\WINDOWS\Prefetch
    2008-12-15 02:40:41 ----SD---- C:\WINDOWS\system32\Microsoft
    2008-12-15 02:40:41 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-12-15 02:33:46 ----D---- C:\WINDOWS\system32\xircom
    2008-12-15 02:33:46 ----D---- C:\Program Files\xerox
    2008-12-15 02:33:46 ----D---- C:\Program Files\microsoft frontpage
    2008-12-15 02:33:14 ----A---- C:\WINDOWS\control.ini
    2008-12-15 02:33:14 ----A---- C:\AUTOEXEC.BAT
    2008-12-15 02:32:56 ----A---- C:\WINDOWS\OEWABLog.txt
    2008-12-15 02:32:53 ----A---- C:\WINDOWS\system32\mapi32.dll
    2008-12-15 02:31:36 ----RD---- C:\WINDOWS\Offline Web Pages
    2008-12-15 02:31:35 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-12-15 02:31:35 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
    2008-12-15 02:31:26 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
    2008-12-15 02:31:20 ----HD---- C:\Program Files\WindowsUpdate
    2008-12-15 02:30:52 ----D---- C:\WINDOWS\system32\DirectX
    2008-12-15 02:30:42 ----A---- C:\WINDOWS\system32\atrace.dll
    2008-12-15 02:30:39 ----A---- C:\WINDOWS\system32\desktop.ini
    2008-12-15 02:30:39 ----A---- C:\WINDOWS\desktop.ini
    2008-12-15 02:30:31 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
    2008-12-15 02:30:30 ----A---- C:\WINDOWS\system32\acctres.dll
    2008-12-15 02:30:29 ----D---- C:\Program Files\Common Files\Services
    2008-12-15 02:30:25 ----SD---- C:\WINDOWS\Tasks
    2008-12-15 02:30:25 ----A---- C:\WINDOWS\system32\icfgnt5.dll
    2008-12-15 02:30:24 ----D---- C:\Program Files\Common Files\MSSoap
    2008-12-15 02:30:20 ----D---- C:\WINDOWS\srchasst
    2008-12-15 02:30:18 ----D---- C:\WINDOWS\system32\Macromed
    2008-12-15 02:30:15 ----A---- C:\WINDOWS\system32\wuweb.dll
    2008-12-15 02:30:15 ----A---- C:\WINDOWS\system32\wucltui.dll
    2008-12-15 02:30:15 ----A---- C:\WINDOWS\system32\wuauserv.dll
    2008-12-15 02:30:15 ----A---- C:\WINDOWS\system32\wuaueng1.dll
    2008-12-15 02:30:14 ----A---- C:\WINDOWS\system32\wups.dll
    2008-12-15 02:30:14 ----A---- C:\WINDOWS\system32\wuaueng.dll
    2008-12-15 02:30:14 ----A---- C:\WINDOWS\system32\wuauclt1.exe
    2008-12-15 02:30:14 ----A---- C:\WINDOWS\system32\wuauclt.exe
    2008-12-15 02:30:14 ----A---- C:\WINDOWS\system32\wuapi.dll
    2008-12-15 02:30:13 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
    2008-12-15 02:30:13 ----A---- C:\WINDOWS\system32\qmgr.dll
    2008-12-15 02:30:13 ----A---- C:\WINDOWS\system32\bitsprx4.dll
    2008-12-15 02:30:13 ----A---- C:\WINDOWS\system32\bitsprx3.dll
    2008-12-15 02:30:13 ----A---- C:\WINDOWS\system32\bitsprx2.dll
    2008-12-15 02:30:08 ----D---- C:\Program Files\Movie Maker
    2008-12-15 02:29:44 ----A---- C:\WINDOWS\system32\safrslv.dll
    2008-12-15 02:29:44 ----A---- C:\WINDOWS\system32\safrdm.dll
    2008-12-15 02:29:44 ----A---- C:\WINDOWS\system32\safrcdlg.dll
    2008-12-15 02:29:44 ----A---- C:\WINDOWS\system32\racpldlg.dll
    2008-12-15 02:29:39 ----A---- C:\WINDOWS\system32\fltMc.exe
    2008-12-15 02:29:39 ----A---- C:\WINDOWS\system32\fltlib.dll
    2008-12-15 02:29:38 ----D---- C:\WINDOWS\system32\Restore
    2008-12-15 02:29:38 ----A---- C:\WINDOWS\system32\srsvc.dll
    2008-12-15 02:29:38 ----A---- C:\WINDOWS\system32\srrstr.dll
    2008-12-15 02:29:38 ----A---- C:\WINDOWS\system32\srclient.dll
    2008-12-15 02:29:37 ----A---- C:\WINDOWS\system32\nmmkcert.dll
    2008-12-15 02:29:37 ----A---- C:\WINDOWS\system32\mnmdd.dll
    2008-12-15 02:29:37 ----A---- C:\WINDOWS\system32\isrdbg32.dll
    2008-12-15 02:29:37 ----A---- C:\WINDOWS\system32\ils.dll
    2008-12-15 02:29:36 ----A---- C:\WINDOWS\system32\msconf.dll
    2008-12-15 02:29:36 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
    2008-12-15 02:29:33 ----D---- C:\Program Files\NetMeeting
    2008-12-15 02:29:33 ----A---- C:\WINDOWS\system32\msoert2.dll
    2008-12-15 02:29:32 ----A---- C:\WINDOWS\system32\msoeacct.dll
    2008-12-15 02:29:31 ----A---- C:\WINDOWS\system32\inetres.dll
    2008-12-15 02:29:31 ----A---- C:\WINDOWS\system32\inetcomm.dll
    2008-12-15 02:29:28 ----D---- C:\Program Files\Outlook Express
    2008-12-15 02:29:28 ----A---- C:\WINDOWS\system32\schedsvc.dll
    2008-12-15 02:29:28 ----A---- C:\WINDOWS\system32\mstinit.exe
    2008-12-15 02:29:28 ----A---- C:\WINDOWS\system32\mstask.dll
    2008-12-15 02:29:28 ----A---- C:\WINDOWS\system32\icwphbk.dll
    2008-12-15 02:29:27 ----A---- C:\WINDOWS\system32\isign32.dll
    2008-12-15 02:29:27 ----A---- C:\WINDOWS\system32\inetcfg.dll
    2008-12-15 02:29:27 ----A---- C:\WINDOWS\system32\icwdial.dll
    2008-12-15 02:29:20 ----D---- C:\Program Files\Common Files\System
    2008-12-15 02:29:18 ----D---- C:\Program Files\Internet Explorer
    2008-12-15 02:28:11 ----D---- C:\Program Files\ComPlus Applications
    2008-12-15 02:28:10 ----A---- C:\WINDOWS\vbaddin.ini
    2008-12-15 02:28:10 ----A---- C:\WINDOWS\vb.ini
    2008-12-15 02:28:05 ----D---- C:\WINDOWS\Registration
    2008-12-15 02:27:59 ----D---- C:\Program Files\Online Services
    2008-12-15 02:27:58 ----D---- C:\Program Files\Windows Media Player
    2008-12-15 02:27:49 ----D---- C:\Program Files\Messenger
    2008-12-15 02:27:45 ----D---- C:\Program Files\MSN Gaming Zone
    2008-12-15 02:27:45 ----A---- C:\WINDOWS\system32\write.exe
    2008-12-15 02:27:32 ----A---- C:\WINDOWS\system32\sndvol32.exe
    2008-12-15 02:27:32 ----A---- C:\WINDOWS\system32\hticons.dll
    2008-12-15 02:27:32 ----A---- C:\WINDOWS\system32\avwav.dll
    2008-12-15 02:27:32 ----A---- C:\WINDOWS\system32\avmeter.dll
    2008-12-15 02:27:31 ----A---- C:\WINDOWS\system32\winchat.exe
    2008-12-15 02:27:31 ----A---- C:\WINDOWS\system32\avtapi.dll
    2008-12-15 02:27:22 ----A---- C:\WINDOWS\system32\getuname.dll
    2008-12-15 02:27:22 ----A---- C:\WINDOWS\system32\charmap.exe
    2008-12-15 02:27:22 ----A---- C:\WINDOWS\system32\calc.exe
    2008-12-15 02:27:21 ----A---- C:\WINDOWS\system32\winmine.exe
    2008-12-15 02:27:21 ----A---- C:\WINDOWS\system32\sol.exe
    2008-12-15 02:27:21 ----A---- C:\WINDOWS\system32\mshearts.exe
    2008-12-15 02:27:20 ----A---- C:\WINDOWS\system32\usrlogon.cmd
    2008-12-15 02:27:20 ----A---- C:\WINDOWS\system32\tsshutdn.exe
    2008-12-15 02:27:20 ----A---- C:\WINDOWS\system32\tslabels.ini
    2008-12-15 02:27:20 ----A---- C:\WINDOWS\system32\tskill.exe
    2008-12-15 02:27:20 ----A---- C:\WINDOWS\system32\tsdiscon.exe
    2008-12-15 02:27:20 ----A---- C:\WINDOWS\system32\tscon.exe
    2008-12-15 02:27:20 ----A---- C:\WINDOWS\system32\reset.exe
    2008-12-15 02:27:20 ----A---- C:\WINDOWS\system32\freecell.exe
    2008-12-15 02:27:19 ----A---- C:\WINDOWS\system32\shadow.exe
    2008-12-15 02:27:19 ----A---- C:\WINDOWS\system32\rwinsta.exe
    2008-12-15 02:27:19 ----A---- C:\WINDOWS\system32\regini.exe
    2008-12-15 02:27:19 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
    2008-12-15 02:27:19 ----A---- C:\WINDOWS\system32\qwinsta.exe
    2008-12-15 02:27:19 ----A---- C:\WINDOWS\system32\qappsrv.exe
    2008-12-15 02:27:19 ----A---- C:\WINDOWS\system32\msg.exe
    2008-12-15 02:27:19 ----A---- C:\WINDOWS\system32\logoff.exe
    2008-12-15 02:27:18 ----A---- C:\WINDOWS\system32\msdtcprf.ini
    2008-12-15 02:27:18 ----A---- C:\WINDOWS\system32\cdmodem.dll
    2008-12-15 02:27:11 ----A---- C:\WINDOWS\system32\wmimgmt.msc
    2008-12-15 02:26:59 ----D---- C:\Program Files\MSN
    2008-12-15 02:26:58 ----A---- C:\WINDOWS\system32\sndrec32.exe
    2008-12-15 02:26:58 ----A---- C:\WINDOWS\system32\mplay32.exe
    2008-12-15 02:26:58 ----A---- C:\WINDOWS\system32\accwiz.exe
    2008-12-15 02:26:57 ----D---- C:\Program Files\Windows NT
    2008-12-15 02:26:57 ----A---- C:\WINDOWS\system32\mspaint.exe
    2008-12-15 02:26:57 ----A---- C:\WINDOWS\system32\hypertrm.dll
    2008-12-15 02:26:56 ----A---- C:\WINDOWS\system32\spider.exe
    2008-12-15 02:26:56 ----A---- C:\WINDOWS\system32\clipbrd.exe
    2008-12-15 02:26:55 ----D---- C:\WINDOWS\system32\en-US
    2008-12-15 02:26:55 ----A---- C:\WINDOWS\system32\tsgqec.dll
    2008-12-15 02:26:55 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
    2008-12-15 02:26:54 ----A---- C:\WINDOWS\system32\rhttpaa.dll
    2008-12-15 02:26:54 ----A---- C:\WINDOWS\system32\aaclient.dll
    2008-12-15 02:26:53 ----A---- C:\WINDOWS\system32\sessmgr.exe
    2008-12-15 02:26:53 ----A---- C:\WINDOWS\system32\remotepg.dll
    2008-12-15 02:26:53 ----A---- C:\WINDOWS\system32\rdshost.exe
    2008-12-15 02:26:53 ----A---- C:\WINDOWS\system32\rdsaddin.exe
    2008-12-15 02:26:53 ----A---- C:\WINDOWS\system32\mstscax.dll
    2008-12-15 02:26:53 ----A---- C:\WINDOWS\system32\mstsc.exe
    2008-12-15 02:26:52 ----A---- C:\WINDOWS\system32\termsrv.dll
    2008-12-15 02:26:52 ----A---- C:\WINDOWS\system32\rdpwsx.dll
    2008-12-15 02:26:52 ----A---- C:\WINDOWS\system32\rdpsnd.dll
    2008-12-15 02:26:52 ----A---- C:\WINDOWS\system32\rdpclip.exe
    2008-12-15 02:26:52 ----A---- C:\WINDOWS\system32\rdchost.dll
    2008-12-15 02:26:52 ----A---- C:\WINDOWS\system32\qprocess.exe
    2008-12-15 02:26:52 ----A---- C:\WINDOWS\system32\icaapi.dll
    2008-12-15 02:26:51 ----D---- C:\WINDOWS\system32\MsDtc
    2008-12-15 02:26:51 ----A---- C:\WINDOWS\system32\mtxoci.dll
    2008-12-15 02:26:51 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
    2008-12-15 02:26:51 ----A---- C:\WINDOWS\system32\msdtcprx.dll
    2008-12-15 02:26:51 ----A---- C:\WINDOWS\system32\cfgbkend.dll
    2008-12-15 02:26:50 ----A---- C:\WINDOWS\system32\xolehlp.dll
    2008-12-15 02:26:50 ----A---- C:\WINDOWS\system32\msdtctm.dll
    2008-12-15 02:26:50 ----A---- C:\WINDOWS\system32\msdtclog.dll
    2008-12-15 02:26:50 ----A---- C:\WINDOWS\system32\msdtc.exe
    2008-12-15 02:26:49 ----A---- C:\WINDOWS\system32\mtxlegih.dll
    2008-12-15 02:26:49 ----A---- C:\WINDOWS\system32\mtxex.dll
    2008-12-15 02:26:49 ----A---- C:\WINDOWS\system32\mtxdm.dll
    2008-12-15 02:26:49 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
    2008-12-15 02:26:48 ----D---- C:\WINDOWS\system32\Com
    2008-12-15 02:26:48 ----A---- C:\WINDOWS\system32\stclient.dll
    2008-12-15 02:26:48 ----A---- C:\WINDOWS\system32\comrepl.dll
    2008-12-15 02:26:48 ----A---- C:\WINDOWS\system32\comaddin.dll
    2008-12-15 02:26:48 ----A---- C:\WINDOWS\system32\colbact.dll
    2008-12-15 02:26:48 ----A---- C:\WINDOWS\system32\clbcatex.dll
    2008-12-15 02:26:48 ----A---- C:\WINDOWS\system32\catsrvps.dll
    2008-12-15 02:26:47 ----A---- C:\WINDOWS\system32\comsvcs.dll
    2008-12-15 02:26:47 ----A---- C:\WINDOWS\system32\catsrvut.dll
    2008-12-15 02:26:47 ----A---- C:\WINDOWS\system32\catsrv.dll
    2008-12-15 02:26:46 ----A---- C:\WINDOWS\system32\comuid.dll
    2008-12-15 02:26:46 ----A---- C:\WINDOWS\system32\comsnap.dll
    2008-12-15 02:26:46 ----A---- C:\WINDOWS\system32\clbcatq.dll
    2008-12-15 02:26:38 ----A---- C:\WINDOWS\system32\servdeps.dll
    2008-12-15 02:26:38 ----A---- C:\WINDOWS\system32\mmfutil.dll
    2008-12-15 02:26:38 ----A---- C:\WINDOWS\system32\licwmi.dll
    2008-12-15 02:26:38 ----A---- C:\WINDOWS\system32\cmprops.dll
    2008-12-15 02:24:15 ----A---- C:\WINDOWS\system32\h323log.txt
    2008-12-15 02:19:34 ----A---- C:\WINDOWS\system32\nv4_disp.dll
    2008-12-15 02:19:26 ----A---- C:\WINDOWS\system32\usbui.dll
    2008-12-15 02:18:04 ----A---- C:\WINDOWS\imsins.BAK
    2008-12-15 02:18:01 ----SHD---- C:\WINDOWS\Installer
    2008-12-15 02:18:01 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-12-15 02:18:00 ----D---- C:\Program Files\Common Files\ODBC
    2008-12-15 02:18:00 ----A---- C:\WINDOWS\ODBCINST.INI
    2008-12-15 02:17:56 ----D---- C:\Program Files\Common Files\SpeechEngines
    2008-12-15 02:17:55 ----RD---- C:\Program Files
    2008-12-15 02:17:55 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2008-12-15 02:17:55 ----D---- C:\Program Files\Common Files
    2008-12-15 02:17:45 ----A---- C:\WINDOWS\system32\irclass.dll
    2008-12-15 02:17:45 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
    2008-12-15 02:17:44 ----A---- C:\WINDOWS\system32\spxcoins.dll
    2008-12-15 02:17:44 ----A---- C:\WINDOWS\system32\EqnClass.Dll
    2008-12-15 02:17:44 ----A---- C:\WINDOWS\system32\dgsetup.dll
    2008-12-15 02:17:41 ----N---- C:\WINDOWS\system32\CONFIG.TMP
    2008-12-15 02:17:41 ----A---- C:\WINDOWS\TASKMAN.EXE
    2008-12-15 02:17:41 ----A---- C:\WINDOWS\system32\batt.dll
    2008-12-15 02:17:40 ----A---- C:\WINDOWS\NOTEPAD.EXE
    2008-12-15 02:17:36 ----A---- C:\WINDOWS\system32\storprop.dll
    2008-12-15 02:17:27 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
    2008-12-15 02:15:19 ----RA---- C:\WINDOWS\SET8.tmp
    2008-12-15 02:15:17 ----RA---- C:\WINDOWS\SET4.tmp
    2008-12-15 02:15:15 ----RA---- C:\WINDOWS\SET3.tmp
    2008-12-15 02:15:09 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-12-15 02:15:09 ----D---- C:\WINDOWS\system32\CatRoot
    2008-12-15 02:15:03 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-12-15 02:14:44 ----A---- C:\WINDOWS\setuplog.txt
    2008-12-15 02:14:41 ----D---- C:\Documents and Settings
    2008-12-15 02:14:10 ----RASH---- C:\boot.ini
    2008-12-15 02:09:47 ----RSHD---- C:\WINDOWS\system32\dllcache
    2008-12-15 02:09:47 ----RSD---- C:\WINDOWS\Fonts
    2008-12-15 02:09:47 ----RD---- C:\WINDOWS\Web
    2008-12-15 02:09:47 ----HD---- C:\WINDOWS\inf
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\WinSxS
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\twain_32
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Temp
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\wins
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\wbem
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\usmt
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\spool
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\ShellExt
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\Setup
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\scripting
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\ras
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\oobe
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\npp
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\mui
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\inetsrv
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\IME
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\icsxml
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\ias
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\export
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\en
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\drivers
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\dhcp
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\config
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\3com_dmi
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\3076
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\2052
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\1054
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\1042
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\1041
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\1037
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\1033
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\1031
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\1028
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32\1025
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system32
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\system
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\security
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Resources
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\repair
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Provisioning
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\PeerNet
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\pchealth
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\NLDRV
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Network Diagnostic
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\mui
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\msapps
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\msagent
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Media
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\L2Schemas
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\java
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\ime
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Help
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\ehome
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Driver Cache
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Debug
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Cursors
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Connection Wizard
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\Config
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\AppPatch
    2008-12-15 02:09:47 ----D---- C:\WINDOWS\addins
    2008-12-15 02:09:47 ----D---- C:\WINDOWS

    ======List of files/folders modified in the last 1 months======

    2008-12-24 11:17:28 ----A---- C:\WINDOWS\system.ini
    2008-12-17 13:29:44 ----A---- C:\WINDOWS\win.ini

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
    R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
    R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
    R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-11-17 2297664]
    R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
    R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12160]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-04-13 1897408]
    R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2008-04-13 32768]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
    S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
    S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
    S3 catchme;catchme; \??\C:\DOCUME~1\glava\LOCALS~1\Temp\catchme.sys []
    S3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2002-11-01 451599]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
    S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service; C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
    R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
    R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-16 152984]
    S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
    S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

    -----------------EOF-----------------
     
  8. 2008/12/25
    alfa032

    alfa032 Inactive Thread Starter

    Joined:
    2008/09/24
    Messages:
    11
    Likes Received:
    0
    info.txt:

    info.txt logfile of random's system information tool 1.05 2008-12-25 10:40:15

    ======Uninstall list======

    -->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
    -->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
    -->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
    -->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
    -->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
    -->C:\WINDOWS\UNRecode.exe /UNINSTALL
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    ABBYY FineReader 9.0 Professional Edition-->MsiExec.exe /I{F9000000-0001-0000-0000-074957833700}
    Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
    Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
    Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
    Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
    Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
    Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
    Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
    Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
    Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
    Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
    Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
    Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
    Microsoft Office Proof (Croatian) 2007-->MsiExec.exe /X{90120000-001F-041A-0000-0000000FF1CE}
    Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
    Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
    Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
    Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
    Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
    Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
    Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    Nero 7 Demo-->MsiExec.exe /I{D3492D9E-7FBB-1DF6-F759-2A37FA231033}
    PagePro 1380 MF-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF8EC04D-9544-11D9-AAFC-0050BA1ACA6F}\setup.exe"
    Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
    RegCure 1.5.0.0-->C:\Program Files\RegCure\uninst.exe
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
    WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
    WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

    ======Security center information======

    AV: Avira AntiVir PersonalEdition

    System event log

    Computer Name: SERVER
    Event Code: 1007
    Message: Your computer has automatically configured the IP address for the Network
    Card with network address 0013D4B1CF3B. The IP address being used is 169.254.233.122.

    Record Number: 5
    Source Name: Dhcp
    Time Written: 20081215022554.000000+060
    Event Type: warning
    User:

    Computer Name: SERVER
    Event Code: 6011
    Message: The NetBIOS name and DNS host name of this machine have been changed from MACHINENAME to SERVER.

    Record Number: 4
    Source Name: EventLog
    Time Written: 20081215022436.000000+060
    Event Type: information
    User:

    Computer Name: MACHINENAME
    Event Code: 2
    Message: While validating that \Device\Serial0 was really a serial port, a fifo was detected. The fifo will be used.

    Record Number: 3
    Source Name: Serial
    Time Written: 20081215031507.000000+060
    Event Type: information
    User:

    Computer Name: MACHINENAME
    Event Code: 6005
    Message: The Event log service was started.

    Record Number: 2
    Source Name: EventLog
    Time Written: 20081215031446.000000+060
    Event Type: information
    User:

    Computer Name: MACHINENAME
    Event Code: 6009
    Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.

    Record Number: 1
    Source Name: EventLog
    Time Written: 20081215031446.000000+060
    Event Type: information
    User:

    Application event log

    Computer Name: SERVER
    Event Code: 1000
    Message: Performance counters for the MSDTC (MSDTC) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 5
    Source Name: LoadPerf
    Time Written: 20081215022801.000000+060
    Event Type: information
    User:

    Computer Name: SERVER
    Event Code: 1000
    Message: Performance counters for the TermService (Terminal Services) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 4
    Source Name: LoadPerf
    Time Written: 20081215022758.000000+060
    Event Type: information
    User:

    Computer Name: SERVER
    Event Code: 1000
    Message: Performance counters for the RemoteAccess (Routing and Remote Access) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 3
    Source Name: LoadPerf
    Time Written: 20081215022620.000000+060
    Event Type: information
    User:

    Computer Name: SERVER
    Event Code: 1000
    Message: Performance counters for the PSched (PSched) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 2
    Source Name: LoadPerf
    Time Written: 20081215022603.000000+060
    Event Type: information
    User:

    Computer Name: SERVER
    Event Code: 1000
    Message: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 1
    Source Name: LoadPerf
    Time Written: 20081215022449.000000+060
    Event Type: information
    User:

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
    "PROCESSOR_REVISION"=0102
    "NUMBER_OF_PROCESSORS"=1
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP

    -----------------EOF-----------------
     
  9. 2008/12/25
    alfa032

    alfa032 Inactive Thread Starter

    Joined:
    2008/09/24
    Messages:
    11
    Likes Received:
    0
    Where is part 1? :)
     
  10. 2008/12/25
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    You are OK. We have all the info needed! :)

    Please open Notepad (Start > Run > in the Open field type: notepad)
    Click: OK

    Copy/paste the entire text inside the code box below to Notepad:

    Code:
    File::
    F:\ctdddg.exe
    F:\fpdppr.exe
    F:\****rz.exe
    Registry::
    [-HKEY_CURRENT_USER\software\Microsoft\windows\currentversion\explorer\mountpoints2\{883b6a2e-ca4a-11dd-b25a-0013d4b1cf3b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a439044f-d1b5-11dd-b27a-0013d4b1cf3b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1e20164-cd39-11dd-b26f-0013d4b1cf3b}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="Explorer.exe"

    Save as CFScript.txt <-Important!!
    Change the Save as type to: All Files
    Save it to the Desktop.

    Now, on the Desktop, using the left mouse button,
    drag the CFScript.txt onto >>> ComboFix.exe, and drop it.

    ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

    CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

    When finished, a log is produced: ComboFix.txt

    ~~~~
    Run HijackThis once again to obtain a new log.

    ~~~~
    Please provide the contents of the ComboFix.txt, and the new HijackThis log in your reply.
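The CFScript above has a small, regular format: a File:: section listing files to delete, and a Registry:: section in registry-export syntax, where [-KEY] removes a key and [KEY] followed by "Name"="Value" lines sets values under that key. As an added example (not part of Aaflac's post and not ComboFix's own code), this Python parser turns such a script into a reviewable action list, so a user can see exactly what a script will do before dropping it on ComboFix; the sample input is the script from the post, while the "Name"=- delete-value form and the error handling are assumptions of this example.

```python
"""Turn a ComboFix CFScript into a reviewable list of actions.

Added example; not part of the forum post and not ComboFix code. It reads
the two sections shown in the thread, File:: and Registry::, with the
Registry:: body in regedit-export syntax (assumed for this example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The script from the post above, used here as sample input
# (the censored file name is kept exactly as the forum shows it).
SAMPLE_CFSCRIPT = r"""File::
F:\ctdddg.exe
F:\fpdppr.exe
F:\****rz.exe
Registry::
[-HKEY_CURRENT_USER\software\Microsoft\windows\currentversion\explorer\mountpoints2\{883b6a2e-ca4a-11dd-b25a-0013d4b1cf3b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a439044f-d1b5-11dd-b27a-0013d4b1cf3b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1e20164-cd39-11dd-b26f-0013d4b1cf3b}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"""

SECTION_RE = re.compile(r"^(\w+)::$")            # e.g. File:: / Registry::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "Name"=data
SUPPORTED_SECTIONS = ("file", "registry")         # only these two are handled here


@dataclass(frozen=True)
class Action:
    kind: str                     # delete_file | delete_key | set_value | delete_value
    target: str                   # file path or registry key
    name: Optional[str] = None    # value name for set_value / delete_value
    value: Optional[object] = None


def _parse_reg_data(data: str):
    """Decode the data half of a "Name"=data line; returns (value, kind)."""
    if data == "-":                               # regedit convention: delete the value
        return None, "delete_value"
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        text = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        return text, "set_value"
    raise ValueError(f"unsupported registry data: {data!r}")


def parse_cfscript(text: str) -> List[Action]:
    """Parse the script; malformed or unsupported lines raise ValueError."""
    actions: List[Action] = []
    section = current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            if section not in SUPPORTED_SECTIONS:
                raise ValueError(f"line {lineno}: unsupported section {line!r}")
            continue
        if section == "file":                     # every line is a path to delete
            actions.append(Action("delete_file", line))
            continue
        m = KEY_RE.match(line) if section == "registry" else None
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(Action("delete_key", key))
                current_key = None                # values cannot follow a deleted key
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line) if section == "registry" else None
        if m and current_key:
            name, data = m.groups()
            value, kind = _parse_reg_data(data)
            actions.append(Action(kind, current_key, name, value))
            continue
        raise ValueError(f"line {lineno}: cannot interpret {line!r}")
    return actions


def describe(action: Action) -> str:
    """One human-readable line per action, for review before running."""
    if action.kind == "delete_file":
        return f"delete file   {action.target}"
    if action.kind == "delete_key":
        return f"delete key    {action.target}"
    if action.kind == "delete_value":
        return f"delete value  {action.name!r} under {action.target}"
    return f"set value     {action.name!r} = {action.value!r} under {action.target}"


if __name__ == "__main__":
    for action in parse_cfscript(SAMPLE_CFSCRIPT):
        print(describe(action))
```

Run against the posted script it lists three file deletions, five key deletions and one value set; a script with a stray line outside a section, or an unknown section, is rejected rather than silently partially applied.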
     
  11. 2008/12/26
    alfa032

    alfa032 Inactive Thread Starter

    Joined:
    2008/09/24
    Messages:
    11
    Likes Received:
    0
    ComboFix 08-12-21.04 - glava 2008-12-26 11:20:33.3 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.212 [GMT 1:00]
    Running from: c:\documents and settings\glava\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\glava\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    F:\ctdddg.exe
    F:\fpdppr.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\csrcs.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
    .

    2008-12-26 11:06 . 2008-12-26 11:06 5,503 --a----t- c:\documents and settings\glava\3440.DAT
    2008-12-25 10:40 . 2008-12-25 10:40 <DIR> d-------- C:\rsit
    2008-12-23 11:01 . 2008-12-23 11:01 <DIR> d--hs---- C:\FOUND.004
    2008-12-22 15:33 . 2008-12-22 15:33 230 --a------ c:\windows\system32\spupdsvc.inf
    2008-12-22 15:13 . 2008-12-22 15:13 <DIR> d-------- c:\program files\Avira
    2008-12-22 15:13 . 2008-12-22 15:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2008-12-22 15:12 . 2008-12-22 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2008-12-22 13:27 . 2008-12-22 13:27 <DIR> d-------- c:\program files\RegCure
    2008-12-22 12:26 . 2008-12-22 12:26 0 -rahs---- C:\khs
    2008-12-22 12:12 . 2008-12-22 12:12 <DIR> d--hs---- C:\FOUND.003
    2008-12-22 11:51 . 2008-12-22 11:51 <DIR> d-------- c:\program files\Trend Micro
    2008-12-22 11:12 . 2008-12-22 11:12 5,503 --a------ c:\documents and settings\glava\12600.DAT
    2008-12-22 11:10 . 2008-12-22 11:10 <DIR> d--hs---- C:\FOUND.002
    2008-12-22 11:07 . 2008-12-22 12:18 2 --a------ C:\942549858
    2008-12-22 11:03 . 2008-12-22 11:03 5,503 --a------ c:\documents and settings\glava\10720.DAT
    2008-12-22 11:01 . 2008-12-22 11:01 <DIR> d--hs---- C:\FOUND.001
    2008-12-22 10:54 . 2008-12-22 10:54 5,503 --a------ c:\documents and settings\glava\10400.DAT
    2008-12-21 12:37 . 2008-12-21 12:37 <DIR> d-------- c:\program files\BitTorrent
    2008-12-21 12:37 . 2008-12-21 12:37 <DIR> d-------- c:\documents and settings\glava\Application Data\BitTorrent
    2008-12-21 12:00 . 2008-12-21 20:11 112 --a------ c:\windows\system32\xyzwm.ini
    2008-12-21 11:29 . 2008-12-21 11:29 <DIR> d-------- c:\documents and settings\glava\Application Data\Kingston
    2008-12-20 16:32 . 2008-12-20 16:32 <DIR> d-------- c:\program files\YouTube Downloader
    2008-12-18 14:11 . 2008-12-18 14:11 <DIR> d-------- c:\documents and settings\glava\Contacts
    2008-12-17 12:02 . 2008-12-17 12:02 <DIR> d--hs---- C:\Recycled
    2008-12-17 11:48 . 2008-12-17 11:48 <DIR> d-------- c:\documents and settings\glava\Application Data\ABBYY
    2008-12-17 11:01 . 2008-12-17 11:01 <DIR> d-------- c:\program files\Common Files\ABBYY
    2008-12-17 10:57 . 2008-12-17 10:57 <DIR> d-------- c:\program files\ABBYY FineReader 9.0
    2008-12-17 10:57 . 2008-12-17 10:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\ABBYY
    2008-12-17 10:32 . 2008-12-17 10:32 5,503 --a------ c:\documents and settings\glava\2560.DAT
    2008-12-16 22:03 . 2008-12-16 22:03 <DIR> d-------- c:\windows\Sun
    2008-12-16 21:55 . 2008-12-16 21:54 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-16 21:55 . 2008-12-16 21:54 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-16 21:54 . 2008-12-16 21:54 <DIR> d-------- c:\program files\Java
    2008-12-16 20:47 . 2008-12-16 20:47 <DIR> d--hs---- c:\windows\ftpcache
    2008-12-16 16:36 . 2008-12-20 16:43 116 --a------ c:\windows\NeroDigital.ini
    2008-12-16 14:05 . 2008-12-16 14:05 <DIR> d-------- c:\documents and settings\glava\Application Data\Ahead
    2008-12-16 14:03 . 2008-12-16 14:03 <DIR> d-------- c:\program files\Nero
    2008-12-16 14:03 . 2008-12-16 14:03 <DIR> d-------- c:\program files\Common Files\Ahead
    2008-12-16 10:44 . 2008-12-16 10:44 1,454 -rahs---- c:\windows\system32\autorun.in
    2008-12-16 10:44 . 2008-12-16 10:44 1,304 -rahs---- c:\windows\system32\autorun.i
    2008-12-15 14:54 . 2008-10-16 21:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
    2008-12-15 14:54 . 2008-10-16 21:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
    2008-12-15 14:53 . 2008-10-16 21:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
    2008-12-15 14:53 . 2007-04-17 10:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
    2008-12-15 14:53 . 2007-03-08 06:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
    2008-12-15 14:53 . 2008-10-16 21:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
    2008-12-15 14:53 . 2008-10-16 21:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
    2008-12-15 14:53 . 2008-10-16 21:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
    2008-12-15 14:53 . 2008-10-16 14:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-15 14:34 . 2008-10-24 12:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-15 14:33 . 2008-08-14 11:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-15 14:33 . 2008-08-14 11:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-15 14:33 . 2008-08-14 10:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-15 14:33 . 2008-08-14 10:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-15 13:47 . 2008-12-15 13:48 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-15 13:41 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
    2008-12-15 13:41 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
    2008-12-15 13:05 . 2008-12-15 13:05 <DIR> d--h----- c:\windows\$hf_mig$
    2008-12-15 13:05 . 2006-09-06 17:43 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2008-12-15 12:54 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
    2008-12-15 12:54 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-15 12:54 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-15 12:54 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-15 12:54 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-15 12:51 . 2008-12-15 12:51 <DIR> d---s---- c:\documents and settings\glava\UserData
    2008-12-15 12:08 . 2008-12-15 12:08 <DIR> d--hs---- C:\FOUND.000
    2008-12-15 12:00 . 2008-12-15 12:00 5,503 --a------ c:\documents and settings\glava\13360.DAT
    2008-12-15 10:56 . 2008-12-15 10:56 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-15 05:23 . 2008-12-15 05:23 <DIR> d-------- c:\windows\system32\LogFiles
    2008-12-15 04:13 . 2008-12-26 11:06 495 --a------ c:\windows\system32\SP701ASM.dat
    2008-12-15 04:12 . 2008-12-15 04:12 <DIR> d-------- C:\FBBM
    2008-12-15 03:56 . 2008-12-15 03:56 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-12-15 03:53 . 2008-12-15 03:53 <DIR> d-------- c:\program files\Realtek Sound Manager
    2008-12-15 03:53 . 2008-12-15 03:53 <DIR> d-------- c:\program files\AvRack
    2008-12-15 03:53 . 2004-11-17 16:08 16,162,816 --a------ c:\windows\system32\ALSNDMGR.CPL
    2008-12-15 03:53 . 2004-11-17 16:11 9,319,936 --a------ c:\windows\system32\RTLCPL.EXE
    2008-12-15 03:53 . 2004-11-17 19:05 2,297,664 --a------ c:\windows\system32\drivers\ALCXWDM.SYS
    2008-12-15 03:53 . 2004-11-05 16:29 208,896 --------- c:\windows\alcupd.exe
    2008-12-15 03:53 . 2004-09-07 14:23 156,672 --a------ c:\windows\system32\RtlCPAPI.dll
    2008-12-15 03:53 . 2002-02-05 13:54 141,016 --a------ c:\windows\system32\ALSNDMGR.WAV
    2008-12-15 03:53 . 2004-09-01 20:04 139,264 --------- c:\windows\alcrmv.exe
    2008-12-15 03:53 . 2004-11-15 18:20 77,824 --a------ c:\windows\SOUNDMAN.EXE
    2008-12-15 03:53 . 2004-10-27 15:47 40,960 --------- c:\windows\system32\ChCfg.exe
    2008-12-15 03:53 . 2005-01-14 14:07 744 --------- c:\windows\system32\drivers\alcxinit.dat
    2008-12-15 03:53 . 2001-07-06 00:19 164 --------- c:\windows\avrack.ini
    2008-12-15 03:51 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
    2008-12-15 03:45 . 2008-12-15 03:45 <DIR> d-------- c:\program files\Microsoft Works
    2008-12-15 03:44 . 2008-12-15 03:44 <DIR> d-------- c:\program files\MSBuild
    2008-12-15 03:34 . 2008-12-15 03:34 <DIR> d-------- c:\windows\SHELLNEW
    2008-12-15 03:33 . 2008-12-15 03:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-15 03:31 . 2008-12-15 03:31 <DIR> dr-h----- C:\MSOCache
    2008-12-15 03:21 . 2008-12-15 03:21 <DIR> d-------- c:\program files\Caffe
    2008-12-15 03:17 . 2008-04-14 06:42 741,376 --a------ c:\windows\system32\dllcache\sapi.dll
    2008-12-15 03:17 . 2008-04-14 06:42 155,648 --a------ c:\windows\system32\dllcache\sapi.cpl
    2008-12-15 03:10 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2008-12-15 03:10 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d-------- c:\program files\LINKMAGIC
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d--h----- c:\program files\InstallShield Installation Information
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d-------- c:\program files\Common Files\InstallShield
    2008-12-15 03:05 . 2008-12-15 03:05 <DIR> d-------- c:\windows\system32\DRVSTORE
    2008-12-15 03:05 . 2004-12-02 10:00 6,656 -ra------ c:\windows\system32\kbdcr.dll
    2008-12-15 03:05 . 2008-12-15 03:06 268 --ah----- C:\sqmdata00.sqm
    2008-12-15 03:05 . 2008-12-15 03:06 244 --ah----- C:\sqmnoopt00.sqm
    2008-12-15 03:04 . 2008-12-15 03:04 <DIR> d-------- c:\program files\MSN Messenger

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-15 01:33 --------- d-----w c:\program files\microsoft frontpage
    2008-11-07 15:45 2,174,976 ----a-w c:\windows\system32\dllcache\WMVCore.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 13:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 13:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 13:12 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 13:12 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 13:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 13:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 13:07 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-24_10.45.05.78 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-12-26 10:06:10 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_1e8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Caffe-Server "= "c:\program files\Caffe\Server.exe" [2008-12-15 2087424]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
    "avgnt "= "c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "SoundMan "= "SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LINKMAGIC.lnk]
    backup=c:\windows\pss\LINKMAGIC.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2005-11-24 15:38 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Program Files\\Caffe\\Server.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\groove.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=

    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service; "c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe" -service [2007-12-06 660768]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; "c:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c34ad8c-d275-11dd-b27b-0013d4b1cf3b}]
    \Shell\AutoRun\command - F:\ctdddg.exe
    \Shell\explore\Command - F:\ctdddg.exe
    \Shell\open\Command - F:\ctdddg.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-22 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]

    2008-12-26 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ba/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {0A852589-AE34-48DA-8B29-892DC13BF279} = 195.222.32.10 195.222.32.20
    TCP: {9AD6BE85-45CB-4571-B310-C6C7019543CD} = 195.222.32.10,195.222.32.20
    FF - ProfilePath - c:\documents and settings\glava\Application Data\Mozilla\Firefox\Profiles\bfu5bsg1.default\
    FF - prefs.js: browser.startup.homepage - www.google.ba
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-26 11:22:20
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-26 11:23:11
    ComboFix-quarantined-files.txt 2008-12-26 10:23:10
    ComboFix3.txt 2008-12-24 09:45:46
    ComboFix2.txt 2008-12-24 10:18:20

    Pre-Run: 6,425,149,440 bytes free
    Post-Run: 6,422,429,696 bytes free

    227


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:36:55, on 26.12.2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Caffe\Server.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Caffe-Server] C:\Program Files\Caffe\Server.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1229341992953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1229341973875
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A852589-AE34-48DA-8B29-892DC13BF279}: NameServer = 195.222.32.10 195.222.32.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AD6BE85-45CB-4571-B310-C6C7019543CD}: NameServer = 195.222.32.10,195.222.32.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0A852589-AE34-48DA-8B29-892DC13BF279}: NameServer = 195.222.32.10 195.222.32.20
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 5306 bytes
     
  12. 2008/12/26
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Please download Flash_Disinfector
    Save it to the Desktop.

    Double-click Flash_Disinfector.exe to run it and follow any prompts that appear.

    The utility asks you to insert your flash drives.
    Plug in your USB pen/flash drives, and allow the utility to clean them up.
    Wait until the program has finished scanning and then exit the program.
    Re-start the computer when done.

    Flash_Disinfector creates a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when the program is run. Don't delete this folder...it will help protect your drives from future infection.


    ~~~~
    Next, open Notepad once again.
    Copy/paste the entire text inside the code box below to Notepad:

    Code:
    File::
    F:\ctdddg.exe
    Registry::
    [-HKEY_CURRENT_USER\software\Microsoft\windows\currentversion\explorer\mountpoints2\{9c34ad8c-d275-11dd-b27b-0013d4b1cf3b}]
    Save as CFScript.txt <-Important!!
    Change the Save as type to: All Files
    Save it to the Desktop.

    Now, on the Desktop, using the left mouse button,
    drag the CFScript.txt onto >>> ComboFix.exe, and drop it.

    ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

    CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.


    Please provide the new ComboFix.txt in your reply.
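The protective folder Flash_Disinfector creates works because a drive root cannot hold both a directory and a file named autorun.inf, so a worm that tries to drop its autorun.inf fails. The Python below is an added example, not Flash_Disinfector's code and not from this thread: it classifies a drive root as absent, infected (an autorun.inf file, whose launch targets it extracts so they can be compared with the log), or protected, and then creates the protective folder in a throwaway directory standing in for a USB root. The function names, the sample autorun.inf text and the dropper name it points at are the example's own assumptions, and it does not reproduce whatever the tool does to make the folder hard to delete.

```python
"""Inspect and protect a drive root against autorun.inf abuse.
Added example; not Flash_Disinfector's code. Function names and the
constructed autorun.inf content are assumptions made for illustration."""
import os
import tempfile

# Keys in the [autorun] section that name something to execute.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_targets(text):
    """Return launch targets from an autorun.inf body: open=, shellexecute=
    and shell\\<verb>\\command= values in the [autorun] section."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        lname = name.lower()
        if lname in LAUNCH_KEYS or (lname.startswith("shell\\") and lname.endswith("\\command")):
            targets.append(value)
    return targets


def inspect_drive_root(root):
    """Classify <root>\\autorun.inf: 'absent', 'file' (with its targets) or 'protected'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return {"state": "protected", "targets": []}
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            return {"state": "file", "targets": parse_autorun_targets(fh.read())}
    return {"state": "absent", "targets": []}


def protect_drive_root(root):
    """Create a directory named autorun.inf so no file of that name can be created."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        raise RuntimeError("autorun.inf file present; inspect and remove it first")
    os.makedirs(path, exist_ok=True)
    return path


def attacker_can_drop_autorun(root):
    """Simulate a worm writing autorun.inf into the root; True if the write succeeds."""
    path = os.path.join(root, "autorun.inf")
    try:
        with open(path, "w") as fh:
            fh.write("[autorun]\nopen=ctdddg.exe\n")
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo():
    """Walk a throwaway directory through infected -> cleaned -> protected."""
    with tempfile.TemporaryDirectory() as root:
        before = inspect_drive_root(root)["state"]
        # Constructed infected stick: autorun.inf pointing at a dropper name.
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\r\nopen=ctdddg.exe\r\nshell\\open\\command=ctdddg.exe\r\n")
        infected = inspect_drive_root(root)
        os.remove(os.path.join(root, "autorun.inf"))  # the cleanup step
        protect_drive_root(root)
        after = inspect_drive_root(root)["state"]
        dropped = attacker_can_drop_autorun(root)
    return {"before": before, "infected_targets": infected["targets"],
            "after": after, "attacker_succeeded": dropped}


if __name__ == "__main__":
    print(demo())
```

Run it against a real removable drive root (for example `inspect_drive_root("F:\\")`) only after the drive has been scanned; an autorun.inf file whose targets match an executable in the log is exactly the pairing seen in this thread.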
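The CFScript above removes one mountpoints2 key and one dropper by hand. As an added example (not part of this thread, and not code from ComboFix or any tool mentioned here), the Python below parses the "Reg Loading Points" section of a ComboFix log for the two indicators visible in the logs posted in this thread, a mountpoints2 autorun verb pointing at an executable on a drive and Security Center notification suppression, and builds a CFScript in the File::/Registry:: form used above. The sample log text is constructed from lines quoted in this thread; the function names and the mapping from findings to a script are the example's own.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.
Added example for this thread; not ComboFix code, and the function names
are the example's own. SAMPLE_LOG is constructed from lines quoted in the
thread (with the forum-inserted spaces inside the quotes removed)."""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c34ad8c-d275-11dd-b27b-0013d4b1cf3b}]
\Shell\AutoRun\command - F:\ctdddg.exe
\Shell\explore\Command - F:\ctdddg.exe
\Shell\open\Command - F:\ctdddg.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints mountpoints2 verbs as "\Shell\<verb>\command - <target>".
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command\s+-\s+(?P<cmd>\S.*)$", re.IGNORECASE)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*dword:(?P<val>[0-9a-fA-F]{8})$')


def iter_reg_values(text):
    """Yield (key, line) for each value line under a [key] header.
    A blank line or the '.' separator ComboFix prints ends the current key."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            key = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
        elif key is not None:
            yield key, line


def find_indicators(text):
    """Flag mountpoints2 autorun verbs and Security Center notify suppression."""
    findings = []
    for key, line in iter_reg_values(text):
        lkey = key.lower()
        if "\\mountpoints2\\" in lkey:
            m = VERB_RE.match(line)
            if m:
                findings.append({"type": "mountpoint_autorun", "key": key,
                                 "verb": m.group("verb"), "command": m.group("cmd")})
        elif lkey.endswith("\\security center"):
            m = DWORD_RE.match(line)
            if m and m.group("name").lower().endswith("disablenotify") \
                    and int(m.group("val"), 16) == 1:
                findings.append({"type": "notify_suppressed", "key": key,
                                 "value": m.group("name")})
    return findings


def build_cfscript(findings):
    """Emit a CFScript in the File::/Registry:: form used in the thread:
    delete each command target, then remove each offending mountpoints2 key."""
    hits = [f for f in findings if f["type"] == "mountpoint_autorun"]
    files = sorted({f["command"] for f in hits})
    keys = sorted({f["key"] for f in hits})
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if keys:
        lines.append("Registry::")
        lines.extend("[-%s]" % k for k in keys)
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print(build_cfscript(found), end="")
```

Only the mountpoints2 findings go into the script; the Security Center values are reported rather than scripted, since whether to reset them is a decision for whoever is reading the log, and the generated CFScript.txt still has to be reviewed before it is dragged onto ComboFix.exe.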
     
  13. 2008/12/27
    alfa032

    alfa032 Inactive Thread Starter

    Joined:
    2008/09/24
    Messages:
    11
    Likes Received:
    0
    ComboFix 08-12-21.04 - glava 2008-12-27 11:11:03.4 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.310 [GMT 1:00]
    Running from: c:\documents and settings\glava\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\glava\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    F:\ctdddg.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\csrcs.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
    .

    2008-12-25 10:40 . 2008-12-25 10:40 <DIR> d-------- C:\rsit
    2008-12-23 11:01 . 2008-12-23 11:01 <DIR> d--hs---- C:\FOUND.004
    2008-12-22 15:33 . 2008-12-22 15:33 230 --a------ c:\windows\system32\spupdsvc.inf
    2008-12-22 15:13 . 2008-12-22 15:13 <DIR> d-------- c:\program files\Avira
    2008-12-22 15:13 . 2008-12-22 15:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2008-12-22 15:12 . 2008-12-22 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2008-12-22 13:27 . 2008-12-22 13:27 <DIR> d-------- c:\program files\RegCure
    2008-12-22 12:26 . 2008-12-22 12:26 0 -rahs---- C:\khs
    2008-12-22 12:12 . 2008-12-22 12:12 <DIR> d--hs---- C:\FOUND.003
    2008-12-22 11:51 . 2008-12-22 11:51 <DIR> d-------- c:\program files\Trend Micro
    2008-12-22 11:12 . 2008-12-22 11:12 5,503 --a------ c:\documents and settings\glava\12600.DAT
    2008-12-22 11:10 . 2008-12-22 11:10 <DIR> d--hs---- C:\FOUND.002
    2008-12-22 11:07 . 2008-12-22 12:18 2 --a------ C:\942549858
    2008-12-22 11:03 . 2008-12-22 11:03 5,503 --a------ c:\documents and settings\glava\10720.DAT
    2008-12-22 11:01 . 2008-12-22 11:01 <DIR> d--hs---- C:\FOUND.001
    2008-12-22 10:54 . 2008-12-22 10:54 5,503 --a------ c:\documents and settings\glava\10400.DAT
    2008-12-21 12:37 . 2008-12-21 12:37 <DIR> d-------- c:\program files\BitTorrent
    2008-12-21 12:37 . 2008-12-21 12:37 <DIR> d-------- c:\documents and settings\glava\Application Data\BitTorrent
    2008-12-21 12:00 . 2008-12-21 20:11 112 --a------ c:\windows\system32\xyzwm.ini
    2008-12-21 11:29 . 2008-12-21 11:29 <DIR> d-------- c:\documents and settings\glava\Application Data\Kingston
    2008-12-20 16:32 . 2008-12-20 16:32 <DIR> d-------- c:\program files\YouTube Downloader
    2008-12-18 14:11 . 2008-12-18 14:11 <DIR> d-------- c:\documents and settings\glava\Contacts
    2008-12-17 12:02 . 2008-12-17 12:02 <DIR> d--hs---- C:\Recycled
    2008-12-17 11:48 . 2008-12-17 11:48 <DIR> d-------- c:\documents and settings\glava\Application Data\ABBYY
    2008-12-17 11:01 . 2008-12-17 11:01 <DIR> d-------- c:\program files\Common Files\ABBYY
    2008-12-17 10:57 . 2008-12-17 10:57 <DIR> d-------- c:\program files\ABBYY FineReader 9.0
    2008-12-17 10:57 . 2008-12-17 10:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\ABBYY
    2008-12-17 10:32 . 2008-12-17 10:32 5,503 --a------ c:\documents and settings\glava\2560.DAT
    2008-12-16 22:03 . 2008-12-16 22:03 <DIR> d-------- c:\windows\Sun
    2008-12-16 21:55 . 2008-12-16 21:54 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-16 21:55 . 2008-12-16 21:54 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-16 21:54 . 2008-12-16 21:54 <DIR> d-------- c:\program files\Java
    2008-12-16 20:47 . 2008-12-16 20:47 <DIR> d--hs---- c:\windows\ftpcache
    2008-12-16 16:36 . 2008-12-20 16:43 116 --a------ c:\windows\NeroDigital.ini
    2008-12-16 14:05 . 2008-12-16 14:05 <DIR> d-------- c:\documents and settings\glava\Application Data\Ahead
    2008-12-16 14:03 . 2008-12-16 14:03 <DIR> d-------- c:\program files\Nero
    2008-12-16 14:03 . 2008-12-16 14:03 <DIR> d-------- c:\program files\Common Files\Ahead
    2008-12-16 10:44 . 2008-12-16 10:44 1,454 -rahs---- c:\windows\system32\autorun.in
    2008-12-16 10:44 . 2008-12-16 10:44 1,304 -rahs---- c:\windows\system32\autorun.i
    2008-12-15 14:54 . 2008-10-16 21:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
    2008-12-15 14:54 . 2008-10-16 21:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
    2008-12-15 14:53 . 2008-10-16 21:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
    2008-12-15 14:53 . 2007-04-17 10:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
    2008-12-15 14:53 . 2007-03-08 06:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
    2008-12-15 14:53 . 2008-10-16 21:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
    2008-12-15 14:53 . 2008-10-16 21:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
    2008-12-15 14:53 . 2008-10-16 21:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
    2008-12-15 14:53 . 2008-10-16 14:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-15 14:34 . 2008-10-24 12:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-15 14:33 . 2008-08-14 11:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-15 14:33 . 2008-08-14 11:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-15 14:33 . 2008-08-14 10:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-15 14:33 . 2008-08-14 10:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-15 13:47 . 2008-12-15 13:48 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-15 13:41 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
    2008-12-15 13:41 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
    2008-12-15 13:05 . 2008-12-15 13:05 <DIR> d--h----- c:\windows\$hf_mig$
    2008-12-15 13:05 . 2006-09-06 17:43 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2008-12-15 12:54 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
    2008-12-15 12:54 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
    2008-12-15 12:54 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
    2008-12-15 12:54 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2008-12-15 12:54 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
    2008-12-15 12:08 . 2008-12-15 12:08 <DIR> d--hs---- C:\FOUND.000
    2008-12-15 12:00 . 2008-12-15 12:00 5,503 --a------ c:\documents and settings\glava\13360.DAT
    2008-12-15 10:56 . 2008-12-15 10:56 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-15 05:23 . 2008-12-15 05:23 <DIR> d-------- c:\windows\system32\LogFiles
    2008-12-15 04:13 . 2008-12-27 11:08 495 --a------ c:\windows\system32\SP701ASM.dat
    2008-12-15 04:12 . 2008-12-15 04:12 <DIR> d-------- C:\FBBM
    2008-12-15 03:56 . 2008-12-15 03:56 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-12-15 03:53 . 2008-12-15 03:53 <DIR> d-------- c:\program files\Realtek Sound Manager
    2008-12-15 03:53 . 2008-12-15 03:53 <DIR> d-------- c:\program files\AvRack
    2008-12-15 03:53 . 2004-11-17 16:08 16,162,816 --a------ c:\windows\system32\ALSNDMGR.CPL
    2008-12-15 03:53 . 2004-11-17 16:11 9,319,936 --a------ c:\windows\system32\RTLCPL.EXE
    2008-12-15 03:53 . 2004-11-17 19:05 2,297,664 --a------ c:\windows\system32\drivers\ALCXWDM.SYS
    2008-12-15 03:53 . 2004-11-05 16:29 208,896 --------- c:\windows\alcupd.exe
    2008-12-15 03:53 . 2004-09-07 14:23 156,672 --a------ c:\windows\system32\RtlCPAPI.dll
    2008-12-15 03:53 . 2002-02-05 13:54 141,016 --a------ c:\windows\system32\ALSNDMGR.WAV
    2008-12-15 03:53 . 2004-09-01 20:04 139,264 --------- c:\windows\alcrmv.exe
    2008-12-15 03:53 . 2004-11-15 18:20 77,824 --a------ c:\windows\SOUNDMAN.EXE
    2008-12-15 03:53 . 2004-10-27 15:47 40,960 --------- c:\windows\system32\ChCfg.exe
    2008-12-15 03:53 . 2005-01-14 14:07 744 --------- c:\windows\system32\drivers\alcxinit.dat
    2008-12-15 03:53 . 2001-07-06 00:19 164 --------- c:\windows\avrack.ini
    2008-12-15 03:51 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
    2008-12-15 03:45 . 2008-12-15 03:45 <DIR> d-------- c:\program files\Microsoft Works
    2008-12-15 03:44 . 2008-12-15 03:44 <DIR> d-------- c:\program files\MSBuild
    2008-12-15 03:34 . 2008-12-15 03:34 <DIR> d-------- c:\windows\SHELLNEW
    2008-12-15 03:33 . 2008-12-15 03:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-15 03:31 . 2008-12-15 03:31 <DIR> dr-h----- C:\MSOCache
    2008-12-15 03:21 . 2008-12-15 03:21 <DIR> d-------- c:\program files\Caffe
    2008-12-15 03:17 . 2008-04-14 06:42 741,376 --a------ c:\windows\system32\dllcache\sapi.dll
    2008-12-15 03:17 . 2008-04-14 06:42 155,648 --a------ c:\windows\system32\dllcache\sapi.cpl
    2008-12-15 03:10 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2008-12-15 03:10 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d-------- c:\program files\LINKMAGIC
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d--h----- c:\program files\InstallShield Installation Information
    2008-12-15 03:09 . 2008-12-15 03:09 <DIR> d-------- c:\program files\Common Files\InstallShield
    2008-12-15 03:05 . 2008-12-15 03:05 <DIR> d-------- c:\windows\system32\DRVSTORE
    2008-12-15 03:05 . 2004-12-02 10:00 6,656 -ra------ c:\windows\system32\kbdcr.dll
    2008-12-15 03:05 . 2008-12-15 03:06 268 --ah----- C:\sqmdata00.sqm
    2008-12-15 03:05 . 2008-12-15 03:06 244 --ah----- C:\sqmnoopt00.sqm
    2008-12-15 03:04 . 2008-12-15 03:04 <DIR> d-------- c:\program files\MSN Messenger

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-15 01:33 --------- d-----w c:\program files\microsoft frontpage
    2008-11-07 15:45 2,174,976 ----a-w c:\windows\system32\dllcache\WMVCore.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 13:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 13:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 13:12 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 13:12 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 13:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 13:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 13:07 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-24_10.45.05.78 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-12-27 09:41:00 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_1d8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Caffe-Server "= "c:\program files\Caffe\Server.exe" [2008-12-15 2087424]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
    "avgnt "= "c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "SoundMan "= "SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LINKMAGIC.lnk]
    backup=c:\windows\pss\LINKMAGIC.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2005-11-24 15:38 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Program Files\\Caffe\\Server.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\groove.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=

    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service; "c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe" -service [2007-12-06 660768]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; "c:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-22 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]

    2008-12-27 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ba/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {0A852589-AE34-48DA-8B29-892DC13BF279} = 195.222.32.10 195.222.32.20
    TCP: {9AD6BE85-45CB-4571-B310-C6C7019543CD} = 195.222.32.10,195.222.32.20
    FF - ProfilePath - c:\documents and settings\glava\Application Data\Mozilla\Firefox\Profiles\bfu5bsg1.default\
    FF - prefs.js: browser.startup.homepage - www.google.ba
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-27 11:12:52
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-27 11:13:44
    ComboFix-quarantined-files.txt 2008-12-27 10:13:44
    ComboFix4.txt 2008-12-24 09:45:46
    ComboFix3.txt 2008-12-24 10:18:20
    ComboFix2.txt 2008-12-26 10:23:14

    Pre-Run: 6,411,255,808 bytes free
    Post-Run: 6,402,818,048 bytes free

    221
     
  14. 2008/12/28
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Let’s see if Kaspersky picks up any infected files. There is no option to clean/disinfect; however, we can analyze the information on the report and determine whether further action is needed.


    Please close all windows, and temporarily turn off the real time scanner of your antivirus program.
    Then, use Internet Explorer, and do an online scan with Kaspersky WebScanner
    Click: Scan Now
    Then click: Accept
    The program launches and downloads the latest definition files.
    • Once the files are downloaded, click on: Next
    • Under select a target to scan, select: My Computer
    When the scan is done, any infection is displayed.
    • Click on: View scan report
    To obtain the report:
    Click on: Save Report As

    Next, in the Save as prompt, Save in area, select: Desktop

    In the File name area, use KScan, or something similar

    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save

    ~~~~
    Please provide the contents of the Kaspersky Online Scanner report in your reply.
     
