
Solved ie redirects; hijack this not run; no safe mode or sys restore

Discussion in 'Malware and Virus Removal Archive' started by ocean, 2010/10/12.

  1. 2010/10/12
    ocean

    ocean Inactive Thread Starter

    Joined:
    2010/10/12
    Messages:
    31
    Likes Received:
    0
    [Resolved] ie redirects; hijack this not run; no safe mode or sys restore

    Hi,

    I have a Win XP PC with ZoneAlarm. While I was using FlashGet to download an mp3 from www.abc.net.au, there was a sudden refresh of the desktop & then five IE shortcuts appeared. All 5 redirect to Chinese web sites, because it asks me to install Chinese simplified characters, which I refused. They cannot be deleted; the error message is "cannot delete ie: it is being used by another person or program. close any programs that might be using the file & try again". I used Unlock to unlock and then delete them, but all 5 come back after reboot.

    At that time there were only two applications open, Internet Explorer & Windows Explorer. I also noticed the Win Ex shortcut had been deleted. Even if I create a new one later, it just disappears.

    I try to run HijackThis & Ad-Aware but nothing happens. I am unable to go to safe mode even if it is selected & the PC always goes back to the normal logon screen. System Restore is not available, since nothing happens when I double-click it. I ran Spybot Search & Destroy to fix the trojans but they also come back after reboot. No virus is detected after running AVG. Please help.

    The following are the log files from DDS:



    DDS (Ver_10-10-10.03) - NTFSx86
    Run by binh at 15:23:41.90 on Tue 12/10/2010
    Internet Explorer: 6.0.2800.1106
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.895.527 [GMT 10:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Microsoft Shared\explorer.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\System32\conime.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\ad hijack\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com.au/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://www.9384.com/?100077
    BHO: BHOApp Class: {ce7c3cef-4b15-11d1-abed-fa4c0c0931ed} - c:\windows\system32\bhoexe.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe "
    mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe "
    mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [WMC_AutoUpdate]
    mRun: [KAV] c:\windows\system32\kav.exe
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe "
    mRun: [CreateCD50] c:\progra~1\common~1\adapte~1\createcd\CREATE~1.EXE -r
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\TSPS.lnk -
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    mPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
    IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    SEH: N/A: {59dabd72-6a3f-47c0-90e6-23022b72d463} - c:\documents and settings\aaa\application data\Dk.sys
    IFEO: 360delays.exe - svchost.exe
    IFEO: 360realpro.exe - svchost.exe
    IFEO: 360rp.exe - ntsd -d
    IFEO: 360rpt.exe - ntsd -d
    IFEO: 360Safe.exe - ntsd -d

    Note: multiple IFEO entries found. Please refer to Attach.txt
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 127.0.0.2 cnzz.1075.info
    Hosts: 127.0.0.2 msn.1075.info

    ============= SERVICES / DRIVERS ===============

    R0 PrtSeqRd;PrtSeqRd;c:\windows\system32\drivers\PrtSeqRd.sys [2001-5-15 12224]
    R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2010-8-8 821856]
    R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2010-8-8 4224]
    R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2010-8-8 27776]
    R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2010-8-8 10760]
    R1 cdudf;cdudf;c:\windows\system32\drivers\Cdudf.sys [2001-5-17 229664]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-8-7 394192]
    R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2010-8-8 418816]
    R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2010-8-8 49664]
    R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2010-8-8 406528]
    R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2010-8-8 4960]
    R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 12800]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 ApsX85;Driver for ApsX85 Device;c:\windows\system32\drivers\ApsX85.sys [2010-10-10 9088]
    S2 MnetFream;Microsoft .NET Framework v4.2.58373_x86;c:\windows\system32\mrinet.exe [2010-10-10 32768]
    S2 WinHelp64;Windows Help System;c:\windows\system32\WinHelp64.exe [2010-10-12 17920]

    =============== Created Last 30 ================

    2010-10-12 02:42:03 75776 ----a-w- C:\ugn32x.exe
    2010-10-12 02:41:28 138372 ----a-w- c:\docume~1\aaa\applic~1\Dk.New
    2010-10-12 00:11:58 138372 ----a-w- c:\docume~1\aaa\applic~1\Dk.sys
    2010-10-11 23:52:46 17920 ----a-w- c:\windows\system32\WinHelp64.exe
    2010-10-11 02:07:39 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-11 01:09:18 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2010-10-11 01:09:17 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2010-10-11 00:51:42 -------- d-----w- c:\program files\Unlocker
    2010-10-10 06:55:30 2112 --sha-w- c:\windows\system32\drivers\kpscc.sys
    2010-10-10 06:55:29 9088 ----a-w- c:\windows\system32\drivers\ApsX85.sys
    2010-10-10 06:48:38 138372 ----a-w- c:\docume~1\aaa\applic~1\Dk.Tmp
    2010-10-10 06:45:36 32768 ----a-w- c:\windows\system32\mrinet.exe
    2010-10-10 06:32:38 37376 ----a-w- c:\docume~1\aaa\applic~1\f.exe
    2010-10-10 06:31:06 -------- d-----w- c:\program files\ATI
    2010-10-10 06:31:00 37376 ----a-w- c:\windows\system32\kav.exe
    2010-10-08 05:18:14 -------- d-----w- c:\docume~1\aaa\locals~1\applic~1\Help
    2010-10-03 12:30:57 272896 -c--a-w- c:\windows\system32\dllcache\pinball.exe
    2010-10-03 12:01:19 -------- d-----w- c:\windows\system32\Logfiles
    2010-10-03 10:36:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-10-03 10:36:25 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-02 07:25:09 1409 ----a-w- c:\windows\QTFont.for

    ==================== Find3M ====================

    2010-10-12 02:12:59 17920 --sh--w- c:\program files\common files\ips888.dll
    2010-10-12 00:12:31 70920 ------w- c:\windows\system32\bhoexe.dll
    2010-10-10 06:46:12 104960 ----a-w- c:\windows\system32\imm32.dll
    2010-10-10 06:45:46 600064 ----a-w- c:\windows\system32\wininet.dll
    2010-08-07 23:36:54 1409 ----a-w- c:\windows\system32\tmp956C9.FOT
    2010-08-07 23:36:53 1409 ----a-w- c:\windows\system32\tmpCD4C9.FOT
    2010-08-07 23:36:53 1409 ----a-w- c:\windows\system32\tmp906C9.FOT
    2010-08-07 23:36:53 1409 ----a-w- c:\windows\system32\tmp2C5C9.FOT
    2010-08-07 23:36:53 1409 ----a-w- c:\windows\system32\tmp275C9.FOT
    2010-08-07 23:36:53 1409 ----a-w- c:\windows\system32\tmp225C9.FOT
    2010-08-07 23:24:35 40960 ----a-w- c:\windows\uneng.exe
    2010-08-07 23:24:34 45056 ----a-w- c:\windows\system32\cdrtc.dll
    2010-08-07 23:24:34 45056 ----a-w- c:\windows\system32\cdral.dll
    2010-08-06 14:17:48 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-08-06 14:17:48 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-08-06 13:53:32 1409 ----a-w- c:\windows\system32\tmpEE6B7.FOT
    2010-08-06 13:53:32 1409 ----a-w- c:\windows\system32\tmpA27B7.FOT
    2010-08-06 13:53:32 1409 ----a-w- c:\windows\system32\tmp676B7.FOT
    2010-08-06 13:53:32 1409 ----a-w- c:\windows\system32\tmp626B7.FOT
    2010-08-06 13:53:32 1409 ----a-w- c:\windows\system32\tmp3F5B7.FOT
    2010-08-06 13:53:32 1409 ----a-w- c:\windows\system32\tmp2B6B7.FOT
    2010-07-29 16:00:37 282624 ----a-w- c:\windows\qqlogin.dll

    ============= FINISH: 15:25:21.80 ===============




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/08/2010 7:49:46 AM
    System Uptime: 10/12/2010 12:10:48 PM (-1413 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | 693A-596B-8671
    Processor: Intel Pentium III processor | Socket 370 | 664/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 19 GiB total, 8.42 GiB free.
    D: is FIXED (FAT32) - 28 GiB total, 6.177 GiB free.
    E: is FIXED (FAT32) - 28 GiB total, 1.145 GiB free.
    F: is FIXED (FAT32) - 19 GiB total, 0.982 GiB free.
    G: is CDROM ()
    I: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP62: 3/10/2010 9:32:18 PM - Installed Windows Media Player 10
    RP63: 3/10/2010 10:42:12 PM - Installed Windows Media Format Runtime
    RP64: 5/10/2010 6:24:45 PM - System Checkpoint
    RP65: 7/10/2010 9:23:04 PM - System Checkpoint
    RP66: 9/10/2010 12:54:31 PM - System Checkpoint
    RP67: 10/10/2010 7:47:00 PM - System Checkpoint

    ==== Image File Execution Options =============

    IFEO: 360delays.exe - svchost.exe
    IFEO: 360realpro.exe - svchost.exe
    IFEO: 360rp.exe - ntsd -d
    IFEO: 360rpt.exe - ntsd -d
    IFEO: 360Safe.exe - ntsd -d
    IFEO: 360Safebox.exe - ntsd -d
    IFEO: 360sd.exe - ntsd -d
    IFEO: 360sdrun.exe - ntsd -d
    IFEO: 360SoftMgrSvc.exe - svchost.exe
    IFEO: 360tray.exe - ntsd -d
    IFEO: 799d.exe - ntsd -d
    IFEO: adam.exe - ntsd -d
    IFEO: AgentSvr.exe - ntsd -d
    IFEO: alg.exe - svchost.exe
    IFEO: antiarp.exe - svchost.exe
    IFEO: AntiU.exe - ntsd -d
    IFEO: AoYun.exe - ntsd -d
    IFEO: appdllman.exe - ntsd -d
    IFEO: AppSvc32.exe - ntsd -d
    IFEO: ArSwp.exe - ntsd -d
    IFEO: ArSwp2.exe - ntsd -d
    IFEO: ArSwp3.exe - ntsd -d
    IFEO: AST.exe - ntsd -d
    IFEO: atpup.exe - ntsd -d
    IFEO: auto.exe - ntsd -d
    IFEO: AutoRun.exe - ntsd -d
    IFEO: autoruns.exe - ntsd -d
    IFEO: av.exe - ntsd -d
    IFEO: AvastU3.exe - ntsd -d
    IFEO: avconsol.exe - ntsd -d
    IFEO: avgrssvc.exe - ntsd -d
    IFEO: AvMonitor.exe - ntsd -d
    IFEO: avp.com - ntsd -d
    IFEO: avp.exe - ntsd -d
    IFEO: AvU3Launcher.exe - ntsd -d
    IFEO: bdagent.exe - svchost.exe
    IFEO: ccapp.exe - svchost.exe
    IFEO: CCenter.exe - ntsd -d
    IFEO: ccEvtMgr.exe - svchost.exe
    IFEO: ccSetMgr.exe - svchost.exe
    IFEO: ccSvcHst.exe - ntsd -d
    IFEO: cross.exe - ntsd -d
    IFEO: defwatch.exe - svchost.exe
    IFEO: Discovery.exe - ntsd -d
    IFEO: DrUpdate.exe - svchost.exe
    IFEO: DrvAnti.exe - svchost.exe
    IFEO: DSMain.exe - ntsd -d
    IFEO: EGHOST.exe - ntsd -d
    IFEO: egui.exe - svchost.exe
    IFEO: ekrn.exe - svchost.exe
    IFEO: engineserver.exe - svchost.exe
    IFEO: FileDsty.exe - ntsd -d
    IFEO: filmst.exe - ntsd -d
    IFEO: FrameworkService.exe - svchost.exe
    IFEO: FTCleanerShell.exe - ntsd -d
    IFEO: FYFireWall.exe - ntsd -d
    IFEO: ghost.exe - ntsd -d
    IFEO: guangd.exe - ntsd -d
    IFEO: HijackThis.exe - ntsd -d
    IFEO: IceSword.exe - ntsd -d
    IFEO: iparmo.exe - ntsd -d
    IFEO: Iparmor.exe - ntsd -d
    IFEO: irsetup.exe - ntsd -d
    IFEO: isPwdSvc.exe - ntsd -d
    IFEO: jisu.exe - ntsd -d
    IFEO: KABackReport.exe - svchost.exe
    IFEO: kabaload.exe - ntsd -d
    IFEO: kaccore.exe - svchost.exe
    IFEO: KaScrScn.SCR - ntsd -d
    IFEO: KASMain.exe - ntsd -d
    IFEO: KASTask.exe - ntsd -d
    IFEO: KAV32.exe - ntsd -d
    IFEO: KAVDX.exe - ntsd -d
    IFEO: KAVPF.exe - ntsd -d
    IFEO: KAVPFW.exe - ntsd -d
    IFEO: KAVSetup.exe - ntsd -d
    IFEO: kavstart.exe - ntsd -d
    IFEO: kernelwind32.exe - ntsd -d
    IFEO: KISLnchr.exe - ntsd -d
    IFEO: KISSvc.exe - ntsd -d
    IFEO: kmailmon.exe - ntsd -d
    IFEO: KMFilter.exe - ntsd -d
    IFEO: KPFW32.exe - ntsd -d
    IFEO: KPFW32X.exe - ntsd -d
    IFEO: KPfwSvc.exe - ntsd -d
    IFEO: kppserv.exe - svchost.exe
    IFEO: KPPTray.exe - svchost.exe
    IFEO: KRegEx.exe - ntsd -d
    IFEO: KRepair.com - ntsd -d
    IFEO: KSafeSvc.exe - svchost.exe
    IFEO: KSafeTray.exe - svchost.exe
    IFEO: KsLoader.exe - ntsd -d
    IFEO: KSWebShield.exe - ntsd -d
    IFEO: KVCenter.kxp - ntsd -d
    IFEO: KvDetect.exe - ntsd -d
    IFEO: KvfwMcl.exe - ntsd -d
    IFEO: KVMonXP.kxp - ntsd -d
    IFEO: KVMonXP_1.kxp - ntsd -d
    IFEO: kvol.exe - ntsd -d
    IFEO: kvolself.exe - ntsd -d
    IFEO: KvReport.kxp - ntsd -d
    IFEO: KVScan.kxp - ntsd -d
    IFEO: KVSrvXP.exe - ntsd -d
    IFEO: KVStub.kxp - ntsd -d
    IFEO: kvupload.exe - ntsd -d
    IFEO: kvwsc.exe - ntsd -d
    IFEO: KvXP.kxp - ntsd -d
    IFEO: KvXP_1.kxp - ntsd -d
    IFEO: KWatch.exe - ntsd -d
    IFEO: KWatch9x.exe - ntsd -d
    IFEO: KWatchX.exe - ntsd -d
    IFEO: KWSMain.exe - ntsd -d
    IFEO: kwstray.exe - ntsd -d
    IFEO: KWSUpd.exe - ntsd -d
    IFEO: kxedefend.exe - svchost.exe
    IFEO: kxesapp.exe - svchost.exe
    IFEO: kxescore.exe - svchost.exe
    IFEO: kxeserv.exe - svchost.exe
    IFEO: kxetray.exe - svchost.exe
    IFEO: livesrv.exe - svchost.exe
    IFEO: LiveUpdate360.exe - svchost.exe
    IFEO: loaddll.exe - ntsd -d
    IFEO: logogo.exe - ntsd -d
    IFEO: MagicSet.exe - ntsd -d
    IFEO: mcagent.exe - svchost.exe
    IFEO: mcconsol.exe - ntsd -d
    IFEO: mcinsupd.exe - svchost.exe
    IFEO: mcmscsvc.exe - svchost.exe
    IFEO: mcnasvc.exe - svchost.exe
    IFEO: McProxy.exe - svchost.exe
    IFEO: mcshell.exe - svchost.exe
    IFEO: mcshield.exe - svchost.exe
    IFEO: mcsysmon.exe - svchost.exe
    IFEO: McTray.exe - svchost.exe
    IFEO: mcupdmgr.exe - svchost.exe
    IFEO: mfeann.exe - svchost.exe
    IFEO: mfevtps.exe - svchost.exe
    IFEO: mmqczj.exe - ntsd -d
    IFEO: mmsk.exe - ntsd -d
    IFEO: MpfSrv.exe - svchost.exe
    IFEO: MPMon.exe - svchost.exe
    IFEO: MPSVC.exe - svchost.exe
    IFEO: MPSVC1.exe - svchost.exe
    IFEO: MPSVC2.exe - svchost.exe
    IFEO: naPrdMgr.exe - svchost.exe
    IFEO: Navapsvc.exe - ntsd -d
    IFEO: Navapw32.exe - ntsd -d
    IFEO: NAVSetup.exe - ntsd -d
    IFEO: nbmanti.exe - svchost.exe
    IFEO: niu.exe - ntsd -d
    IFEO: nod32.exe - ntsd -d
    IFEO: nod32krn.exe - ntsd -d
    IFEO: nod32kui.exe - ntsd -d
    IFEO: NPFMntor.exe - ntsd -d
    IFEO: pagefile.exe - ntsd -d
    IFEO: pagefile.pif - ntsd -d
    IFEO: pfserver.exe - ntsd -d
    IFEO: PFW.exe - ntsd -d
    IFEO: PFWLiveUpdate.exe - ntsd -d
    IFEO: qheart.exe - ntsd -d
    IFEO: QHSET.exe - ntsd -d
    IFEO: QQDoctor.exe - ntsd -d
    IFEO: QQDoctorMain.exe - ntsd -d
    IFEO: QQDoctorRtp.exe - ntsd -d
    IFEO: QQDrNetMon.exe - svchost.exe
    IFEO: QQKav.exe - ntsd -d
    IFEO: QQPCMgr.exe - ntsd -d
    IFEO: QQPCRTP.exe - ntsd -d
    IFEO: QQPCSmashFile.exe - ntsd -d
    IFEO: QQPCTray.exe - ntsd -d
    IFEO: QQSC.exe - ntsd -d
    IFEO: qsetup.exe - ntsd -d
    IFEO: qutmserv.exe - svchost.exe
    IFEO: Ras.exe - ntsd -d
    IFEO: Rav.exe - ntsd -d
    IFEO: ravcopy.exe - ntsd -d
    IFEO: RavMon.exe - ntsd -d
    IFEO: RavMonD.exe - ntsd -d
    IFEO: RavStub.exe - ntsd -d
    IFEO: RavTask.exe - ntsd -d
    IFEO: RegClean.exe - ntsd -d
    IFEO: RegGuide.exe - svchost.exe
    IFEO: rfwcfg.exe - ntsd -d
    IFEO: rfwmain.exe - ntsd -d
    IFEO: rfwProxy.exe - ntsd -d
    IFEO: rfwsrv.exe - ntsd -d
    IFEO: RsAgent.exe - ntsd -d
    IFEO: Rsaupd.exe - ntsd -d
    IFEO: rsnetsvr.exe - ntsd -d
    IFEO: rssafety.exe - svchost.exe
    IFEO: RsTray.exe - ntsd -d
    IFEO: rstrui.exe - ntsd -d
    IFEO: rtvscan.exe - svchost.exe
    IFEO: runiep.exe - ntsd -d
    IFEO: safeboxTray.exe - ntsd -d
    IFEO: safelive.exe - ntsd -d
    IFEO: scan32.exe - ntsd -d
    IFEO: ScanFrm.exe - ntsd -d
    IFEO: ScanU3.exe - ntsd -d
    IFEO: SDGames.exe - ntsd -d
    IFEO: SelfUpdate.exe - ntsd -d
    IFEO: servet.exe - ntsd -d
    IFEO: shcfg32.exe - ntsd -d
    IFEO: SHSTAT.exe - svchost.exe
    IFEO: SmartUp.exe - ntsd -d
    IFEO: sos.exe - ntsd -d
    IFEO: SREng.EXE - ntsd -d
    IFEO: SREngPS.EXE - ntsd -d
    IFEO: stormii.exe - ntsd -d
    IFEO: sxgame.exe - ntsd -d
    IFEO: symlcsvc.exe - ntsd -d
    IFEO: SysSafe.exe - ntsd -d
    IFEO: tmp.exe - ntsd -d
    IFEO: TNT.Exe - ntsd -d
    IFEO: TrojanDetector.exe - ntsd -d
    IFEO: Trojanwall.exe - ntsd -d
    IFEO: TrojDie.kxp - ntsd -d
    IFEO: TxoMoU.Exe - ntsd -d
    IFEO: udaterui.exe - svchost.exe
    IFEO: UFO.exe - ntsd -d
    IFEO: UIHost.exe - ntsd -d
    IFEO: UmxAgent.exe - ntsd -d
    IFEO: UmxAttachment.exe - ntsd -d
    IFEO: UmxCfg.exe - ntsd -d
    IFEO: UmxFwHlp.exe - ntsd -d
    IFEO: UmxPol.exe - ntsd -d
    IFEO: upiea.exe - ntsd -d
    IFEO: Uplive.exe - ntsd -d
    IFEO: upsvc.exe - svchost.exe
    IFEO: USBCleaner.exe - ntsd -d
    IFEO: vptray.exe - svchost.exe
    IFEO: vsserv.exe - svchost.exe
    IFEO: vsstat.exe - ntsd -d
    IFEO: vstskmgr.exe - svchost.exe
    IFEO: wbapp.exe - ntsd -d
    IFEO: webscanx.exe - ntsd -d
    IFEO: WoptiClean.exe - ntsd -d
    IFEO: Wsyscheck.exe - ntsd -d
    IFEO: xcommsvr.exe - svchost.exe
    IFEO: XDelBox.exe - ntsd -d
    IFEO: XP.exe - ntsd -d
    IFEO: XsClient.exe - svchost.exe
    IFEO: zhudongfangyu.exe - ntsd -d
    IFEO: zjb.exe - ntsd -d
    IFEO: zxsweep.exe - ntsd -d
    IFEO: ~.exe - ntsd -d

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Flash Player 10 ActiveX
    AVG Free Edition
    DivX 4.12 Codec
    Easy CD Creator 5 Platinum
    FlashGet 1.9.6.1073
    Glary Utilities 2.28.0.1011
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1
    HP Photo and Imaging 1.2 - Scanjet 4570c Series
    iTunes
    Microsoft Office 2000 Premium
    QuickTime
    RealPlayer
    RealUpgrade 1.0
    ShareIns
    Spybot - Search & Destroy
    Unlocker 1.9.0
    VC 9.0 Runtime
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Media Format Runtime
    Windows XP Service Pack 1a
    ZoneAlarm

    ==== Event Viewer Messages From Past Week ========

    13/10/2010 12:53:55 AM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 8 time(s).
    13/10/2010 12:33:50 AM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 7 time(s).
    13/10/2010 1:14:01 AM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 9 time(s).
    12/10/2010 9:30:59 PM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 6 time(s).
    12/10/2010 9:01:59 AM, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: All pipe instances are busy.
    12/10/2010 9:01:59 AM, error: DCOM [10005] - DCOM got error "%231" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    12/10/2010 9:01:59 AM, error: DCOM [10005] - DCOM got error "%231" attempting to start the service netman with arguments " " in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    12/10/2010 8:14:07 PM, error: Service Control Manager [7034] - The Windows Help System service terminated unexpectedly. It has done this 2 time(s).
    12/10/2010 8:02:28 PM, error: NLA [0] -
    12/10/2010 8:02:26 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Nla service.
    12/10/2010 8:02:26 PM, error: Service Control Manager [7000] - The Network Location Awareness (NLA) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/10/2010 7:57:37 PM, error: Service Control Manager [7034] - The Windows Help System service terminated unexpectedly. It has done this 1 time(s).
    12/10/2010 7:37:36 PM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 5 time(s).
    12/10/2010 7:17:29 PM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 4 time(s).
    12/10/2010 12:41:02 AM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    12/10/2010 12:41:02 AM, error: Service Control Manager [7000] - The Telephony service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/10/2010 12:41:01 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the TapiSrv service.
    12/10/2010 12:38:31 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the TermService service.
    12/10/2010 12:38:31 AM, error: Service Control Manager [7000] - The Terminal Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/10/2010 9:39:02 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0040F4B3DC49 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    11/10/2010 9:12:28 AM, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: The parameter is incorrect.
    11/10/2010 9:12:27 AM, error: Rasman [20031] - Remote Access Connection Manager failed to start because it could not locate port information from media DLLs. The parameter is incorrect.
    11/10/2010 9:12:15 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RasMan service.
    11/10/2010 9:12:15 AM, error: Service Control Manager [7000] - The Remote Access Connection Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/10/2010 9:03:59 PM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 3 time(s).
    11/10/2010 9:01:14 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    11/10/2010 8:55:01 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    11/10/2010 8:44:08 PM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 2 time(s).
    11/10/2010 6:11:33 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments " " in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    11/10/2010 6:10:33 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
    11/10/2010 6:09:33 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
    11/10/2010 6:09:33 AM, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/10/2010 6:09:33 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/10/2010 6:08:03 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wuauserv service.
    11/10/2010 6:07:03 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the dmserver service.
    11/10/2010 6:04:33 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
    11/10/2010 6:04:03 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
    11/10/2010 6:03:33 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.
    11/10/2010 2:46:07 AM, error: Service Control Manager [7034] - The Microsoft .NET Framework v4.2.58373_x86 service terminated unexpectedly. It has done this 1 time(s).
    11/10/2010 2:06:09 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
    11/10/2010 2:06:09 AM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/10/2010 12:08:39 AM, error: ACPI [5] - AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x4d1), which lies in the 0x4d0 - 0x4d1 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
    11/10/2010 12:08:39 AM, error: ACPI [4] - AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x4d1), which lies in the 0x4d0 - 0x4d1 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.

    ==== End Of File ===========================


    Hi,

    I also noticed something strange in Win Ex. There are 2 sections: Folders & Name. A list of folders appears in the Folders section, but in the Name section there is the same list of folders in "shadow or lighter colours", plus a folder with the strange name "{¾«²ÃŠÃŠÃ“Ƶ}", plus another list of the same folders, all of size 74KB, application type. Hope this is helpful.

    Thanks.
     
    Last edited: 2010/10/12
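    The IFEO lines in the log above are what stop HijackThis and System Restore (rstrui.exe) from launching: Windows runs the listed "debugger" command in place of the program. As an added example, not from the original post or from the DDS tool, the Python script below parses such a DDS excerpt (the sample is quoted from this log) and lists the entries that account for the reported symptoms.

```python
"""Triage a DDS log excerpt. Added example, not code from this thread or from
the DDS tool: it reads 'Pseudo HJT Report' and file-date lines and explains,
from a defender's viewpoint, the entries behind the symptoms reported above:
IFEO debugger hijacks that stop tools from starting, a disabled registry
editor, hosts entries pinned to loopback, a machine-wide start page, and
autoruns whose binary is only days old. SAMPLE_LOG quotes the posted log."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # ifeo | policy | hosts | startpage | run
    subject: str  # the entry the finding is about
    detail: str   # defender-facing explanation


IFEO_RE = re.compile(r"^IFEO:\s+(\S+)\s+-\s+(.+?)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
POLICY_RE = re.compile(r"^([um])Policies-(\w+):\s+(\w+)\s+=\s+(\d+)")
START_RE = re.compile(r"^([um])Start Page\s+=\s+(\S+)")
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s*(.*)$")
# 'Created Last 30' / 'Find3M' lines: date time size attrs path
FILE_RE = re.compile(r"^(\d{4}-\d{1,2}-\d{1,2}) \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+?)\s*$")

# Windows runs the IFEO "Debugger" command with the original command line
# appended: "ntsd -d" leaves the program under a debugger with no kernel
# debugger to talk to, "svchost.exe" runs in its place. The tool never appears.
BLOCKING_DEBUGGERS = {"ntsd -d", "svchost.exe"}

SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com.au/
mStart Page = hxxp://www.9384.com/?100077
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe "
mRun: [WMC_AutoUpdate]
mRun: [KAV] c:\windows\system32\kav.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
IFEO: 360Safe.exe - ntsd -d
IFEO: HijackThis.exe - ntsd -d
IFEO: alg.exe - svchost.exe
IFEO: rstrui.exe - ntsd -d
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.2 cnzz.1075.info
2010-10-10 06:31:00 37376 ----a-w- c:\windows\system32\kav.exe
"""


def command_path(command: str) -> str:
    """Executable path of an autorun command: '"c:\\a b.exe" -r' -> 'c:\\a b.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).strip()
    return command.split()[0] if command else ""


def triage(log: str) -> list[Finding]:
    """Return the suspicious entries of a DDS excerpt, in log order."""
    lines = [ln.strip() for ln in log.splitlines()]
    # First pass: file dates, so autorun binaries can be cross-referenced.
    recent = {m.group(2).lower(): m.group(1)
              for ln in lines if (m := FILE_RE.match(ln))}
    out: list[Finding] = []
    for ln in lines:
        if m := IFEO_RE.match(ln):
            target, debugger = m.groups()
            if debugger.lower() in BLOCKING_DEBUGGERS:
                out.append(Finding("ifeo", target,
                    f"starting {target} runs '{debugger}' instead, so the tool never launches"))
        elif m := HOSTS_RE.match(ln):
            ip, host = m.groups()
            verb = "blocked via loopback" if ip.startswith("127.") else "redirected to"
            out.append(Finding("hosts", host, f"{host} {verb} {ip}"))
        elif m := POLICY_RE.match(ln):
            scope, hive, name, value = m.groups()
            if value != "0":
                where = "current user" if scope == "u" else "all users"
                out.append(Finding("policy", name, f"{hive} policy {name}={value} for {where}"))
        elif m := START_RE.match(ln):
            scope, url = m.groups()
            if scope == "m":
                out.append(Finding("startpage", url, "machine-wide IE start page; confirm it is intended"))
        elif m := RUN_RE.match(ln):
            name, path = m.group(2), command_path(m.group(3))
            if not path:
                out.append(Finding("run", name, "autorun value has no command"))
            elif path.lower() in recent:
                out.append(Finding("run", name,
                    f"autorun binary {path} was created on {recent[path.lower()]}"))
    return out


def report(log: str) -> str:
    return "\n".join(f"[{f.kind}] {f.subject}: {f.detail}" for f in triage(log))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```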
  2. 2010/10/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ===============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
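    An added illustration of what an MBR check of the kind requested above actually does. This is example code written for this page, not MBRCheck's source and not material from the forum: it takes one 512-byte sector, verifies the 0x55AA boot signature, hashes the bootstrap code and compares it with a baseline of hashes recorded from clean installs, and decodes the partition table. The sample sector, the 0x12345678 disk signature and the baseline hash are constructed; which bytes MBRCheck itself hashes is not stated on the page, so hashing the first 440 bytes is an assumption. The sample's NTFS entry at LBA 63 gives the byte offset 0x7E00 that the MBRCheck report in the next post shows for C:.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the bootstrap code (assumed hash region)
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the disk signature
BOOT_SIG = b"\x55\xaa"     # bytes 510..511
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed 512-byte sector (not a real disk image): dummy boot code,
    one bootable NTFS partition at LBA 63 and a valid boot signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # constructed signature
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                       b"\xfe\xff\xff", 63, 156_296_322)
    sector = boot_code + disk_sig + ntfs + b"\x00" * 48 + BOOT_SIG
    if len(sector) != SECTOR_SIZE:
        raise RuntimeError("sample sector has the wrong length")
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, signature validity and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                        # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "byte_offset": lba * SECTOR_SIZE,   # what MBRCheck prints as "at offset"
            "sectors": count,
        })
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_good_sha1: set) -> dict:
    """Compare the sector against a baseline of boot-code hashes taken from
    clean installs; anything unknown is flagged for a closer look."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is corrupt or not an MBR")
    if info["boot_code_sha1"] not in known_good_sha1:
        findings.append("boot code SHA1 %s is not in the known-good list" % info["boot_code_sha1"])
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is marked active")
    info["findings"] = findings
    info["clean"] = not findings
    return info


def tamper(sector: bytes, offset: int, value: int) -> bytes:
    """Change one byte; models a bootkit overwriting part of the bootstrap code."""
    buf = bytearray(sector)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = {parse_mbr(sample)["boot_code_sha1"]}   # hash recorded while clean
    for name, sector in (("clean", sample), ("patched", tamper(sample, 0, 0xEB))):
        result = check_mbr(sector, baseline)
        print(name, "clean" if result["clean"] else result["findings"])
        for p in result["partitions"]:
            print("  type 0x%02X at offset 0x%X, %d sectors"
                  % (p["type"], p["byte_offset"], p["sectors"]))
```

    On a live system the sector would come from reading the first 512 bytes of the physical drive, which needs administrative rights; the baseline set is what makes the check useful, since a hash on its own only tells you that something changed, not what it is.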
     


  4. 2010/10/13
    ocean

    ocean Inactive Thread Starter

    Joined:
    2010/10/12
    Messages:
    31
    Likes Received:
    0
    Hi,

    Thanks very much for your advice.

    I downloaded MBRCheck & Combofix & ran them. I had disabled Unlock, ZoneAlarm, AVG & TeaTimer. During the ComboFix scan, there was an error message "C:\boot.ini is not correctly formatted". I OK'd the error & clicked 'yes' to continue scanning for malware. After the deeper scan & re-boot by Combofix, ZA & AVG re-appeared on the task bar. While Combofix was preparing the log report, I noticed that there were 1 x win ex icon + 4 x ie shortcuts on the desktop. I deleted them without using Unlock after the Combofix log report was generated.

    I also noticed something abnormal while waiting for the log. There were three ZA alerts: "win ex wants to accept connections from the trust zone" (not completely sure about this; selected 'deny'); Breathe.dat & TPONSCR.exe (selected 'remember this setting & deny'). What are they? Am I correct to select deny? I also created a shortcut for win ex.

    I then re-activated TeaTimer & re-booted. Unfortunately, the win ex sc disappeared by itself again & all 4 ie sc re-appeared & still re-direct.

    Here are the log files:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 1 (build 2600)
    Logical Drives Mask: 0x0000017d

    Kernel Drivers (total 120):
    0x804D4000 \WINDOWS\system32\ntoskrnl.exe
    0x806C7000 \WINDOWS\system32\hal.dll
    0xF79AF000 \WINDOWS\system32\KDCOM.DLL
    0xF78BF000 \WINDOWS\system32\BOOTVID.dll
    0xF7462000 ACPI.sys
    0xF79B1000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF74AF000 pci.sys
    0xF74BF000 isapnp.sys
    0xF79B3000 viaide.sys
    0xF772F000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF74CF000 MountMgr.sys
    0xF7443000 ftdisk.sys
    0xF79B5000 dmload.sys
    0xF741F000 dmio.sys
    0xF7737000 PartMgr.sys
    0xF74DF000 VolSnap.sys
    0xF7409000 atapi.sys
    0xF74EF000 disk.sys
    0xF74FF000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF73F8000 sr.sys
    0xF78C3000 PrtSeqRd.sys
    0xF73E4000 KSecDD.sys
    0xF735A000 Ntfs.sys
    0xF7331000 NDIS.sys
    0xF773F000 viaagp.sys
    0xF731D000 srescan.sys
    0xF7303000 Mup.sys
    0xF76CF000 \SystemRoot\System32\DRIVERS\p3.sys
    0xF7208000 \SystemRoot\System32\DRIVERS\nv4.sys
    0xF71F6000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF77B7000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF76DF000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF798B000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF71E3000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF76EF000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF77BF000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF77C7000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF76FF000 \SystemRoot\System32\Drivers\Imapi.SYS
    0xF770F000 \SystemRoot\System32\Drivers\AFS2K.SYS
    0xF771F000 \SystemRoot\System32\Drivers\Cdr4_2K.SYS
    0xF752F000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF753F000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF71C2000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF77CF000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
    0xF754F000 \SystemRoot\System32\Drivers\pwd_2K.SYS
    0xF77D7000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF77DF000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF7185000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF755F000 \SystemRoot\system32\drivers\es1371mp.sys
    0xF7164000 \SystemRoot\system32\drivers\portcls.sys
    0xF756F000 \SystemRoot\system32\drivers\drmk.sys
    0xF7997000 \SystemRoot\System32\DRIVERS\ApsX85.sys
    0xF7A7C000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF757F000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF799B000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF714E000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF758F000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF759F000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF799F000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF709D000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF75AF000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF77E7000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF77EF000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF7048000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF75BF000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF7AE7000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF7026000 \SystemRoot\System32\DRIVERS\update.sys
    0xF77F7000 \SystemRoot\System32\Drivers\mmc_2K.SYS
    0xF72C3000 \SystemRoot\System32\DRIVERS\gameenum.sys
    0xF75CF000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7807000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF75FF000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF79ED000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF79EF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7C03000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79F1000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7C04000 \SystemRoot\System32\Drivers\avgclean.sys
    0xF7817000 \SystemRoot\System32\drivers\vga.sys
    0xF79F3000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79F5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF5FA5000 \SystemRoot\System32\Drivers\cdudf.SYS
    0xF781F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7827000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF5F5E000 \SystemRoot\System32\Drivers\UdfReadr.SYS
    0xF7973000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF760F000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF5EFA000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF5ED3000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF5E74000 \SystemRoot\System32\vsdatant.sys
    0xF761F000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF5E24000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF5DC0000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF762F000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF763F000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xF5C57000 \SystemRoot\System32\Drivers\avg7core.sys
    0xF79F7000 \SystemRoot\System32\Drivers\avg7rsw.sys
    0xF783F000 \SystemRoot\System32\Drivers\avg7rsxp.sys
    0xF5C33000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF5C1D000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A05000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF72DF000 \SystemRoot\System32\watchdog.sys
    0xF72CB000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBFF80000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B32000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFDB0000 \SystemRoot\System32\nv4.dll
    0xF35B6000 \SystemRoot\System32\drivers\afd.sys
    0xF36CF000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF31F3000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xF79EB000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xF3118000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF3436000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF7B19000 \??\C:\WINDOWS\System32\drivers\kpscc.sys
    0xF3153000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF7A31000 \SystemRoot\System32\Drivers\avgtdi.sys
    0xF2F3C000 \SystemRoot\System32\DRIVERS\srv.sys
    0xF2653000 \SystemRoot\system32\drivers\kmixer.sys
    0xF7787000
    0x77F50000 \WINDOWS\system32\ntdll.dll
    0x00400000 \WINDOWS\system32\ntoskrnl.exe

    Processes (total 36):
    0 System Idle Process
    4 System
    420 C:\WINDOWS\system32\smss.exe
    476 C:\WINDOWS\system32\csrss.exe
    500 C:\WINDOWS\system32\winlogon.exe
    544 C:\WINDOWS\system32\services.exe
    556 C:\WINDOWS\system32\lsass.exe
    712 C:\WINDOWS\system32\svchost.exe
    756 C:\WINDOWS\system32\svchost.exe
    824 C:\WINDOWS\system32\svchost.exe
    836 C:\WINDOWS\system32\svchost.exe
    892 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    1024 C:\WINDOWS\system32\userinit.exe
    1148 C:\WINDOWS\explorer.exe
    1248 C:\WINDOWS\system32\spoolsv.exe
    1332 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    1344 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
    1376 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    1396 C:\Program Files\QuickTime\qttask.exe
    1424 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    1444 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    1484 C:\Program Files\Unlocker\UnlockerAssistant.exe
    1496 C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    1504 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    1520 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    1572 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    1732 C:\WINDOWS\system32\svchost.exe
    1780 C:\WINDOWS\system32\tcpsvcs.exe
    1832 C:\WINDOWS\system32\svchost.exe
    1864 C:\WINDOWS\system32\wdfmgr.exe
    136 C:\WINDOWS\system32\svchost.exe
    228 C:\WINDOWS\lsass.exe
    216 C:\Program Files\Common Files\Microsoft Shared\explorer.exe
    300 C:\Program Files\iPod\bin\iPodService.exe
    1036 C:\WINDOWS\system32\taskmgr.exe
    3904 C:\Documents and Settings\aaa\desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000004`a8537e00 (FAT32)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x0000000b`a4cffe00 (FAT32)
    \\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`007e0000 (FAT32)

    PhysicalDrive0 Model Number: WDCWD800BB-00JHA0, Rev: 05.01C05
    PhysicalDrive1 Model Number: ST320423A, Rev: 3.02

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    19 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!




    ComboFix 10-10-12.01 - binh 13/10/2010 13:49:22.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.895.653 [GMT 10:00]
    Running from: c:\documents and settings\aaa\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\aaa\LOCALS~1\Temp\taskmgr.exe
    c:\documents and settings\aaa\Application Data\Dk.sys
    c:\documents and settings\aaa\Application Data\Dk.Tmp
    c:\documents and settings\aaa\Application Data\f.exe
    c:\documents and settings\aaa\My Documents\DPE.DUS
    c:\documents and settings\All Users.WINDOWS\Desktop\改变你的一生.url
    c:\documents and settings\All Users.WINDOWS\Desktop\淘宝购物A.url
    c:\documents and settings\All Users.WINDOWS\Desktop\免费电影C.url
    c:\documents and settings\All Users.WINDOWS\Desktop\Intennet Exploner.lnk
    c:\program files\AskSearch\bin\DefaultSearch.dll
    c:\program files\ATI\ApsX85.dll
    c:\program files\ATI\ApsX85.inf
    c:\program files\ATI\ApsX85.sys
    c:\program files\Common Files\Microsoft Shared\explorer.exe
    c:\windows\lsass.exe
    c:\windows\system32\20101013084838.dll
    c:\windows\system32\AttackSet.dat
    c:\windows\system32\drivers\ApsX85.sys
    c:\windows\system32\DRIVERS\winyyy.sys
    c:\windows\system32\kav.exe
    c:\windows\system32\sysdrvd.cio
    c:\windows\system32\winldr.atd
    c:\windows\system32\winoer.dat
    c:\windows\winhost.exe
    F:\backup.exe
    F:\My Pictures.exe
    F:\xp.exe

    Infected copy of c:\windows\system32\imm32.dll was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\imm32.dll

    Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\qmgr.dll

    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_DOGKILLER
    -------\Legacy_MYPROT
    -------\Legacy_WINMSS
    -------\Service_MyProt
    -------\Service_WinMSS
    -------\Service_ApsX85


    ((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
    .

    2010-10-12 22:48 . 2010-10-12 22:48 11264 ----a-w- c:\windows\system32\msawmgj32.dll
    2010-10-12 22:45 . 2010-10-13 03:45 103936 --sh--r- c:\windows\tposdsvc.exe
    2010-10-11 23:52 . 2010-10-13 03:45 17920 ----a-w- c:\windows\system32\WinHelp64.exe
    2010-10-11 02:07 . 2010-10-11 02:09 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-11 01:09 . 2010-10-11 01:09 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2010-10-11 01:09 . 2010-10-11 01:09 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2010-10-11 00:51 . 2010-10-11 00:52 -------- d-----w- c:\program files\Unlocker
    2010-10-10 06:55 . 2010-10-10 06:55 2112 --sha-w- c:\windows\system32\drivers\kpscc.sys
    2010-10-10 06:45 . 2010-10-13 02:18 32768 ----a-w- c:\windows\system32\mrinet.exe
    2010-10-10 06:31 . 2010-10-13 03:56 -------- d-----w- c:\program files\ATI
    2010-10-08 05:18 . 2010-10-08 05:18 -------- d-----w- c:\documents and settings\aaa\Local Settings\Application Data\Help
    2010-10-03 12:30 . 2001-08-23 12:00 272896 -c--a-w- c:\windows\system32\dllcache\pinball.exe
    2010-10-03 12:01 . 2010-10-03 12:01 -------- d-----w- c:\windows\system32\Logfiles
    2010-10-03 10:36 . 2010-10-03 10:36 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-02 07:25 . 2010-10-02 07:25 1409 ----a-w- c:\windows\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ------- Sigcheck -------

    [-] 2010-10-10 . B2B0B4939D54FB08F0EDA790A8C3DB24 . 600064 . . [6.00.2800.1106] . . c:\windows\system32\wininet.dll
    [7] 2002-08-29 . F3587750A7481DCCBEA13D473A0700BE . 599040 . . [6.00.2800.1106] . . c:\windows\ServicePackFiles\i386\wininet.dll
    [-] 2001-08-23 . CF9F1EEF71F42EDE71B6F4AA05D5CA1A . 593920 . . [6.00.2600.0000] . . c:\windows\$NtServicePackUninstall$\wininet.dll



    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\xmlprov.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7C3CEF-4B15-11D1-ABED-FA4C0C0931ED}]
    2010-10-12 00:12 70920 ------w- c:\windows\system32\bhoexe.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client "= "c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
    "AdaptecDirectCD "= "c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-05-17 643072]
    "AVG7_CC "= "c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2010-08-08 590848]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-02-08 278528]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2010-08-08 155648]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-08 202256]
    "UnlockerAssistant "= "c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
    "ThinksPower "= "c:\windows\TPOSDSVC.exe" [2010-10-13 103936]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]
    "AVG7_Run "= "c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2010-08-08 219136]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    tposdsvc.exe [2010-10-13 103936]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360sd.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360sdrun.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\799d.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AgentSvr.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AntiU.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AoYun.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\appdllman.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AppSvc32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp2.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp3.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AST.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\atpup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\auto.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\av.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastU3.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconsol.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvU3Launcher.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSvcHst.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cross.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Discovery.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DSMain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FileDsty.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\filmst.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FTCleanerShell.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FYFireWall.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ghost.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guangd.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\irsetup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\isPwdSvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\jisu.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KaScrScn.SCR]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPF.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSetup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kernelwind32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KISLnchr.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMailMon.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMFilter.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRepair.com]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KsLoader.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KSWebShield.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVCenter.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvfwMcl.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP_1.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvol.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvolself.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvReport.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVScan.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVStub.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvupload.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP_1.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch9x.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchX.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWSMain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwstray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWSUpd.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\loaddll.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\logogo.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcconsol.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmqczj.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapw32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\niu.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NPFMntor.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pagefile.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pagefile.pif]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pfserver.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\qheart.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QHSET.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctorMain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctorRtp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQKav.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQPCMgr.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQPCRTP.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQPCSmashFile.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQPCTray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQSC.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\qsetup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravcopy.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RegClean.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsTray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safelive.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanFrm.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanU3.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SDGames.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SelfUpdate.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\servet.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\shcfg32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sos.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREng.EXE]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngPS.EXE]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\stormii.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sxgame.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\symlcsvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SysSafe.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tmp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TNT.Exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TxoMoU.Exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UFO.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAgent.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAttachment.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxCfg.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxFwHlp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxPol.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\upiea.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpLive.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\USBCleaner.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsstat.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wbapp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\webscanx.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Wsyscheck.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XDelBox.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XP.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zhudongfangyu.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zjb.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IridiumTimeWizard]
    2008-09-20 05:54 245760 ----a-w- f:\xp\misc\Iridium.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2002-08-29 10:41 1511453 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
    2006-07-19 22:50 1761280 ----a-w- c:\program files\Uniblue\Registry Booster\RegistryBooster.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "Share-to-Web Namespace Daemon "=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    R0 PrtSeqRd;PrtSeqRd;c:\windows\system32\drivers\PrtSeqRd.sys [15/05/2001 4:48 PM 12224]
    R1 cdudf;cdudf;c:\windows\system32\drivers\Cdudf.sys [17/05/2001 3:28 PM 229664]
    R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [23/08/2001 10:00 PM 12800]
    S2 MnetFream;Microsoft .NET Framework v4.2.58373_x86;c:\windows\system32\mrinet.exe [10/10/2010 4:45 PM 32768]
    S2 WinHelp64;Windows Help System;c:\windows\system32\WinHelp64.exe [12/10/2010 9:52 AM 17920]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-13 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-06-05 00:32]

    2010-10-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-1383384898-1957994488-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 17:02]

    2010-10-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-1383384898-1957994488-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 17:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    mStart Page = hxxp://www.9384.com/?100077
    IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-WMC_AutoUpdate - (no file)
    HKLM-Run-KAV - c:\windows\System32\kav.exe
    ShellExecuteHooks-{59DABD72-6A3F-47C0-90E6-23022B72D463} - c:\documents and settings\aaa\Application Data\Dk.sys
    SafeBoot-Lavasoft Ad-Aware Service


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(564)
    c:\windows\System32\ODBC32.dll

    - - - - - - - > 'lsass.exe'(620)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(7708)
    c:\windows\System32\msi.dll
    f:\temporary\KB970588.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
    c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
    c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\wdfmgr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    c:\docume~1\aaa\LOCALS~1\Temp\Breathe.dat
    c:\docume~1\aaa\LOCALS~1\Temp\TPONSCR.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-13 14:11:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-13 04:11

    Pre-Run: 8,942,225,408 bytes free
    Post-Run: 8,706,028,032 bytes free

    - - End Of File - - EB5F3B28557AB6FD3AB1E85C0A1AD242
     
    Last edited: 2010/10/13
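The long run of `image file execution options\<tool>.exe` keys with `"Debugger"=ntsd -d` in the log above is worth recognising on sight: an Image File Execution Options Debugger value tells Windows to start the named debugger instead of the program, so pointing every security tool's executable at `ntsd -d` is a cheap way for malware to stop them from ever launching. The `DisableRegistryTools = 1` policies in the same section lock the user out of regedit. The following Python script is an added example, not part of the thread or of ComboFix; it triages a ComboFix-style "Reg Loading Points" excerpt for exactly those two findings. The log text, image names and the `c:\tools\windbg.exe` path are constructed for the demonstration and are not taken from the log above.

```python
import re
from typing import NamedTuple

# Constructed excerpt in the REGEDIT4-style "Reg Loading Points" layout
# that ComboFix logs use; image names are placeholders, not from the thread.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avscanner.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\firewall.exe]
"Debugger "=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\myapp.exe]
"Debugger"="c:\\tools\\windbg.exe"
"""

IFEO_MARKER = "image file execution options\\"


class IfeoEntry(NamedTuple):
    key: str       # full registry key as printed in the log
    image: str     # executable the IFEO key applies to
    debugger: str  # Debugger value: what Windows launches instead of the image


KEY_RE = re.compile(r"^\s*\[(?P<key>[^\]]+)\]\s*$")
# Tolerant of the spacing artifacts pasted logs carry, e.g. "Debugger "=ntsd -d
DEBUGGER_RE = re.compile(r'^\s*"?\s*Debugger\s*"?\s*=\s*"?(?P<val>.*?)"?\s*$', re.IGNORECASE)
POLICY_RE = re.compile(r'^\s*"?\s*DisableRegistryTools\s*"?\s*=\s*(?P<val>\S+)', re.IGNORECASE)


def _reg_int(token):
    """Parse a value token as ComboFix prints it: '1', '0x1' or 'dword:00000001'."""
    token = token.lower()
    try:
        if token.startswith("dword:"):
            return int(token[len("dword:"):], 16)
        return int(token, 0)
    except ValueError:
        return None


def _image_from_key(key):
    """Return the image name an IFEO key targets, or None for non-IFEO keys."""
    low = key.lower()
    idx = low.find(IFEO_MARKER)
    if idx == -1:
        return None
    # First path component after the marker; ignore sub-keys such as \PerfOptions.
    return key[idx + len(IFEO_MARKER):].split("\\")[0]


def parse_reg_loading_points(log_text):
    """Walk the REGEDIT4-style dump and collect IFEO Debugger entries plus
    keys where DisableRegistryTools is set. Returns (ifeo_entries, locked_keys)."""
    ifeo, locked = [], []
    current_key = None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None:
            continue
        m = DEBUGGER_RE.match(line)
        if m:
            image = _image_from_key(current_key)
            if image:
                ifeo.append(IfeoEntry(current_key, image, m.group("val").strip()))
            continue
        m = POLICY_RE.match(line)
        if m and _reg_int(m.group("val")):
            locked.append(current_key)
    return ifeo, locked


def triage(log_text):
    """Separate the known tool-blocking pattern (Debugger=ntsd -d) from IFEO
    entries that need a human look, and report registry-editor lockouts."""
    ifeo, locked = parse_reg_loading_points(log_text)
    blocked = [e.image for e in ifeo if e.debugger.lower().startswith("ntsd")]
    review = [e for e in ifeo if not e.debugger.lower().startswith("ntsd")]
    return {
        "ifeo_total": len(ifeo),
        "ntsd_blocked": blocked,
        "review": review,
        "registry_tools_disabled": locked,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['ifeo_total']} IFEO Debugger entries found")
    for name in result["ntsd_blocked"]:
        print(f"  BLOCKED : {name}  (Debugger=ntsd -d, program will not start)")
    for e in result["review"]:
        print(f"  REVIEW  : {e.image} -> {e.debugger}")
    for key in result["registry_tools_disabled"]:
        print(f"  regedit disabled by policy under {key}")
```

Legitimate IFEO Debugger entries exist (developers attach real debuggers this way), so the script only auto-flags the `ntsd -d` pattern and leaves any other debugger path for review rather than deleting anything; the cleanup itself stays with the tool and script the moderator prescribes in the next post.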
  5. 2010/10/13
    broni

    broni Moderator Malware Analyst

    Please, accept recovery console installation on next Combofix run.

    ==================================================================

    Please, uninstall Uniblue Registry Booster.
    Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

    ================================================================

    AVG 7 is not updated anymore. Please, uninstall it.
    Don't install any other AV program yet.

    Regarding ZoneAlarm...is it firewall only?

    ==================================================================

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\msawmgj32.dll
    c:\windows\tposdsvc.exe
    c:\windows\system32\WinHelp64.exe
    c:\windows\system32\drivers\kpscc.sys
    c:\windows\system32\mrinet.exe
    c:\windows\system32\bhoexe.dll
    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\tposdsvc.exe
    
    
    FCopy::
    c:\windows\ServicePackFiles\i386\wininet.dll | c:\windows\system32\wininet.dll
    
    MIA::
    c:\windows\System32\wscntfy.exe
    c:\windows\System32\xmlprov.dll
    
    
    Driver::
    Iprip
    MnetFream
    WinHelp64
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7C3CEF-4B15-11D1-ABED-FA4C0C0931ED}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "DisableRegistryTools "=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
     "DisableRegistryTools "=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  6. 2010/10/13
    ocean

    ocean Inactive Thread Starter

    broni,
    Thanks. I have uninstalled AVG7 but couldn't find Uniblue Registry Booster in Add & Remove Programs. Tried to manually remove it from the C:\Program folder but IT IS NOT THERE IN C:\.

    Disabled all anti virus and anti malware programs & ran ComboFix with CFScript.txt. An error message "C:\boot.ini is not correctly formatted" re-appears. After the deep scan, all 4 ie sc disappear. Unfortunately, all 4 are there again after the re-boot by ComboFix while it generates the log.

    Here is the log

    ComboFix 10-10-12.03 - binh 14/10/2010 13:42:50.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.895.609 [GMT 10:00]
    Running from: c:\documents and settings\aaa\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\aaa\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    "c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\tposdsvc.exe "
    "c:\windows\system32\bhoexe.dll "
    "c:\windows\system32\drivers\kpscc.sys "
    "c:\windows\system32\mrinet.exe "
    "c:\windows\system32\msawmgj32.dll "
    "c:\windows\system32\WinHelp64.exe "
    "c:\windows\tposdsvc.exe "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users.WINDOWS\Desktop\¸Ã„±Ã¤Ã„ãµÃ„Ã’»Ã‰Ãº.url
    c:\documents and settings\All Users.WINDOWS\Desktop\ÌÔ±¦¹ºÃŽÃ¯A.url
    c:\documents and settings\All Users.WINDOWS\Desktop\Ãâ·Ã‘µÃ§Ã“°C.url
    c:\documents and settings\All Users.WINDOWS\Desktop\Intennet Exploner.lnk
    c:\program files\Common Files\Microsoft Shared\explorer.exe
    c:\windows\system32\bhoexe.dll
    c:\windows\system32\drivers\kpscc.sys
    c:\windows\system32\mrinet.exe
    c:\windows\system32\msawmgj32.dll
    c:\windows\system32\WinHelp64.exe
    F:\backup.exe
    F:\My Pictures.exe
    F:\xp.exe

    ----- File Replicators -----

    c:\program files\Common Files\Microsoft Shared\explorer.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP66\A0049611.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP66\A0049621.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP66\A0049643.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0049667.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0049682.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0049724.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0050724.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051724.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051739.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051753.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051850.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051866.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051911.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051926.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051940.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051979.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051992.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0052979.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0052989.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0053987.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0054059.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0054073.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055073.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055183.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055194.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055291.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055305.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055396.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055407.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056405.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056464.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056501.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056577.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056607.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056624.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056892.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056912.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0057022.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0057103.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP69\A0057127.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP69\A0057154.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP69\A0058154.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP69\A0058207.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP69\A0058232.exe
    c:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP70\A0058411.exe
    D:\My Documents.exe .. failed to delete
    E:\My Documents.exe .. failed to delete
    F:\0shortcuts.exe .. failed to delete
    F:\230204.exe .. failed to delete
    F:\ad hijack.exe .. failed to delete
    F:\afr.exe .. failed to delete
    F:\backup.exe
    F:\buy.exe .. failed to delete
    F:\doc.exe .. failed to delete
    F:\free121203.exe .. failed to delete
    F:\My Documents.exe .. failed to delete
    F:\My Pictures.exe
    F:\mydoc.exe .. failed to delete
    F:\NEWS.exe .. failed to delete
    F:\Parallel Parking.exe .. failed to delete
    F:\Qoobox.exe
    F:\Restoration.exe .. failed to delete
    F:\SiSoft Sandra MAX3.exe .. failed to delete
    F:\SpywareGuard.exe .. failed to delete
    F:\Starter.exe .. failed to delete
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055078.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055079.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055080.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055287.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055288.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056469.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056470.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056471.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056894.EXE
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056895.exe
    f:\system volume information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056896.EXE
    F:\temp.exe .. failed to delete
    F:\Temporary.exe .. failed to delete
    F:\video capture.exe .. failed to delete
    F:\xp.exe
    F:\yatama.exe .. failed to delete
    .
    Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\qmgr.dll

    c:\windows\System32\wscntfy.exe . . . is missing!!

    c:\windows\System32\xmlprov.dll . . . is missing!!

    .
    --------------- FCopy ---------------

    c:\windows\ServicePackFiles\i386\wininet.dll --> c:\windows\system32\wininet.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IPRIP
    -------\Legacy_MNETFREAM
    -------\Legacy_WINHELP64
    -------\Service_Iprip
    -------\Service_MnetFream
    -------\Service_WinHelp64


    ((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
    .

    2010-10-14 01:18 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2010-10-14 01:18 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2010-10-14 01:18 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2010-10-11 02:07 . 2010-10-11 02:09 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-11 01:09 . 2010-10-11 01:09 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2010-10-11 01:09 . 2010-10-11 01:09 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2010-10-11 00:51 . 2010-10-11 00:52 -------- d-----w- c:\program files\Unlocker
    2010-10-10 06:49 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2010-10-10 06:49 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd106.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2010-10-10 06:49 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2010-10-10 06:49 . 2010-10-14 03:57 -------- d-sh--w- C:\TSTP
    2010-10-10 06:49 . 2010-10-14 03:56 17920 --sh--w- c:\program files\Common Files\ips888.dll
    2010-10-10 06:31 . 2010-10-13 03:56 -------- d-----w- c:\program files\ATI
    2010-10-08 05:18 . 2010-10-08 05:18 -------- d-----w- c:\documents and settings\aaa\Local Settings\Application Data\Help
    2010-10-03 12:30 . 2001-08-23 12:00 272896 -c--a-w- c:\windows\system32\dllcache\pinball.exe
    2010-10-03 12:01 . 2010-10-03 12:01 -------- d-----w- c:\windows\system32\Logfiles
    2010-10-03 10:36 . 2010-10-03 10:36 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-02 07:25 . 2010-10-02 07:25 1409 ----a-w- c:\windows\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-13_04.01.01 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2010-08-06 11:49 . 2010-10-13 03:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2010-08-06 11:49 . 2010-10-14 03:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2010-08-06 11:49 . 2010-10-13 03:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-08-06 11:49 . 2010-10-14 03:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-08-06 11:49 . 2010-10-14 03:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2010-08-06 11:49 . 2010-10-13 03:59 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2010-08-08 13:23 . 2002-08-29 10:41 599040 c:\windows\system32\dllcache\wininet.dll
    + 2010-09-26 05:01 . 2010-10-13 06:36 266240 c:\windows\system32\config\systemprofile\ntuser.dat
    - 2010-09-26 05:01 . 2010-10-13 03:47 266240 c:\windows\system32\config\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client "= "c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
    "AdaptecDirectCD "= "c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-05-17 643072]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-02-08 278528]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2010-08-08 155648]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-08 202256]
    "UnlockerAssistant "= "c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
    "WMC_AutoUpdate "=" " [BU]
    "KAV "= "c:\windows\System32\kav.exe" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360sd.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360sdrun.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\799d.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AgentSvr.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AntiU.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AoYun.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\appdllman.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AppSvc32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp2.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp3.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AST.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\atpup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\auto.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\av.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastU3.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconsol.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvU3Launcher.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSvcHst.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cross.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Discovery.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DSMain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FileDsty.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\filmst.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FTCleanerShell.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FYFireWall.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ghost.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guangd.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\irsetup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\isPwdSvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\jisu.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KaScrScn.SCR]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPF.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVSetup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kernelwind32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KISLnchr.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMailMon.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KMFilter.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRepair.com]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KsLoader.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KSWebShield.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVCenter.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvfwMcl.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP_1.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvol.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvolself.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvReport.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVScan.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVStub.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvupload.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP_1.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatch9x.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWatchX.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWSMain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwstray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KWSUpd.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\loaddll.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\logogo.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcconsol.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmqczj.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapw32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\niu.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NPFMntor.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pagefile.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pagefile.pif]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pfserver.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\qheart.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QHSET.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctorMain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctorRtp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQKav.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQPCMgr.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQPCRTP.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQPCSmashFile.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQPCTray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQSC.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\qsetup.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravcopy.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RegClean.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAgent.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rsaupd.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsTray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safelive.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanFrm.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ScanU3.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SDGames.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SelfUpdate.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\servet.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\shcfg32.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sos.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREng.EXE]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngPS.EXE]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\stormii.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sxgame.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\symlcsvc.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SysSafe.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tmp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TNT.Exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TxoMoU.Exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UFO.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UIHost.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAgent.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxAttachment.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxCfg.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxFwHlp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxPol.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\upiea.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpLive.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\USBCleaner.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsstat.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wbapp.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\webscanx.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Wsyscheck.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XDelBox.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XP.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zhudongfangyu.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zjb.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IridiumTimeWizard]
    2008-09-20 05:54 245760 ----a-w- f:\xp\misc\Iridium.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2002-08-29 10:41 1511453 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
    2006-07-19 22:50 1761280 ----a-w- c:\program files\Uniblue\Registry Booster\RegistryBooster.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "Share-to-Web Namespace Daemon "=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    R0 PrtSeqRd;PrtSeqRd;c:\windows\system32\drivers\PrtSeqRd.sys [15/05/2001 4:48 PM 12224]
    R1 cdudf;cdudf;c:\windows\system32\drivers\Cdudf.sys [17/05/2001 3:28 PM 229664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-14 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-06-05 00:32]

    2010-10-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-1383384898-1957994488-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 17:02]

    2010-10-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-1383384898-1957994488-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 17:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    mStart Page = hxxp://www.9384.com/?100077
    IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(556)
    c:\windows\System32\ODBC32.dll

    - - - - - - - > 'lsass.exe'(612)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(7924)
    c:\windows\System32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\tcpsvcs.exe
    c:\progra~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    c:\windows\System32\wdfmgr.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-14 14:06:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-14 04:04
    ComboFix2.txt 2010-10-13 07:24

    Pre-Run: 8,640,795,136 bytes free
    Post-Run: 8,620,559,360 bytes free

    - - End Of File - - 1FF23D691F5C56C3B1E152F2283D80EE
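The long run of `image file execution options` keys in the log above is what made HijackThis and System Restore (rstrui.exe) "do nothing": a `Debugger` value under such a key makes Windows start that image under the named debugger on every launch, and the log also shows `DisableRegistryTools` set under both `policies\system` keys. As an added example (not from the thread, ComboFix or any of the tools named in it), the following Python script parses a ComboFix-style log for those two indicators; `SAMPLE_LOG` is a constructed excerpt in the posted log's layout, and `ifeo_triage.py` is an assumed file name.

```python
r"""Triage a ComboFix-style log for Image File Execution Options (IFEO) abuse.

Added example; not the thread's or ComboFix's code. A "Debugger" value under
HKLM\...\Image File Execution Options\<image> makes Windows start <image>
under that debugger on every launch, so "ntsd -d" on ~150 security-tool names
is why HijackThis and rstrui.exe seemed to do nothing. SAMPLE_LOG is a
constructed excerpt in the posted log's layout (stray quote spacing included).
"""
import re
from typing import Dict, List, Tuple

IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt"
               "\\currentversion\\image file execution options\\")
POLICY_KEYS = {
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\policies\\system",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\system",
}
LOCKOUT_VALUES = ("DisableRegistryTools", "DisableTaskMgr")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints values as "Name"=data; tolerate whitespace inside the quotes.
VALUE_RE = re.compile(r'^"\s*(?P<name>[^"]*?)\s*"\s*=\s*(?P<data>.*)$')

SAMPLE_LOG = r"""
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
    "GlobalFlag "=dword:00000002
"""

def parse_keys(log_text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: data}} per [key] block; a blank line ends a block."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group("key")
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if current is not None and value:
            keys[current][value.group("name")] = value.group("data").strip()
    return keys

def ifeo_debuggers(log_text: str) -> List[Tuple[str, str]]:
    """(image, debugger command) for every IFEO key with a non-empty Debugger
    value; other IFEO values such as GlobalFlag do not redirect launches and are ignored."""
    found = []
    for key, values in parse_keys(log_text).items():
        if key.lower().startswith(IFEO_PREFIX) and values.get("Debugger"):
            found.append((key[len(IFEO_PREFIX):], values["Debugger"]))
    return found

def registry_lockouts(log_text: str) -> Dict[str, str]:
    """Non-zero DisableRegistryTools/DisableTaskMgr under either policies key."""
    found = {}
    for key, values in parse_keys(log_text).items():
        if key.lower() not in POLICY_KEYS:
            continue
        for name in LOCKOUT_VALUES:
            data = values.get(name, "")
            first = data.split()[0] if data else "0"    # "1 (0x1)" -> "1"
            if first.isdigit() and int(first) != 0:
                found[f"{key}\\{name}"] = data
    return found

def triage(log_text: str) -> Dict[str, object]:
    """Summary a helper would act on: hijacked images, debugger commands, lockouts."""
    debuggers = ifeo_debuggers(log_text)
    return {
        "ifeo_debugger_count": len(debuggers),
        "images": sorted(image for image, _ in debuggers),
        "debugger_commands": sorted({cmd for _, cmd in debuggers}),
        "lockouts": registry_lockouts(log_text),
    }

if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG                          # or: python ifeo_triage.py ComboFix.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    print(triage(text))
```

Run against the full log above, it lists every hijacked image name, so the helper can see at a glance which tools will not start until those `Debugger` values are removed.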
     
  7. 2010/10/13
    broni Moderator Malware Analyst
  8. 2010/10/14
    ocean Inactive Thread Starter
    broni,
    I did a full system scan after downloading the latest virus definitions for Avast V5.0.677. There were 242 infected files. I then selected "show results" & applied "move to chest". All were successful except the three below:

    1st file name on list
    C:\Program files\common files\ips888.dll
    last 2 file names on list
    C:\Program files\common files\microsoft shared\explorer.exe|>[UPX]|>Embedded_R#IEFILE
    C:\windows\system32\drivers\kpscc.sys

    All have high severity; Threat: Win32:Malware-gen; result: Error: the system cannot find the file specified (2)

    Thanks.
     
    Last edited: 2010/10/14
  9. 2010/10/14
    broni Moderator Malware Analyst
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main text field:
      Code:
      :filefind
      DesktopLayer.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  10. 2010/10/14
    ocean Inactive Thread Starter
    broni,
    Sorry! Another problem. It seems that since Avast V5.0.667 was installed, the pc takes a long time to boot up, about 15 min. It also takes a long time to get any program to respond initially! Win ex or ie opens up but is then non-responsive for about 5 min. This is very weird! Is Avast trying to check every program? I also noticed that Avast is in an error state = unsecured, and when I hit the "fix now" button nothing happens. Is there a way to get the pc to boot up & ie to respond faster?

    I'll run SystemLook & post the log next. Thanks.

    Here is the log

    SystemLook 04.09.10 by jpshortstuff
    Log created at 12:21 on 15/10/2010 by binh
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "DesktopLayer.exe"
    No files found.

    -= EOF =-

    Thanks for your help.
     
    Last edited: 2010/10/14
  11. 2010/10/15
    broni Moderator Malware Analyst
    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  12. 2010/10/15
    ocean Inactive Thread Starter
    broni,

    This is the ESETScan log.

    C:\Documents and Settings\aaa\Application Data\f.exe probably a variant of Win32/AntiAV.NEV trojan
    C:\Documents and Settings\aaa\Local Settings\temp\8067480.dll Win32/AntiAV.NFH trojan
    C:\Documents and Settings\aaa\Start Menu\eBay.lnk Win32/Adware.ADON application
    C:\Documents and Settings\All Users.WINDOWS\Desktop\¸Ã„±Ã¤Ã„ãµÃ„Ã’»Ã‰Ãº.url Win32/StartPage.NSJ trojan
    C:\Documents and Settings\All Users.WINDOWS\Desktop\ÌÔ±¦¹ºÃŽÃ¯A.url Win32/StartPage.NUJ trojan
    C:\Program Files\Common Files\Microsoft Shared\explorer.exe a variant of Win32/AutoRun.Delf.HK worm
    C:\Program Files\PConPoint\PConPoint.exe a variant of Win32/Adware.ErrorClean application
    C:\Qoobox\Quarantine\[4]-Submit_2010-10-14_13.42.34.zip multiple threats
    C:\Qoobox\Quarantine\C\Documents and Settings\aaa\Application Data\Dk.sys.vir probably a variant of Win32/Genetik trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\aaa\Application Data\Dk.Tmp.vir probably a variant of Win32/Genetik trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Desktop\¸Ã„±Ã¤Ã„ãµÃ„Ã’»Ã‰Ãº.url.vir Win32/StartPage.NSJ trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Desktop\ÌÔ±¦¹ºÃŽÃ¯A.url.vir Win32/StartPage.NUJ trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\20101013084838.dll.vir a variant of Win32/PSW.OnLineGames.PEA trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\imm32.dll.vir Win32/Agent.RYG trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wininet.dll.vir Win32/Patched.GA trojan
    C:\Qoobox\Quarantine\F\av1.zip a variant of Win32/AutoRun.Delf.HK worm
    C:\Qoobox\Quarantine\F\av2.zip a variant of Win32/AutoRun.Delf.HK worm
    C:\WINDOWS\Fonts\pci.sys Win32/AntiAV.NFJ trojan
    C:\WINDOWS\system32\drivers\kpscc.sys Win32/Rootkit.Agent.NTQ trojan
    D:\My Documents.exe a variant of Win32/AutoRun.Delf.HK worm
    D:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058717.exe a variant of Win32/AutoRun.Delf.HK worm
    D:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058718.EXE probably a variant of Win32/Agent.NFZCMP trojan
    D:\XP SW\PC on Point\pconpoint.exe a variant of Win32/Adware.ErrorClean application
    D:\web hijack\Win32.Mydoom.I-Worm\noadware.exe Win32/NoAdware application
    E:\My Documents.exe a variant of Win32/AutoRun.Delf.HK worm
    E:\XP SW\PC on Point\pconpoint.exe a variant of Win32/Adware.ErrorClean application
    E:\System Volume Information\_restore{6AEBBE71-8241-48CA-900F-3B60DD95C0B4}\RP1206\A0874409.exe a variant of Win32/Adware.RegistryEasy application
    E:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058721.EXE probably a variant of Win32/Agent.NFZCMP trojan
    E:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058722.exe a variant of Win32/AutoRun.Delf.HK worm
    E:\web hijack\Win32.Mydoom.I-Worm\noadware.exe Win32/NoAdware application
    F:\backup.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\doc.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\{¾«²ÃŠÃŠÃ“Ƶ}.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\My Documents.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\Temporary.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\NEWS.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\230204.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\mydoc.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\xp.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\ad hijack.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\My Pictures.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\temp.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\Parallel Parking.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\Restoration.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\SpywareGuard.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\Qoobox.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\free121203.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\buy.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\Starter.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\afr.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\yatama.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\SiSoft Sandra MAX3.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\video capture.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\0shortcuts.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\NEWS\today's NYT\unlocker1.9.0.exe Win32/Adware.ADON application
    F:\xp\Glary Utilities2.13.0.278\gusetup.exe Win32/Induc virus
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP66\A0049629.DLL probably a variant of Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051766.DLL probably a variant of Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051771.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051870.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051875.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051945.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051951.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051994.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051995.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051997.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0051998.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0053992.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0053993.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0053995.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0053996.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055089.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055092.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055093.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP67\A0055095.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055201.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055202.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055205.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055206.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055317.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055318.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055320.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0055321.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056453.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056454.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056455.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056457.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP68\A0056458.DLL Win32/PSW.WOW.NSN trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058723.DLL Win32/PSW.OnLineGames.PEK trojan
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058724.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058725.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058726.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058727.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058728.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058729.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058730.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058731.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058732.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058733.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058734.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058735.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058736.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058737.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058738.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058739.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058740.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058741.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058742.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058743.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058744.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058745.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058746.exe a variant of Win32/AutoRun.Delf.HK worm
    F:\System Volume Information\_restore{32F2E97D-A842-4A4D-8181-C5DC84287FC2}\RP71\A0058747.exe a variant of Win32/AutoRun.Delf.HK worm
    Operating memory a variant of Win32/AutoRun.Delf.HK worm


    Thank you.
     
  13. 2010/10/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What is F drive?

    Uninstall Uniblue Registry Booster
    Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

    ===============================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\program files\Common Files\ips888.dll
    D:\My Documents.exe
    E:\My Documents.exe
    F:\0shortcuts.exe
    F:\230204.exe
    F:\ad hijack.exe
    F:\afr.exe
    F:\buy.exe
    F:\doc.exe
    F:\free121203.exe
    F:\My Documents.exe
    F:\mydoc.exe
    F:\NEWS.exe
    F:\Parallel Parking.exe
    F:\Restoration.exe
    F:\SiSoft Sandra MAX3.exe
    F:\SpywareGuard.exe
    F:\temp.exe
    F:\Temporary.exe
    F:\video capture.exe
    F:\yatama.exe
    F:\Starter.exe
    c:\windows\System32\kav.exe
    C:\Documents and Settings\aaa\Application Data\f.exe 
    C:\Documents and Settings\aaa\Local Settings\temp\8067480.dll 
    C:\Documents and Settings\aaa\Start Menu\eBay.lnk 
    C:\Documents and Settings\All Users.WINDOWS\Desktop\¸Ã„±Ã¤Ã„ãµÃ„Ã’»Ã‰Ãº.url 
    C:\Documents and Settings\All Users.WINDOWS\Desktop\ÌÔ±¦¹ºÃŽÃ¯A.url 
    C:\Program Files\Common Files\Microsoft Shared\explorer.exe 
    C:\Program Files\PConPoint\PConPoint.exe
    C:\WINDOWS\system32\drivers\kpscc.sys 
    D:\My Documents.exe
    D:\XP SW\PC on Point\pconpoint.exe 
    D:\web hijack\Win32.Mydoom.I-Worm\noadware.exe 
    E:\My Documents.exe 
    E:\XP SW\PC on Point\pconpoint.exe
    E:\web hijack\Win32.Mydoom.I-Worm\noadware.exe 
    F:\backup.exe 
    F:\doc.exe 
    F:\{¾«²ÃŠÃŠÃ“Ƶ}.exe 
    F:\My Documents.exe 
    F:\Temporary.exe 
    F:\NEWS.exe 
    F:\230204.exe 
    F:\mydoc.exe 
    F:\xp.exe 
    F:\ad hijack.exe 
    F:\My Pictures.exe 
    F:\temp.exe 
    F:\Parallel Parking.exe 
    F:\Restoration.exe 
    F:\SpywareGuard.exe 
    F:\Qoobox.exe 
    F:\free121203.exe 
    F:\buy.exe 
    F:\Starter.exe 
    F:\afr.exe 
    F:\yatama.exe 
    F:\SiSoft Sandra MAX3.exe 
    F:\video capture.exe 
    F:\0shortcuts.exe 
    F:\NEWS\today's NYT\unlocker1.9.0.exe
    F:\xp\Glary Utilities2.13.0.278\gusetup.exe
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMC_AutoUpdate"=-
    "KAV"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  14. 2010/10/15
    ocean

    ocean Inactive Thread Starter

    Joined:
    2010/10/12
    Messages:
    31
    Likes Received:
    0
    broni,
    F: is a logical hard drive which was open at the time the pc was infected. This is the problematic drive I mentioned back on 13 Oct: "I also noticed something strange in win ex; there are 2 sections: Folders & Name. A list of folders appears in the Folders section, but in the Name section there is the same list of folders but in "shadow or lighter colours", plus a strange-named folder "{¾«²ÃŠÃŠÃ“Ƶ}", plus another list of the same folders, all size 74KB, application type. Hope this is helpful."

    Sorry, I tried, but it is the same as my reply yesterday: "couldn't find Uniblue Registry Booster in Add & Remove Programs. Tried to manually remove it from the C:\Program folder but IT IS NOT THERE IN C:\." Do you know any other way to uninstall it? Please let me know, thanks.

    I will run ComboFix + CFScript & post log next.
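    The ESET report posted above and ocean's description of F: (a second set of "folders" that are really 74KB applications, plus F:\NEWS.exe and F:\xp.exe sitting beside the real F:\NEWS and F:\xp folders) show the folder-impersonation layout typical of autorun worms. The Python script below is an added example written for this thread; it is not code from ESET, ComboFix or any other tool used here. It parses ESET Online Scanner report lines of the form `<path> <verdict>`, counts detections per family, lists the drives involved, and flags executables whose name duplicates a directory in the same parent folder. The embedded report is a constructed subset of the log above; the verdict grammar it accepts is the one visible in this thread, not ESET's full format, and directories the report itself never mentions must be supplied through the `known_dirs` parameter (in a live triage you would pass a directory listing of the drive).

```python
"""Triage an ESET Online Scanner text report (added example; not from this thread's tools)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed subset of the report posted in this thread (each line: <path> <verdict>).
SAMPLE_REPORT = r"""
C:\Documents and Settings\aaa\Application Data\f.exe probably a variant of Win32/AntiAV.NEV trojan
C:\Program Files\Common Files\Microsoft Shared\explorer.exe a variant of Win32/AutoRun.Delf.HK worm
C:\WINDOWS\system32\drivers\kpscc.sys Win32/Rootkit.Agent.NTQ trojan
C:\Qoobox\Quarantine\[4]-Submit_2010-10-14_13.42.34.zip multiple threats
D:\My Documents.exe a variant of Win32/AutoRun.Delf.HK worm
F:\My Documents.exe a variant of Win32/AutoRun.Delf.HK worm
F:\NEWS.exe a variant of Win32/AutoRun.Delf.HK worm
F:\xp.exe a variant of Win32/AutoRun.Delf.HK worm
F:\NEWS\today's NYT\unlocker1.9.0.exe Win32/Adware.ADON application
F:\xp\Glary Utilities2.13.0.278\gusetup.exe Win32/Induc virus
Operating memory a variant of Win32/AutoRun.Delf.HK worm
"""

# Verdict grammar as it appears in the posted log: an optional confidence prefix,
# a Win32/<family> token and a category word, or the literal "multiple threats".
# The path is matched lazily, so the shortest path that leaves a valid verdict wins.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>(?:probably )?(?:a variant of )?Win32/\S+ \S+|multiple threats)$"
)


def parse_report(text):
    """Return a list of (path, verdict) tuples, skipping blank or unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("verdict")))
    return entries


def family_of(verdict):
    """Reduce a verdict to its family token, e.g. 'Win32/AutoRun.Delf.HK'."""
    m = re.search(r"Win32/[\w.]+", verdict)
    return m.group(0) if m else verdict


def count_families(entries):
    """Count detections per family so the dominant infection stands out."""
    return Counter(family_of(verdict) for _, verdict in entries)


def drives_affected(entries):
    """Sorted drive letters carrying at least one detection ('Operating memory' has none)."""
    return sorted({PureWindowsPath(p).drive.upper() for p, _ in entries if PureWindowsPath(p).drive})


def find_folder_impostors(paths, known_dirs=()):
    """Return .exe paths whose name duplicates a directory in the same parent folder.

    Autorun worms of the kind in this thread drop 'My Documents.exe' next to the real
    'My Documents' folder so the two look alike when extensions are hidden. Directories
    come from known_dirs plus every parent path seen in `paths`; comparison is
    case-insensitive, as on FAT/NTFS. Input order is preserved in the result.
    """
    dirs = {d.lower() for d in known_dirs}
    for p in paths:
        dirs.update(str(parent).lower() for parent in PureWindowsPath(p).parents)
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".exe" and str(wp.with_suffix("")).lower() in dirs:
            hits.append(p)
    return hits


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for fam, n in count_families(found).most_common():
        print(f"{n:3d}  {fam}")
    print("drives:", ", ".join(drives_affected(found)))
    # 'F:\My Documents' is not a parent of any reported path, so it has to be supplied.
    print("folder impostors:",
          find_folder_impostors([p for p, _ in found], known_dirs=[r"F:\My Documents"]))
```

    Run as a script it prints the family counts, the drives touched and the impostor list for the embedded sample; to triage a real report, read the exported text file into `parse_report` and pass the drive's top-level directory names as `known_dirs`. Paths whose stem is the same as a real folder but whose family is an AutoRun variant are the ones a defender wants to clean together with the drive's autorun.inf, since a single survivor re-seeds the rest on the next mount.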
     
  15. 2010/10/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)
     
  16. 2010/10/15
    ocean

    ocean Inactive Thread Starter

    Joined:
    2010/10/12
    Messages:
    31
    Likes Received:
    0
    broni,
    The 4x ie sc disappeared for good. F:\ is back to normal without those 74k applications, & the funny-named folder was moved to the chest by Avast. Uninstalled Uniblue Registry Booster successfully via the C:\program folder. It looks like the trojan is gone. Many thanks.

    Here is the ComboFix log :

    ComboFix 10-10-15.01 - binh 16/10/2010 10:30:06.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.895.561 [GMT 10:00]
    Running from: c:\documents and settings\aaa\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\aaa\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    "c:\documents and settings\aaa\Application Data\f.exe"
    "c:\documents and settings\aaa\Local Settings\temp\8067480.dll"
    "c:\documents and settings\aaa\Start Menu\eBay.lnk"
    "c:\documents and settings\All Users.WINDOWS\Desktop\¸Ã„±Ã¤Ã„ãµÃ„Ã’»Ã‰Ãº.url"
    "c:\documents and settings\All Users.WINDOWS\Desktop\ÌÔ±¦¹ºÃŽÃ¯A.url"
    "c:\program files\Common Files\ips888.dll"
    "c:\program files\Common Files\Microsoft Shared\explorer.exe"
    "c:\program files\PConPoint\PConPoint.exe"
    "c:\windows\system32\drivers\kpscc.sys"
    "c:\windows\System32\kav.exe"
    "D:\My Documents.exe"
    "d:\web hijack\Win32.Mydoom.I-Worm\noadware.exe"
    "d:\xp sw\PC on Point\pconpoint.exe"
    "E:\My Documents.exe"
    "e:\web hijack\Win32.Mydoom.I-Worm\noadware.exe"
    "e:\xp sw\PC on Point\pconpoint.exe"
    "F:\{¾«²ÃŠÃŠÃ“Ƶ}.exe"
    "F:\0shortcuts.exe"
    "F:\230204.exe"
    "F:\ad hijack.exe"
    "F:\afr.exe"
    "F:\backup.exe"
    "F:\buy.exe"
    "F:\doc.exe"
    "F:\free121203.exe"
    "F:\My Documents.exe"
    "F:\My Pictures.exe"
    "F:\mydoc.exe"
    "F:\NEWS.exe"
    "f:\news\today's NYT\unlocker1.9.0.exe"
    "F:\Parallel Parking.exe"
    "F:\Qoobox.exe"
    "F:\Restoration.exe"
    "F:\SiSoft Sandra MAX3.exe"
    "F:\SpywareGuard.exe"
    "F:\Starter.exe"
    "F:\temp.exe"
    "F:\Temporary.exe"
    "F:\video capture.exe"
    "F:\xp.exe"
    "f:\xp\Glary Utilities2.13.0.278\gusetup.exe"
    "F:\yatama.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\aaa\Application Data\f.exe
    c:\documents and settings\aaa\Local Settings\temp\8067480.dll
    c:\documents and settings\aaa\Start Menu\eBay.lnk
    c:\documents and settings\All Users.WINDOWS\Desktop\¸Ã„±Ã¤Ã„ãµÃ„Ã’»Ã‰Ãº.url
    c:\documents and settings\All Users.WINDOWS\Desktop\ÌÔ±¦¹ºÃŽÃ¯A.url
    c:\documents and settings\All Users.WINDOWS\Desktop\Ãâ·Ã‘µÃ§Ã“°C.url
    c:\documents and settings\All Users.WINDOWS\Desktop\Intennet Exploner.lnk
    c:\program files\Common Files\Microsoft Shared\explorer.exe
    c:\program files\PConPoint\PConPoint.exe
    c:\windows\Fonts\pci.sys
    c:\windows\system32\drivers\kpscc.sys
    D:\My Documents.exe
    d:\web hijack\Win32.Mydoom.I-Worm\noadware.exe
    d:\xp sw\PC on Point\pconpoint.exe
    E:\My Documents.exe
    e:\web hijack\Win32.Mydoom.I-Worm\noadware.exe
    e:\xp sw\PC on Point\pconpoint.exe
    F:\0shortcuts.exe
    F:\230204.exe
    F:\ad hijack.exe
    F:\afr.exe
    F:\backup.exe
    F:\buy.exe
    F:\doc.exe
    F:\free121203.exe
    F:\My Documents.exe
    F:\My Pictures.exe
    F:\mydoc.exe
    F:\NEWS.exe
    f:\news\today's NYT\unlocker1.9.0.exe
    F:\Parallel Parking.exe
    F:\Qoobox.exe
    F:\Restoration.exe
    F:\SiSoft Sandra MAX3.exe
    F:\SpywareGuard.exe
    F:\Starter.exe
    F:\temp.exe
    F:\Temporary.exe
    F:\video capture.exe
    F:\xp.exe
    f:\xp\Glary Utilities2.13.0.278\gusetup.exe
    F:\yatama.exe

    Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\qmgr.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_acde


    ((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))
    .

    2010-10-15 23:25 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-10-15 23:25 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-10-15 23:25 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-10-15 23:25 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-10-15 23:25 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-10-15 23:25 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-10-15 23:24 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-10-15 23:24 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-10-15 06:49 . 2010-10-15 06:49 -------- d-----w- c:\program files\ESET
    2010-10-14 07:57 . 2010-10-15 23:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    2010-10-14 07:57 . 2010-10-14 07:57 -------- d-----w- c:\program files\Alwil Software
    2010-10-14 01:18 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2010-10-14 01:18 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2010-10-14 01:18 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2010-10-11 02:07 . 2010-10-11 02:09 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-11 01:09 . 2010-10-11 01:09 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2010-10-11 01:09 . 2010-10-11 01:09 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2010-10-11 00:51 . 2010-10-11 00:52 -------- d-----w- c:\program files\Unlocker
    2010-10-10 06:49 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2010-10-10 06:49 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd106.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2010-10-10 06:49 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2010-10-10 06:49 . 2010-10-16 00:41 -------- d-----w- C:\TSTP
    2010-10-10 06:31 . 2010-10-13 03:56 -------- d-----w- c:\program files\ATI
    2010-10-08 05:18 . 2010-10-08 05:18 -------- d-----w- c:\documents and settings\aaa\Local Settings\Application Data\Help
    2010-10-03 12:30 . 2001-08-23 12:00 272896 -c--a-w- c:\windows\system32\dllcache\pinball.exe
    2010-10-03 12:01 . 2010-10-03 12:01 -------- d-----w- c:\windows\system32\Logfiles
    2010-10-03 10:36 . 2010-10-03 10:36 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-02 07:25 . 2010-10-02 07:25 1409 ----a-w- c:\windows\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
    "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-05-17 643072]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-08 278528]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-08 155648]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-08 202256]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastU3.exe]
    "Debugger"=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IridiumTimeWizard]
    2008-09-20 05:54 245760 ----a-w- f:\xp\misc\Iridium.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2002-08-29 10:41 1511453 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
    2006-07-19 22:50 1761280 ----a-w- c:\program files\Uniblue\Registry Booster\RegistryBooster.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    R0 PrtSeqRd;PrtSeqRd;c:\windows\system32\drivers\PrtSeqRd.sys [15/05/2001 4:48 PM 12224]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [16/10/2010 9:25 AM 165584]
    R1 cdudf;cdudf;c:\windows\system32\drivers\Cdudf.sys [17/05/2001 3:28 PM 229664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-16 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-06-05 00:32]

    2010-10-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-1383384898-1957994488-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 17:02]

    2010-10-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-1383384898-1957994488-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 17:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    mStart Page = hxxp://www.9384.com/?100077
    IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{CE7C3CEF-4B15-11D1-ABED-FA4C0C0931ED} - (no file)


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(560)
    c:\windows\System32\ODBC32.dll

    - - - - - - - > 'lsass.exe'(616)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(6848)
    c:\windows\System32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\wdfmgr.exe
    c:\progra~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Alwil Software\Avast5\setup\avast.setup
    .
    **************************************************************************
    .
    Completion time: 2010-10-16 10:52:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-16 00:50
    ComboFix2.txt 2010-10-14 04:06
    ComboFix3.txt 2010-10-13 07:24

    Pre-Run: 8,193,488,896 bytes free
    Post-Run: 8,121,259,008 bytes free

    - - End Of File - - 78CADEFCA0C4F44AE867393B31D55717

    Please let me know any other action required.
     
  17. 2010/10/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm glad to see things looking better, but we're far from being done.
    Your computer was very seriously infected and we have to run more checks.

    Download Malwarebytes' Anti-Malware (aka MBAM): http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
     
  18. 2010/10/15
    ocean

    ocean Inactive Thread Starter

    Joined:
    2010/10/12
    Messages:
    31
    Likes Received:
    0
    broni,
    Here is the MBAM log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4843

    Windows 5.1.2600 Service Pack 1
    Internet Explorer 6.0.2800.1106

    16/10/2010 12:32:15 PM
    mbam-log-2010-10-16 (12-32-15).txt

    Scan type: Quick scan
    Objects scanned: 179153
    Time elapsed: 14 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{67631ec8-241f-475e-adce-a1a777d744fe} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastu3.exe (Security.Hijack) -> Delete on reboot.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\(default) (Hijack.HomePage) -> Bad: ( "c:\program files\internet explorer\iexplore.exe" http://www.9384.com/?100077) Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijacked.Startpage) -> Bad: (http://www.9384.com/?100077) Good: (http://www.Google.com) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\TSPS.lnk (Malware.Trace) -> Quarantined and deleted successfully.
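The MBAM log above reports two kinds of registry findings: keys that were removed outright (or left for deletion on reboot) and data items that were reverted from a hijacked value to a known-good one. The following is an added Python example, not code from the thread or from Malwarebytes, that parses lines in that log format so a responder can list what still has to be confirmed after the restart; it assumes the MBAM 1.x line layout shown in the post, and its sample log is constructed from the detection lines quoted there.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into findings a responder can
re-check: hijacked registry settings (bad vs. good) and deletions pending reboot."""
import re
from dataclasses import dataclass
from typing import Optional

# One detection line: "<path> (<family>) -> [Bad: (<x>) Good: (<y>) -> ]<action>."
LINE_RE = re.compile(
    r"^(?P<path>\S.*?) \((?P<family>[\w.]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?\s*$"
)

@dataclass
class Finding:
    path: str
    family: str
    action: str
    bad: Optional[str] = None   # hijacked value, when MBAM reports one
    good: Optional[str] = None  # value MBAM restored in its place

def parse_mbam_log(text: str) -> list:
    """Return every detection line as a Finding; section headers and
    '(No malicious items detected)' lines do not match and are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["family"], m["action"], m["bad"], m["good"]))
    return findings

def pending_reboot(findings: list) -> list:
    """Paths MBAM could not remove immediately; confirm they are gone after the restart."""
    return [f.path for f in findings if f.action.lower().startswith("delete on reboot")]

def hijacked_settings(findings: list) -> dict:
    """Map each hijacked registry value to its (bad, good) pair so the repair can be verified."""
    return {f.path: (f.bad, f.good) for f in findings if f.bad is not None}

# Constructed sample: the detection lines quoted in the post above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastu3.exe (Security.Hijack) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijacked.Startpage) -> Bad: (http://www.9384.com/?100077) Good: (http://www.Google.com) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
```

Running `hijacked_settings(parse_mbam_log(SAMPLE_LOG))` gives the values to re-read from the registry after the reboot, and `pending_reboot` names the key that MBAM could only schedule for deletion.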
     
  19. 2010/10/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    Now, delete your Combofix file, download a fresh one and post the new log.
     
  20. 2010/10/16
    ocean

    ocean Inactive Thread Starter

    Joined:
    2010/10/12
    Messages:
    31
    Likes Received:
    0
    broni,
    Here is the log from the new ComboFix:

    ComboFix 10-10-15.03 - binh 16/10/2010 14:32:15.6.1 - x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.895.587 [GMT 10:00]
    Running from: c:\documents and settings\aaa\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\qmgr.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))
    .

    2010-10-16 02:12 . 2010-10-16 02:12 -------- d-----w- c:\documents and settings\aaa\Application Data\Malwarebytes
    2010-10-16 02:12 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-16 02:11 . 2010-10-16 02:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-16 02:11 . 2010-10-16 02:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-10-16 02:11 . 2010-04-29 05:39 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 23:25 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-10-15 23:25 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-10-15 23:25 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-10-15 23:25 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-10-15 23:25 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-10-15 23:25 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-10-15 23:24 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-10-15 23:24 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-10-15 06:49 . 2010-10-15 06:49 -------- d-----w- c:\program files\ESET
    2010-10-14 07:57 . 2010-10-15 23:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    2010-10-14 07:57 . 2010-10-14 07:57 -------- d-----w- c:\program files\Alwil Software
    2010-10-14 01:18 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2010-10-14 01:18 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2010-10-14 01:18 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2010-10-14 01:18 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2010-10-11 02:07 . 2010-10-11 02:09 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-11 01:09 . 2010-10-11 01:09 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2010-10-11 01:09 . 2010-10-11 01:09 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2010-10-11 00:51 . 2010-10-11 00:52 -------- d-----w- c:\program files\Unlocker
    2010-10-10 06:49 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2010-10-10 06:49 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd106.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2010-10-10 06:49 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2010-10-10 06:49 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2010-10-10 06:49 . 2010-10-16 00:41 -------- d-----w- C:\TSTP
    2010-10-10 06:31 . 2010-10-13 03:56 -------- d-----w- c:\program files\ATI
    2010-10-08 05:18 . 2010-10-08 05:18 -------- d-----w- c:\documents and settings\aaa\Local Settings\Application Data\Help
    2010-10-03 12:30 . 2001-08-23 12:00 272896 -c--a-w- c:\windows\system32\dllcache\pinball.exe
    2010-10-03 12:01 . 2010-10-03 12:01 -------- d-----w- c:\windows\system32\Logfiles
    2010-10-03 10:36 . 2010-10-03 10:36 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-02 07:25 . 2010-10-02 07:25 1409 ----a-w- c:\windows\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client "= "c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
    "AdaptecDirectCD "= "c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-05-17 643072]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-02-08 278528]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2010-08-08 155648]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-08 202256]
    "UnlockerAssistant "= "c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
    "avast5 "= "c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
    "WMC_AutoUpdate "=" " [BU]
    "KAV "= "c:\windows\System32\kav.exe" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IridiumTimeWizard]
    2008-09-20 05:54 245760 ----a-w- f:\xp\misc\Iridium.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2002-08-29 10:41 1511453 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "Share-to-Web Namespace Daemon "=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    R0 PrtSeqRd;PrtSeqRd;c:\windows\system32\drivers\PrtSeqRd.sys [15/05/2001 4:48 PM 12224]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [16/10/2010 9:25 AM 165584]
    R1 cdudf;cdudf;c:\windows\system32\drivers\Cdudf.sys [17/05/2001 3:28 PM 229664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-16 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-06-05 00:32]

    2010-10-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-1383384898-1957994488-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 17:02]

    2010-10-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-1383384898-1957994488-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 17:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    mStart Page = hxxp://www.Google.com
    IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{CE7C3CEF-4B15-11D1-ABED-FA4C0C0931ED} - (no file)
    MSConfigStartUp-Uniblue Registry Booster - c:\program files\Uniblue\Registry Booster\RegistryBooster.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(560)
    c:\windows\System32\ODBC32.dll

    - - - - - - - > 'lsass.exe'(616)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(3652)
    c:\windows\System32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\wdfmgr.exe
    c:\progra~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-16 14:59:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-16 04:59
    ComboFix2.txt 2010-10-14 04:06
    ComboFix3.txt 2010-10-13 07:24

    Pre-Run: 8,061,519,872 bytes free
    Post-Run: 8,044,752,896 bytes free

    winxpsp1_en_pro_bf.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /noexecute=optin

    - - End Of File - - 91F67FC06A0C806D3484CA5E51B48CF0
     
  21. 2010/10/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\System32\kav.exe
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMC_AutoUpdate"=-
    "KAV"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
