
Inactive all antivirus sites blocked

Discussion in 'Malware and Virus Removal Archive' started by dipesh, 2010/05/08.

  1. 2010/05/08
    dipesh Inactive Thread Starter


    Hello, I am using a Windows XP SP3 system with netcomputing thin clients installed. For a few days, all the antivirus sites, when I try to access them, redirect to a Bing search result, and when the intended site is clicked the page does not display. Not a single antivirus site opens. The ComboFix log is pasted below.

    ComboFix 10-05-07.07 - Sweetheart 05/08/2010 20:15:41.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.990.578 [GMT 5.5:30]
    Running from: C:\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\021430405120070914090202.dll

    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_aic32p


    ((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
    .

    2010-05-08 14:37 . 2010-05-08 14:37 3684271 ----a-r- C:\ComboFix.exe
    2010-05-08 10:48 . 2010-05-08 10:49 -------- d-----w- c:\program files\Nsasoft
    2010-05-07 08:12 . 2010-05-07 08:42 -------- d-----w- c:\program files\AskBarDis
    2010-05-07 08:12 . 2010-05-07 08:12 -------- d-----w- c:\program files\Foxit Software
    2010-05-07 08:12 . 2010-05-07 08:12 -------- d-----w- c:\documents and settings\Sweetheart\Application Data\Foxit
    2010-05-04 11:02 . 2010-05-04 11:02 110968 ----a-w- c:\documents and settings\3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-04 11:02 . 2010-05-04 11:02 -------- d-----w- c:\documents and settings\3\Local Settings\Application Data\Deployment
    2010-05-03 12:35 . 2010-05-03 12:35 -------- d-----w- c:\documents and settings\1\Application Data\GARMIN
    2010-05-02 17:11 . 2010-05-02 17:11 -------- d-----w- c:\documents and settings\Sweetheart\Application Data\ScanSoft
    2010-05-02 17:09 . 2010-05-02 17:10 -------- d-----w- c:\program files\SPC Invoice
    2010-05-02 09:00 . 2010-05-02 09:29 -------- d-----w- c:\documents and settings\Sweetheart\Application Data\GARMIN
    2010-05-02 08:58 . 2010-05-02 08:58 -------- d-----w- C:\WebUpdater
    2010-05-02 08:58 . 2010-05-02 08:58 -------- d-----w- C:\Garmin
    2010-05-02 08:39 . 2008-08-05 15:29 57344 ----a-w- c:\windows\system32\H1DXP.DLL
    2010-04-30 12:09 . 2010-04-30 12:09 -------- d-----w- c:\documents and settings\4\Local Settings\Application Data\Ahead
    2010-04-30 05:25 . 2010-04-30 05:25 -------- d-----w- c:\documents and settings\Sweetheart\Application Data\Malwarebytes
    2010-04-29 13:15 . 2010-04-29 13:15 -------- d-----r- c:\documents and settings\2\Application Data\Brother
    2010-04-29 07:48 . 2008-04-14 12:42 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-04-28 11:01 . 2010-04-28 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Net Protector
    2010-04-27 14:11 . 2010-04-27 14:11 -------- d-----w- c:\documents and settings\4\Application Data\Malwarebytes
    2010-04-26 04:28 . 2010-04-26 04:28 -------- d-----r- c:\documents and settings\3\Application Data\Brother
    2010-04-26 04:00 . 2010-04-26 04:00 -------- d-----w- c:\documents and settings\2\Application Data\U3
    2010-04-26 03:45 . 2010-04-26 03:45 -------- d--h--w- c:\windows\PIF
    2010-04-26 03:32 . 2010-04-26 03:32 -------- d-----w- c:\documents and settings\1\Application Data\Malwarebytes
    2010-04-26 03:32 . 2010-03-29 19:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-26 03:32 . 2010-04-26 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-26 03:32 . 2010-04-26 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-26 03:32 . 2010-03-29 19:15 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 01:33 . 2010-05-04 10:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-25 08:23 . 2010-04-25 08:23 -------- d-----w- c:\documents and settings\4\Local Settings\Application Data\Microsoft Help
    2010-04-25 06:19 . 2010-04-25 06:19 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-04-23 20:41 . 2010-04-23 20:41 -------- d-----w- c:\documents and settings\2\Local Settings\Application Data\Help
