
Solved Windows Task Manager has been disabled

Discussion in 'Malware and Virus Removal Archive' started by myfama, 2009/01/29.

  1. 2009/01/29
    myfama Inactive Thread Starter

    [Resolved] Windows Task Manager has been disabled

    Task Manager has been disabled on my machine. I've run the dds as instructed and the log files are as follows:


    DDS (Ver_09-01-19.01) - NTFSx86
    Run by Fairuz Azmi at 10:09:19,70 on 30/01/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1273 [GMT 8:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    FW: COMODO Firewall Pro *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Oracle\Ora92\bin\omtsreco.exe
    C:\Oracle\Ora92\bin\agntsrvc.exe
    C:\Oracle\Ora92\BIN\TNSLSNR.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Oracle\Ora92\bin\dbsnmp.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\Msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\IngresII\ingres\vdba\ivm.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Documents and Settings\Fairuz Azmi\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://imis-203/amps/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: NoExplorer - No File
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
    uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe "
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe "
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe "
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe "
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [KADxMain] c:\windows\system32\KADxMain.exe
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
    mRun: [pdfFactory Pro Dispatcher v2] "c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe" /source=HKLM
    mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
    mRun: [SYS1] c:\windows\system32\system.exe
    mRun: [SYS2] c:\windows\system32\bad1.exe
    mRun: [SYS3] c:\windows\system32\bad2.exe
    mRun: [SYS4] c:\windows\system32\bad3.exe
    mRun: [Msmsgs] c:\windows\system32\Msmsgs.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    StartupFolder: c:\docume~1\fairuz~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ingres~1.lnk - c:\windows\system32\ingwrap.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    uPolicies-explorer: NoFind = 1 (0x1)
    uPolicies-explorer: NoFolderOptions = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: imis-203
    Trusted Zone: localhost
    Trusted Zone: mbfcards.com\www
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCDF} - hxxp://download.excelforce.com.my/aib/cab/csoex_aib.cab
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194242816093
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://jumboplay.bluehyppo.com/class/DragonbackCtl.ocx
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} - hxxp://download.excelforce.com.my/aib/cab/cswx.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    AppInit_DLLs: avgrsstx.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\fairuz~1\applic~1\mozilla\firefox\profiles\p14w3m3f.default\
    FF - prefs.js: browser.search.selectedEngine - Google

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-29 96520]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-29 26824]
    R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 231192]
    R4 Ingres_Database_II;Ingres Intelligent Database [II];c:\ingresii\ingres\bin\servproc.exe [2003-5-14 24576]
    R4 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2002-9-20 53248]
    R4 OracleOraHome92Agent;OracleOraHome92Agent;c:\oracle\ora92\bin\agntsrvc.exe [2002-4-26 28944]
    R4 OracleServiceFAMPS;OracleServiceFAMPS;c:\oracle\ora92\bin\oracle.exe famps --> c:\oracle\ora92\bin\ORACLE.EXE FAMPS [?]
    S3 ADEListener;ADEListener;c:\windows\system32\ADEListener.exe [2006-4-5 28672]
    S3 adiusbae;ADSL USB MODEM LAN ADAPTER;c:\windows\system32\drivers\adiusbae.sys --> c:\windows\system32\drivers\adiusbae.sys [?]
    S3 AMPS Email Processor;AMPS Email Processor;c:\windows\system32\EmailProcessor.exe [2007-3-6 45056]
    S3 FSDFileWatcher;FSDFileWatcher;c:\windows\system32\FSDFileWatcher.exe [2005-11-7 49152]
    S3 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;c:\oracle\ora92\apache\apache\Apache.exe [2002-4-18 4096]
    S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;c:\oracle\ora92\bin\encsvc.exe [2002-2-13 187392]
    S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;c:\oracle\ora92\bin\agntsvc.exe [2002-2-13 254464]
    S3 SCAMS_FileWatcher;SCAMS_FileWatcher;c:\windows\system32\SCAMS_FileWatcher.exe [2007-11-5 69632]

    ============== File Associations ===============

    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "

    =============== Created Last 30 ================

    2009-01-29 08:50 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-01-29 08:50 96,520 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-01-29 08:50 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-01-29 08:50 <DIR> --d----- c:\program files\AVG
    2009-01-29 08:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
    2009-01-15 14:55 0 a------- c:\windows\system32\bad2.exe
    2009-01-15 14:55 0 a------- c:\windows\system32\bad1.exe
    2009-01-15 14:55 0 a------- c:\windows\system32\bad3.exe
    2009-01-15 14:54 215,456 a--shr-- c:\windows\system32\msmsgs.exe
    2009-01-15 14:54 131 a--shr-- c:\windows\autorun.inf
    2009-01-08 14:12 <DIR> --d----- c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP

    ==================== Find3M ====================

    2009-01-05 02:58 190,157 a------- c:\windows\system32\nvModes.dat
    2008-12-31 00:13 410,984 a------- c:\windows\system32\deploytk.dll
    2008-11-22 05:47 524,288 a------- c:\windows\system32\DivXsm.exe
    2008-11-22 05:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
    2008-11-22 05:46 1,044,480 a------- c:\windows\system32\libdivx.dll
    2008-11-22 05:46 200,704 a------- c:\windows\system32\ssldivx.dll
    2008-11-22 05:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
    2008-11-22 05:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
    2007-12-04 10:46 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
    2007-09-18 13:08 215,456 a--shr-- c:\windows\system32\msmsgs.exe
    2008-08-11 09:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081120080812\index.dat

    ============= FINISH: 10:09:46,40 ===============
     
  2. 2009/01/29
    myfama Inactive Thread Starter

    wrong post..ATTACH log
     
    Last edited: 2009/01/29


  4. 2009/01/31
    noahdfear Inactive

    Hi myfama,

    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     
  5. 2009/02/01
    myfama Inactive Thread Starter

    ComboFix 09-02-01.01 - Fairuz Azmi 2009-02-02 9:50:11.8 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1212 [GMT 8:00]
    Running from: c:\documents and settings\Fairuz Azmi\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    FW: COMODO Firewall Pro *enabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\autorun.inf
    c:\windows\system32\bad1.exe
    c:\windows\system32\bad2.exe
    c:\windows\system32\bad3.exe
    c:\windows\system32\msmsgs.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
    .

    2009-01-29 08:50 . 2009-02-02 08:56 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-29 08:50 . 2009-01-29 08:50 <DIR> d-------- c:\program files\AVG
    2009-01-29 08:50 . 2009-01-30 23:28 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-29 08:50 . 2009-01-30 23:28 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-29 08:32 . 2009-01-30 23:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-15 03:50 . 2009-01-15 03:50 <DIR> d-------- c:\documents and settings\LocalService\Application Data\DivX
    2009-01-08 14:12 . 2009-01-08 14:12 <DIR> d-------- c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-02 01:46 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\uTorrent
    2009-01-30 02:48 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\Orbit
    2008-12-30 16:13 --------- d-----w c:\program files\Java
    2008-12-19 23:22 --------- d-----w c:\program files\DivX
    2008-12-19 07:17 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\AdobeUM
    2008-12-18 01:48 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\TextPad
    2008-12-18 01:47 --------- d-----w c:\program files\TextPad 4
    2008-12-05 09:07 --------- d-----w c:\program files\trend micro
    2007-12-04 02:46 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2008-08-11 01:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080812\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
    "Search Protection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "uTorrent "= "c:\program files\uTorrent\uTorrent.exe" [2008-01-05 219952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig "= "c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray "= "c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "KADxMain "= "c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Dell QuickSet "= "c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
    "OrderReminder "= "c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-12-21 98304]
    "pdfFactory Pro Dispatcher v2 "= "c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-05-31 483328]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
    "Easy-PrintToolBox "= "c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
    "nwiz "= "nwiz.exe" [2007-05-11 c:\windows\system32\nwiz.exe]
    "NVHotkey "= "nvHotkey.dll" [2007-05-11 c:\windows\system32\nvhotkey.dll]
    "SigmatelSysTrayApp "= "stsystra.exe" [2007-05-06 c:\windows\stsystra.exe]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

    c:\documents and settings\Fairuz Azmi\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
    Ingres Visual Manager [ II ].lnk - c:\windows\system32\ingwrap.exe [2003-05-14 19:32:18 20480]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-16 692224]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-30 23:28 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Oracle\\Ora92\\Apache\\Apache\\Apache.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe "=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "d:\\Data\\ActiveSync_Remote_Display\\ASRDisp.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "12741:TCP "= 12741:TCP:utorrent

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-29 325128]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
    R2 Ingres_Database_II;Ingres Intelligent Database [II];c:\ingresii\ingres\bin\servproc.exe [2003-05-14 19:03:48 24576]
    R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
    R2 OracleOraHome92Agent;OracleOraHome92Agent;c:\oracle\Ora92\bin\agntsrvc.exe [2002-04-26 28944]
    R2 OracleServiceFAMPS;OracleServiceFAMPS;c:\oracle\ora92\bin\ORACLE.EXE FAMPS --> c:\oracle\ora92\bin\ORACLE.EXE FAMPS [?]
    S3 ADEListener;ADEListener;c:\windows\system32\ADEListener.exe [2006-04-05 28672]
    S3 adiusbae;ADSL USB MODEM LAN ADAPTER;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]
    S3 AMPS Email Processor;AMPS Email Processor;c:\windows\system32\EmailProcessor.exe [2007-03-06 45056]
    S3 FSDFileWatcher;FSDFileWatcher;c:\windows\system32\FSDFileWatcher.exe [2005-11-07 49152]
    S3 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;c:\oracle\Ora92\Apache\Apache\Apache.exe [2002-04-18 4096]
    S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;c:\oracle\Ora92\bin\encsvc.exe [2002-02-13 187392]
    S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;c:\oracle\Ora92\bin\agntsvc.exe [2002-02-13 254464]
    S3 SCAMS_FileWatcher;SCAMS_FileWatcher;c:\windows\system32\SCAMS_FileWatcher.exe [2007-11-05 69632]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10505254-7eed-11dd-96ae-001c26f066af}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
    \Shell\Explore\command - F:\system.exe
    \Shell\Open\command - F:\system.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e94b57-dddc-11dc-94af-001c26f066af}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
    \Shell\Explore\command - F:\system.exe
    \Shell\Open\command - F:\system.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9888eaf3-d0f6-11dd-97c3-001c26f066af}]
    \Shell\AutoRun\command - F:\hpkq.cmd
    \Shell\explore\Command - F:\hpkq.cmd
    \Shell\open\Command - F:\hpkq.cmd

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4ba1a14-ed20-11dd-9811-001c26f066af}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
    \Shell\Explore\command - F:\system.exe
    \Shell\Open\command - F:\system.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://imis-203/amps/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: imis-203
    Trusted Zone: localhost
    Trusted Zone: mbfcards.com\www
    DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCDF} - hxxp://download.excelforce.com.my/aib/cab/csoex_aib.cab
    DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} - hxxp://download.excelforce.com.my/aib/cab/cswx.cab
    FF - ProfilePath - c:\documents and settings\Fairuz Azmi\Application Data\Mozilla\Firefox\Profiles\p14w3m3f.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    .
    .
    ------- File Associations -------
    .
    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-02 09:59:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraHome92PagingServer]
    "ImagePath "= "c:\oracle\Ora92/bin/pagntsrv.exe "

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraHome92TNSListener]
    "ImagePath "= "c:\oracle\Ora92\BIN\TNSLSNR "
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Canon\IJPLM\ijplmsvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\oracle\Ora92\bin\omtsreco.exe
    c:\oracle\Ora92\bin\TNSLSNR.EXE
    c:\oracle\Ora92\bin\oracle.exe
    c:\windows\system32\spool\drivers\w32x86\3\HP1005MC.EXE
    c:\oracle\Ora92\bin\dbsnmp.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\ingresii\ingres\bin\iigcn.exe
    c:\ingresii\ingres\bin\iigcc.exe
    c:\ingresii\ingres\bin\iigworad.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    c:\ingresii\ingres\vdba\ivm.exe
    c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
    c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-02 10:02:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-02-02 02:02:32
    ComboFix2.txt 2008-12-17 08:55:35

    Pre-Run: 24.538.873.856 bytes free
    Post-Run: 25,236,635,648 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    233 --- E O F --- 2008-08-10 14:54:54
     
  6. 2009/02/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have another flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

    Please leave the flash drive plugged in while completing the following.

    Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    F:\system.exe
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10505254-7eed-11dd-96ae-001c26f066af}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e94b57-dddc-11dc-94af-001c26f066af}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9888eaf3-d0f6-11dd-97c3-001c26f066af}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4ba1a14-ed20-11dd-9811-001c26f066af}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
     
  7. 2009/02/03
    myfama

    myfama Inactive Thread Starter

    Joined:
    2008/08/02
    Messages:
    52
    Likes Received:
    0
    ComboFix 09-02-02.04 - Fairuz Azmi 2009-02-04 10:32:40.9 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1273 [GMT 8:00]
    Running from: c:\documents and settings\Fairuz Azmi\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Fairuz Azmi\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    FW: COMODO Firewall Pro *enabled*
    * Created a new restore point

    FILE ::
    F:\system.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    G:\Backup.exe
    G:\autorun.inf . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
    .

    2009-01-29 08:50 . 2009-02-04 09:03 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-29 08:50 . 2009-01-29 08:50 <DIR> d-------- c:\program files\AVG
    2009-01-29 08:50 . 2009-01-30 23:28 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-29 08:50 . 2009-01-30 23:28 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-29 08:32 . 2009-01-30 23:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-15 03:50 . 2009-01-15 03:50 <DIR> d-------- c:\documents and settings\LocalService\Application Data\DivX
    2009-01-08 14:12 . 2009-01-08 14:12 <DIR> d-------- c:\windows\9B12DDD3F1BE4FB69FD2308549244609.TMP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-04 01:45 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\uTorrent
    2009-01-30 02:48 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\Orbit
    2008-12-30 16:13 --------- d-----w c:\program files\Java
    2008-12-19 23:22 --------- d-----w c:\program files\DivX
    2008-12-19 07:17 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\AdobeUM
    2008-12-18 01:48 --------- d-----w c:\documents and settings\Fairuz Azmi\Application Data\TextPad
    2008-12-18 01:47 --------- d-----w c:\program files\TextPad 4
    2008-12-05 09:07 --------- d-----w c:\program files\trend micro
    2007-12-04 02:46 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2008-08-11 01:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080812\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-02-02_10.01.45.81 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2000-08-31 00:00:00 286,720 ----a-w c:\windows\SWREG.exe
    + 2000-08-31 00:00:00 161,792 ----a-w c:\windows\SWREG.exe
    - 2009-02-02 01:59:06 232,302 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
    + 2009-02-04 02:36:47 232,307 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
    + 2009-02-04 02:36:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_380.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "H/PC Connection Agent "= "c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
    "Search Protection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "uTorrent "= "c:\program files\uTorrent\uTorrent.exe" [2008-01-05 219952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig "= "c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "RoxWatchTray "= "c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "KADxMain "= "c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Dell QuickSet "= "c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
    "OrderReminder "= "c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-12-21 98304]
    "pdfFactory Pro Dispatcher v2 "= "c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-05-31 483328]
    "YSearchProtection "= "c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
    "Easy-PrintToolBox "= "c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
    "nwiz "= "nwiz.exe" [2007-05-11 c:\windows\system32\nwiz.exe]
    "NVHotkey "= "nvHotkey.dll" [2007-05-11 c:\windows\system32\nvhotkey.dll]
    "SigmatelSysTrayApp "= "stsystra.exe" [2007-05-06 c:\windows\stsystra.exe]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

    c:\documents and settings\Fairuz Azmi\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
    Ingres Visual Manager [ II ].lnk - c:\windows\system32\ingwrap.exe [2003-05-14 19:32:18 20480]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-16 692224]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-30 23:28 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Oracle\\Ora92\\Apache\\Apache\\Apache.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe "=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "d:\\Data\\ActiveSync_Remote_Display\\ASRDisp.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "12741:TCP "= 12741:TCP:utorrent

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-29 325128]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
    R2 Ingres_Database_II;Ingres Intelligent Database [II];c:\ingresii\ingres\bin\servproc.exe [2003-05-14 19:03:48 24576]
    R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
    R2 OracleOraHome92Agent;OracleOraHome92Agent;c:\oracle\Ora92\bin\agntsrvc.exe [2002-04-26 28944]
    R2 OracleServiceFAMPS;OracleServiceFAMPS;c:\oracle\ora92\bin\ORACLE.EXE FAMPS --> c:\oracle\ora92\bin\ORACLE.EXE FAMPS [?]
    S3 ADEListener;ADEListener;c:\windows\system32\ADEListener.exe [2006-04-05 28672]
    S3 adiusbae;ADSL USB MODEM LAN ADAPTER;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]
    S3 AMPS Email Processor;AMPS Email Processor;c:\windows\system32\EmailProcessor.exe [2007-03-06 45056]
    S3 FSDFileWatcher;FSDFileWatcher;c:\windows\system32\FSDFileWatcher.exe [2005-11-07 49152]
    S3 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;c:\oracle\Ora92\Apache\Apache\Apache.exe [2002-04-18 4096]
    S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;c:\oracle\Ora92\bin\encsvc.exe [2002-02-13 187392]
    S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;c:\oracle\Ora92\bin\agntsvc.exe [2002-02-13 254464]
    S3 SCAMS_FileWatcher;SCAMS_FileWatcher;c:\windows\system32\SCAMS_FileWatcher.exe [2007-11-05 69632]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10505254-7eed-11dd-96ae-001c26f066af}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
    \Shell\Explore\command - F:\system.exe
    \Shell\Open\command - F:\system.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9888eaf3-d0f6-11dd-97c3-001c26f066af}]
    \Shell\AutoRun\command - F:\hpkq.cmd
    \Shell\explore\Command - F:\hpkq.cmd
    \Shell\open\Command - F:\hpkq.cmd
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://imis-203/amps/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: imis-203
    Trusted Zone: localhost
    Trusted Zone: mbfcards.com\www
    DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCDF} - hxxp://download.excelforce.com.my/aib/cab/csoex_aib.cab
    DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} - hxxp://download.excelforce.com.my/aib/cab/cswx.cab
    FF - ProfilePath - c:\documents and settings\Fairuz Azmi\Application Data\Mozilla\Firefox\Profiles\p14w3m3f.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-04 10:37:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraHome92PagingServer]
    "ImagePath "= "c:\oracle\Ora92/bin/pagntsrv.exe "

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\OracleOraHome92TNSListener]
    "ImagePath "= "c:\oracle\Ora92\BIN\TNSLSNR "
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Canon\IJPLM\ijplmsvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\oracle\Ora92\bin\omtsreco.exe
    c:\oracle\Ora92\bin\TNSLSNR.EXE
    c:\oracle\Ora92\bin\oracle.exe
    c:\windows\system32\spool\drivers\w32x86\3\HP1005MC.EXE
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\oracle\Ora92\bin\dbsnmp.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wdfmgr.exe
    c:\ingresii\ingres\bin\iigcn.exe
    c:\ingresii\ingres\bin\iigcc.exe
    c:\ingresii\ingres\bin\iigworad.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    c:\ingresii\ingres\vdba\ivm.exe
    c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-04 10:41:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-02-04 02:41:19
    ComboFix2.txt 2009-02-02 02:02:35
    ComboFix3.txt 2008-12-17 08:55:35

    Pre-Run: 25.447.673.856 bytes free
    Post-Run: 25,469,128,704 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    229 --- E O F --- 2008-08-10 14:54:54
     
  8. 2009/02/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    This concerns me a bit.

    G:\autorun.inf . . . . failed to delete

    What is drive G:?
    If it's a flash drive, is there data on it that would prevent you from formatting it?

    Highlight and copy the contents of the code box below.
    Code:
    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2 /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    The command will execute very quickly and the command window will close on its own.
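The MountPoints2 keys that the `reg delete` command above clears are the ones listed in the preceding ComboFix log. As an added example (not part of the thread and not code from ComboFix or any other tool named here), the following Python script parses that section of a ComboFix log and flags shell verbs that launch a file from a drive root or through `ShellExec_RunDLL` with a relative target; the function names and both heuristics are assumptions of this example.

```python
import re

# Sample input: the MountPoints2 section as it appears in the ComboFix log
# posted in this thread, embedded so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10505254-7eed-11dd-96ae-001c26f066af}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - F:\system.exe
\Shell\Open\command - F:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9888eaf3-d0f6-11dd-97c3-001c26f066af}]
\Shell\AutoRun\command - F:\hpkq.cmd
\Shell\explore\Command - F:\hpkq.cmd
\Shell\open\Command - F:\hpkq.cmd
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)

# Heuristics (assumptions of this example, not rules used by ComboFix):
# 1. the command is a script or executable sitting directly in a drive root;
# 2. the command hands a bare file name to ShellExec_RunDLL, so it resolves
#    against whatever volume is being opened.
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|cmd|bat|com|scr|pif|vbs)$", re.I)
SHELLEXEC_RE = re.compile(r"ShellExec_RunDLL\s+(\S+)$", re.I)


def parse_mountpoints2(log_text):
    """Return {volume_guid: {verb: command}} for each MountPoints2 key in the log."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = entries.setdefault(key.group(1).lower(), {})
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            current[verb.group(1).lower()] = verb.group(2).strip()
        else:
            current = None  # any other line ends the current key's block
    return entries


def suspicious(command):
    """Return a reason string if the command matches a heuristic, else None."""
    cmd = command.strip().strip('"')
    if DRIVE_ROOT_RE.match(cmd):
        # Legitimate installer media can also match; treat a hit as "review this".
        return "script or executable in a drive root"
    target = SHELLEXEC_RE.search(cmd)
    if target and "\\" not in target.group(1):
        return "ShellExec_RunDLL with a relative target"
    return None


def flag_entries(log_text):
    """Return (guid, verb, command, reason) for every flagged shell verb."""
    findings = []
    for guid, verbs in parse_mountpoints2(log_text).items():
        for verb, command in sorted(verbs.items()):
            reason = suspicious(command)
            if reason:
                findings.append((guid, verb, command, reason))
    return findings


if __name__ == "__main__":
    for guid, verb, command, reason in flag_entries(SAMPLE_LOG):
        print(f"{guid} {verb:8} {command}  <- {reason}")
```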
     
  9. 2009/02/04
    myfama

    myfama Inactive Thread Starter

    Joined:
    2008/08/02
    Messages:
    52
    Likes Received:
    0
    Actually I'm currently using two pendrives and both remained plugged in while completing the process (ComboFix). Now I can still see the G:\autorun.inf (which is created by Flash_Disinfector) on only one of the pendrives. I can simply delete the data on it since I've got a backup, so should I format the drive?
     
  10. 2009/02/09
    bdmoh

    bdmoh Inactive

    Joined:
    2009/02/09
    Messages:
    2
    Likes Received:
    0
    I think you have a virus called Sality. It's very annoying and it makes you unable to delete the autorun.inf.
    Try to install Kaspersky and run a full scan. If installing Kaspersky fails for some reason, tell me; I have a few other maneuvers.
     
  11. 2009/02/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That autorun.inf file is fine .... no need to format the USB drive. Things are looking good so let's get an online scan now. Please do an online scan with Kaspersky Online Scanner.

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here.
     
  12. 2009/02/11
    myfama

    myfama Inactive Thread Starter

    Joined:
    2008/08/02
    Messages:
    52
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, February 11, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, February 11, 2009 02:44:38
    Records in database: 1780352
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 193731
    Threat name: 4
    Infected objects: 8
    Suspicious objects: 0
    Duration of the scan: 04:38:49


    File name / Threat name / Threats count
    C:\Documents and Settings\Fairuz Azmi\Local Settings\Temporary Internet Files\Content.IE5\MC1K98MF\PopularScreenSaversInitialSetup1.0.1.1[1].exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bn 1
    C:\Qoobox\Quarantine\C\WINDOWS\autorun.inf.vir Infected: Worm.Win32.AutoIt.i 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\_msmsgs_.exe.zip Infected: Worm.Win32.AutoIt.i 1
    C:\Qoobox\Quarantine\C\WINDOWS\_autorun_.inf.zip Infected: Worm.Win32.AutoIt.i 1
    C:\Qoobox\Quarantine\G\av8.zip Infected: Worm.Win32.AutoIt.i 1
    C:\Qoobox\Quarantine\G\_autorun_.inf.zip Infected: Worm.Win32.AutoIt.i 1
    D:\Data\Documents and Settings_Fairuz Azmi\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst Infected: Virus.VBS.Redlof.l 1
    D:\Data\Documents and Settings_Fairuz Azmi\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst Infected: Virus.VBS.Redlof.a 1

    The selected area was scanned.
     
  13. 2009/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You've got some infected emails, though the online scan did not identify which ones. I'd recommend trying the Kaspersky Virus Removal Tool.
    • Upon running the tool, you will be prompted to run it in safe mode, which should not be necessary so just click OK.
    • Select Mail Databases from the Automatic Scan tab, then click Scan.
    • When the scan completes you will be given an option to Neutralize all threats or right click any threat for further options.
    • After use, uninstall the tool and delete the setup file.

    Otherwise I believe it's safe to clean up our tools. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    Delete dds.scr from the desktop.
    You can delete any other logs that were created/saved too.
    Empty the recycle bin when done.

    Uninstall all old Java components via Add/Remove Programs then install the latest JRE 6 Update 12 from here
     
  14. 2009/02/20
    myfama

    myfama Inactive Thread Starter

    Joined:
    2008/08/02
    Messages:
    52
    Likes Received:
    0
    I've followed everything as instructed. Thank you for your time and advice.
     
  15. 2009/02/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Happy to help. :)
     