    2010-04-22 13:42 . 2010-04-22 13:42 -------- d-----w- C:\23 April 10 PDF
    2010-04-22 12:54 . 2001-07-09 06:20 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    2010-04-22 08:17 . 2010-04-22 08:17 -------- d-----w- c:\documents and settings\Sweetheart\Local Settings\Application Data\Ahead
    2010-04-21 15:01 . 2010-04-21 15:01 -------- d-----w- c:\windows\Sun
    2010-04-20 05:30 . 2010-04-20 05:30 218920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-20 05:29 . 2010-04-20 05:29 -------- d-----w- c:\program files\MSBuild
    2010-04-20 05:29 . 2010-04-20 05:29 -------- d-----w- c:\windows\system32\XPSViewer
    2010-04-20 05:29 . 2010-04-20 05:29 -------- d-----w- c:\program files\Reference Assemblies
    2010-04-20 05:29 . 2007-03-22 14:54 28160 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-04-20 05:28 . 2006-06-29 07:37 14048 ------w- c:\windows\system32\spmsg2.dll
    2010-04-20 05:03 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-04-20 05:03 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-04-20 05:03 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-04-20 05:03 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-04-20 05:03 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-04-20 05:03 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-04-20 05:02 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-04-20 05:02 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-04-20 05:02 . 2010-04-20 05:02 -------- d-----w- c:\program files\Alwil Software
    2010-04-20 05:02 . 2010-04-20 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-04-20 05:00 . 2010-04-20 05:00 -------- d-----w- c:\program files\Java
    2010-04-20 05:00 . 2010-04-20 05:00 -------- d-----w- c:\program files\Common Files\Java
    2010-04-20 04:59 . 2010-04-20 04:59 -------- d-----w- c:\documents and settings\Sweetheart\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142180}
    2010-04-20 04:35 . 2010-04-20 04:35 -------- d-----w- c:\documents and settings\Sweetheart\Local Settings\Application Data\Identities
    2010-04-19 15:32 . 2010-04-19 15:32 -------- d-----w- c:\documents and settings\3\Local Settings\Application Data\Mozilla
    2010-04-19 14:55 . 2010-04-19 14:55 -------- d-s---w- c:\documents and settings\3\UserData
    2010-04-19 04:56 . 2010-05-06 03:32 110968 ----a-w- c:\documents and settings\4\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-19 04:56 . 2010-04-19 04:56 -------- d-----r- c:\documents and settings\4\Application Data\Brother
    2010-04-17 23:30 . 2010-04-17 23:30 -------- d-----w- c:\documents and settings\Sweetheart\Local Settings\Application Data\Mozilla
    2010-04-17 21:24 . 2010-05-08 10:48 -------- d-----w- C:\Downloads
    2010-04-17 21:17 . 2010-05-08 10:57 -------- d-----w- c:\program files\FlashGet
    2010-04-17 14:19 . 2010-04-17 14:19 -------- d-----w- c:\documents and settings\2\Local Settings\Application Data\Mozilla
    2010-04-17 04:11 . 2010-05-03 05:16 110968 ----a-w- c:\documents and settings\Sweetheart\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-17 01:00 . 2010-04-17 01:00 -------- d-----w- c:\documents and settings\Sweetheart\Local Settings\Application Data\Help
    2010-04-16 23:35 . 2010-04-16 23:35 -------- d-----w- C:\project1
    2010-04-16 21:10 . 2010-04-16 21:10 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\Mozilla
    2010-04-16 20:41 . 2010-04-16 20:41 0 ----a-w- c:\windows\nsreg.dat
    2010-04-16 20:41 . 2010-04-16 20:41 -------- d-----w- c:\documents and settings\4\Local Settings\Application Data\Mozilla
    2010-04-16 19:58 . 2010-04-16 19:58 -------- d-----w- c:\documents and settings\4\Application Data\ScanSoft
    2010-04-16 19:39 . 2010-04-16 19:39 -------- d-----w- c:\documents and settings\4\Local Settings\Application Data\Yahoo
    2010-04-16 19:39 . 2010-04-16 19:39 -------- d-----w- c:\documents and settings\4\Application Data\Yahoo!
    2010-04-16 00:55 . 2010-04-16 00:55 -------- d-----w- c:\documents and settings\2\Local Settings\Application Data\Yahoo
    2010-04-16 00:55 . 2010-04-16 00:55 -------- d-----w- c:\documents and settings\2\Application Data\Yahoo!
    2010-04-16 00:54 . 2010-04-16 00:54 -------- d-s---w- c:\documents and settings\2\UserData
    2010-04-16 00:29 . 2010-04-16 00:29 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\Yahoo
    2010-04-16 00:29 . 2010-04-16 00:29 -------- d-----w- c:\documents and settings\1\Application Data\Yahoo!
    2010-04-15 23:48 . 2010-04-15 23:48 1956808 ----a-w- c:\documents and settings\Sweetheart\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2010-04-15 18:03 . 2010-04-15 18:03 -------- d-----w- c:\program files\Common Files\Nero
    2010-04-15 18:01 . 2000-06-26 06:15 106496 ----a-w- c:\windows\system32\TwnLib20.dll
    2010-04-15 18:01 . 2004-07-27 00:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
    2010-04-15 18:01 . 2004-07-27 00:16 476320 ----a-w- c:\windows\system32\ImagXpr7.dll
    2010-04-15 18:01 . 2004-07-27 00:16 262144 ------w- c:\windows\system32\ImagXR7.dll
    2010-04-15 18:01 . 2004-07-27 00:16 1568768 ----a-w- c:\windows\system32\ImagX7.dll
    2010-04-15 18:01 . 2010-04-15 18:01 -------- d-----w- c:\program files\Common Files\Ahead
    2010-04-15 18:01 . 2010-04-15 18:01 -------- d-----w- c:\program files\Ahead
    2010-04-15 17:45 . 2010-04-15 17:45 -------- d-----w- c:\documents and settings\4\Local Settings\Application Data\Help
    2010-04-15 17:45 . 2010-04-15 17:45 -------- d-s---w- c:\documents and settings\4\UserData
    2010-04-15 17:43 . 2010-04-15 17:43 -------- d-----w- c:\documents and settings\4\Local Settings\Application Data\Opera
    2010-04-15 17:36 . 2010-04-27 06:34 -------- d-----w- c:\documents and settings\4
    2010-04-14 23:47 . 2010-04-14 23:47 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\Microsoft Help
    2010-04-14 23:42 . 2010-04-14 23:42 -------- d-----w- c:\documents and settings\All Users\Microsoft
    2010-04-14 23:40 . 2010-04-14 23:40 -------- d-----w- c:\program files\Microsoft Analysis Services
    2010-04-14 23:40 . 2010-04-14 23:43 -------- d-----w- c:\windows\SHELLNEW
    2010-04-14 23:40 . 2010-04-14 23:40 -------- d-----w- c:\documents and settings\Sweetheart\Local Settings\Application Data\Microsoft Help
    2010-04-14 23:39 . 2010-05-02 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-14 23:39 . 2010-04-14 23:39 -------- d-----r- C:\MSOCache
    2010-04-14 23:26 . 2008-04-14 12:42 1306624 -c--a-w- c:\windows\system32\dllcache\msxml6.dll
    2010-04-14 23:26 . 2008-04-14 12:42 1306624 ----a-w- c:\windows\system32\msxml6.dll
    2010-04-14 23:26 . 2008-04-14 05:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
    2010-04-14 23:26 . 2008-04-14 05:57 79872 ------w- c:\windows\system32\msxml6r.dll
    2010-04-14 23:24 . 2010-04-14 23:24 -------- d-----w- c:\windows\ServicePackFiles
    2010-04-14 23:23 . 2008-04-14 12:42 294912 -c--a-w- c:\windows\system32\dllcache\dlimport.exe
    2010-04-14 23:20 . 2007-08-11 03:46 26488 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-04-14 23:17 . 2010-04-14 23:17 -------- d-----w- c:\windows\system32\LogFiles
    2010-04-14 23:01 . 2010-04-14 23:01 -------- d-s---w- c:\documents and settings\1\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-03 13:04 . 2010-04-14 12:39 110968 ----a-w- c:\documents and settings\1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-02 08:44 . 2010-04-17 02:18 -------- d-----w- c:\program files\Kun2009
    2010-04-28 11:22 . 2010-04-14 22:44 -------- d-----w- c:\program files\NetComputer
    2010-04-26 04:23 . 2010-04-14 14:06 -------- d-----w- c:\documents and settings\Sweetheart\Application Data\U3
    2010-04-25 06:19 . 2010-04-14 22:44 -------- d-----w- c:\program files\Common Files\NComputer
    2010-04-14 23:28 . 2010-04-14 22:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-04-14 22:44 . 2010-04-14 22:44 -------- d-----w- c:\program files\Microsoft Shared
    2010-04-14 22:44 . 2010-04-14 22:44 -------- d-----w- c:\program files\Common Files\PCSeverics
    2010-04-14 22:42 . 2010-04-14 22:42 45056 ----a-w- c:\documents and settings\Sweetheart\Application Data\Microsoft\Installer\{2764CA82-DFB9-4498-AF85-719340BF5305}\NewShortcut1_2764CA82DFB94498AF85719340BF5305.exe
    2010-04-14 22:42 . 2010-04-14 22:42 10134 ----a-r- c:\documents and settings\Sweetheart\Application Data\Microsoft\Installer\{2764CA82-DFB9-4498-AF85-719340BF5305}\ARPPRODUCTICON.exe
    2010-04-14 22:42 . 2010-04-14 22:42 -------- d-----w- c:\program files\Dell
    2010-04-14 22:34 . 2010-04-14 22:34 -------- d-----w- c:\program files\ATI Technologies
    2010-04-14 22:24 . 2010-04-14 22:24 -------- d-----w- c:\program files\Broadcom
    2010-04-14 22:19 . 2010-04-14 22:19 -------- d-----w- c:\program files\microsoft frontpage
    2010-04-14 22:16 . 2010-04-14 22:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-04-14 13:44 . 2010-04-14 13:44 -------- d-----w- c:\documents and settings\3\Application Data\Yahoo!
    2010-04-14 12:45 . 2010-04-14 12:44 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-14 12:44 . 2010-04-14 12:44 -------- d-----w- c:\documents and settings\Sweetheart\Application Data\InterTrust
    2010-04-14 12:39 . 2010-04-14 12:39 -------- d-----r- c:\documents and settings\1\Application Data\Brother
    2010-04-14 11:46 . 2010-04-14 11:46 -------- d-----w- c:\program files\Opera
    2010-04-14 11:45 . 2010-04-14 11:45 -------- d-----w- c:\documents and settings\Sweetheart\Application Data\Yahoo!
    2010-04-14 11:31 . 2010-04-14 11:31 -------- d-----r- c:\documents and settings\Sweetheart\Application Data\Brother
    2010-04-14 11:30 . 2010-04-14 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-04-14 11:30 . 2010-04-14 11:30 -------- d-----w- c:\program files\Yahoo!
    2010-04-14 11:29 . 2010-04-14 11:29 50 ----a-w- c:\windows\system32\bridf08b.dat
    2010-04-14 11:29 . 2010-04-14 11:28 -------- d-----w- c:\program files\Brother
    2010-04-14 11:28 . 2010-04-14 22:33 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-14 11:28 . 2010-04-14 11:28 -------- d-----w- c:\documents and settings\Sweetheart\Application Data\InstallShield
    2010-04-14 11:27 . 2010-04-14 11:27 10134 ----a-r- c:\documents and settings\Sweetheart\Application Data\Microsoft\Installer\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}\ARPPRODUCTICON.exe
    2010-04-14 11:27 . 2010-04-14 11:27 -------- d-----w- c:\program files\Nuance
    2010-04-14 11:27 . 2010-04-14 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
    2010-04-14 11:27 . 2010-04-14 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
    2010-04-14 11:27 . 2010-04-14 11:26 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
    2010-04-14 11:26 . 2010-04-14 22:33 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-04-14 11:26 . 2010-04-14 11:26 -------- d-----w- c:\program files\ScanSoft
    2010-04-14 11:25 . 2010-04-14 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
    2008-04-14 12:41 . 2004-08-03 19:26 174852 --sha-r- c:\windows\system32\irzsv.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-18 07:28 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"="c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"="c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HpMessage"="c:\program files\NetComputer\KmMsg.exe" [2007-05-18 151552]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-22 86016]
    "SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_18\bin\jusched.exe" [2008-05-27 32881]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    OfficeSAS.lnk - c:\program files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe [2009-9-26 202648]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\KmWinLog]
    2007-12-16 05:49 405504 ----a-w- c:\windows\system32\Kmlogon.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:1a900267a

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3581:TCP"= 3581:TCP:MultiuserPortTCP3581
    "3581:UDP"= 3581:UDP:MultiuserPortUDP3581
    "3597:TCP"= 3597:TCP:MultiuserPortTCP3597
    "3645:TCP"= 3645:TCP:MultiuserPortTCP3645
    "3646:TCP"= 3646:TCP:MultiuserPortTCP3646
    "1283:UDP"= 1283:UDP:MultiuserPortUDP1283
    "27605:TCP"= 27605:TCP:MultiuserPortTCP27605
    "27615:TCP"= 27615:TCP:MultiuserPortTCP27615
    "1027:UDP"= 1027:UDP:MultiuserPortUDP1027
    "4689:TCP"= 4689:TCP:iuhlbkrr

    R0 HpPciVga;Multiuser PCI VGA Station Driver (MultiScreen);c:\windows\system32\drivers\KmWpsMs.sys [4/15/2010 4:15 AM 148834]
    R0 HpStore;Multiuser Devices Control Service;c:\windows\system32\drivers\KmStore.sys [4/15/2010 4:15 AM 13688]
    R0 HpUsbKeyboard;Multiuser USB Keyboard Class Driver;c:\windows\system32\drivers\KmKbdCls.sys [4/15/2010 4:15 AM 29601]
    R0 HpUsbMouse;Multiuser USB Mouse Class Driver;c:\windows\system32\drivers\KmMouCls.sys [4/15/2010 4:15 AM 26657]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/20/2010 10:33 AM 164048]
    R1 HpHelper;Multiuser User Mode Helper Driver;c:\windows\system32\drivers\KmHlprk.sys [4/15/2010 4:15 AM 23744]
    R1 HpVcard;UTMA Video-Accelerator;c:\windows\system32\drivers\hpvcard.sys [4/15/2010 4:15 AM 4096]
    R1 Hstd;Multiuser hstd driver;c:\windows\system32\drivers\hstd.sys [4/15/2010 4:15 AM 72464]
    R2 ACWINLPT;ASCL LPT Windows Driver;c:\windows\system32\ACWINLPT.SYS [4/17/2010 7:48 AM 4080]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/20/2010 10:33 AM 19024]
    R2 HpBootSrv;Multiuser Boot Server for Miniterm;c:\program files\Common Files\NComputer\bootsrv.exe [4/15/2010 4:15 AM 139264]
    R2 HpLegacyKeyboard;Multiuser Legacy Keyboard Port Driver;c:\windows\system32\drivers\KmJBox.sys [4/15/2010 4:15 AM 48863]
    R2 HpService;Multiuser Service;System32\KmServc.exe --> System32\KmServc.exe [?]
    R3 HpXpHidCls;Multiuser HID Device Control Service;c:\windows\system32\drivers\KmHidCls.sys [4/15/2010 4:15 AM 5504]
    R3 HpXpKbdPnp;Multiuser Keyboard Control Service;c:\windows\system32\drivers\KmKbdPnp.sys [4/15/2010 4:15 AM 6753]
    R3 HpXpMouPnp;Multiuser mouse Control Service;c:\windows\system32\drivers\KmMouPnp.sys [4/15/2010 4:15 AM 6337]
    R3 htsatran;UTSA/UTMA Virtual Transport Driver;c:\windows\system32\drivers\htsatran.sys [4/15/2010 4:15 AM 110840]
    R3 htsaudio;UTMA Virtual Audio Driver;c:\windows\system32\drivers\htsaudio.sys [4/15/2010 4:15 AM 28600]
    R3 HtsBusEnum;UTMA Devices Enumerator;c:\windows\system32\drivers\htsbus.sys [4/15/2010 4:15 AM 27092]
    S0 etxupjkt;etxupjkt;c:\windows\system32\drivers\elvudk.sys --> c:\windows\system32\drivers\elvudk.sys [?]
    S0 lhhdvrf;lhhdvrf;c:\windows\system32\drivers\vporf.sys --> c:\windows\system32\drivers\vporf.sys [?]
    S2 rhpwqoi;Server Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
    S3 cczvenue;cczvenue;\??\c:\windows\System32\Drivers\cczvenue.sys --> c:\windows\System32\Drivers\cczvenue.sys [?]
    S3 cimytgjc;cimytgjc;\??\c:\windows\System32\Drivers\cimytgjc.sys --> c:\windows\System32\Drivers\cimytgjc.sys [?]
    S3 dlkyzwqq;dlkyzwqq;\??\c:\windows\System32\Drivers\dlkyzwqq.sys --> c:\windows\System32\Drivers\dlkyzwqq.sys [?]
    S3 dpeitwxw;dpeitwxw;\??\c:\windows\System32\Drivers\dpeitwxw.sys --> c:\windows\System32\Drivers\dpeitwxw.sys [?]
    S3 gsyarxaa;gsyarxaa;\??\c:\windows\System32\Drivers\gsyarxaa.sys --> c:\windows\System32\Drivers\gsyarxaa.sys [?]
    S3 hdgaltah;hdgaltah;\??\c:\windows\System32\Drivers\hdgaltah.sys --> c:\windows\System32\Drivers\hdgaltah.sys [?]
    S3 htsxhci;Kingsem UTMA USB Host Controller;c:\windows\system32\drivers\htsxhci.sys [4/15/2010 4:15 AM 17654]
    S3 iulmjkee;iulmjkee;\??\c:\windows\System32\Drivers\iulmjkee.sys --> c:\windows\System32\Drivers\iulmjkee.sys [?]
    S3 mxsugeuc;mxsugeuc;\??\c:\windows\System32\Drivers\mxsugeuc.sys --> c:\windows\System32\Drivers\mxsugeuc.sys [?]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/26/2009 4:58 PM 4639136]
    S3 sipepbkg;sipepbkg;\??\c:\windows\System32\Drivers\sipepbkg.sys --> c:\windows\System32\Drivers\sipepbkg.sys [?]
    S3 tynsicgq;tynsicgq;\??\c:\windows\System32\Drivers\tynsicgq.sys --> c:\windows\System32\Drivers\tynsicgq.sys [?]
    S3 uamfjlez;uamfjlez;\??\c:\windows\System32\Drivers\uamfjlez.sys --> c:\windows\System32\Drivers\uamfjlez.sys [?]
    S3 vljjxhcs;vljjxhcs;\??\c:\windows\System32\Drivers\vljjxhcs.sys --> c:\windows\System32\Drivers\vljjxhcs.sys [?]
    S3 xzczqcpn;xzczqcpn;\??\c:\windows\System32\Drivers\xzczqcpn.sys --> c:\windows\System32\Drivers\xzczqcpn.sys [?]
    S3 zxpvdswd;zxpvdswd;\??\c:\windows\System32\Drivers\zxpvdswd.sys --> c:\windows\System32\Drivers\zxpvdswd.sys [?]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    rhpwqoi
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.in/
    uInternet Connection Wizard,ShellNext = hxxp://quickheal.co.in/
    IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: {80A6047B-CC7F-4E80-BE8A-29F6A7E380CF} = 61.1.96.69,218.248.240.208
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    DPF: {23ACBF1D-D7AF-4236-AD8C-CADF14234B78} - hxxp://164.100.9.245/(n)CodeDGFT_new.CAB
    FF - ProfilePath - c:\documents and settings\Sweetheart\Application Data\Mozilla\Firefox\Profiles\xnvt1a54.default\
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJPI142_18.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\Opera\program\plugins\NPDocBox.dll
    FF - plugin: c:\program files\Opera\program\plugins\NPJPI142_18.dll
    FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-08 20:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rhpwqoi]
    "ServiceDll"="c:\windows\system32\irzsv.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1844237615-1580436667-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(684)
    c:\windows\system32\Kmlogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Brother\ControlCenter3\brccMCtl.exe
    c:\program files\Brother\Brmfcmon\BrMfcmon.exe
    c:\windows\System32\KmServc.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-08 20:26:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-08 14:56

    Pre-Run: 26,307,137,536 bytes free
    Post-Run: 26,450,747,392 bytes free

    - - End Of File - - 958F95CBD176E2E550F9F8690A4F9DAA


    Please help me out.
    I have an ADSL router (UTSTARCOM 3000 model) and a Netgear 4-port router. Even MSN doesn't open on any of the wired LAN systems, but if I access it on a laptop via Wi-Fi, all the antivirus sites are accessible. I have formatted all the hard disk partitions, re-partitioned the hard disk and fresh-installed all the OS, yet the same problem. I have avast antivirus. Please do help.

    Thanks in advance.
     
  2. 2010/05/08
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Welcome to WindowsBBS :)

    Please read this as indicated at the head of the forum and post the logs requested in this thread.
     


  4. 2010/05/08
    dipesh

    dipesh Inactive Thread Starter

    Joined:
    2010/05/08
    Messages:
    2
    Likes Received:
    0
    The dds.txt file is pasted below, but somehow the attach.txt file does not get saved.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by at 20:53:30.17 on Sat 05/08/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.990.527 [GMT 5.5:30]

    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Java\j2re1.4.2_18\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe
    C:\Program Files\Common Files\NComputer\bootsrv.exe
    C:\WINDOWS\System32\KmServc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\DOCUME~1\SWEETH~1\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.in/
    uInternet Connection Wizard,ShellNext = hxxp://quickheal.co.in/
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll
    BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
    TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [HpMessage] c:\program files\netcomputer\KmMsg.exe
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
    mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
    mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
    mRun: [SunJavaUpdateSched] "c:\program files\java\j2re1.4.2_18\bin\jusched.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office14\officesas\officeSASscheduler.exe
    mPolicies-system: DisableStatusMessages = 1 (0x1)
    IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
    IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {23ACBF1D-D7AF-4236-AD8C-CADF14234B78} - hxxp://164.100.9.245/(n)CodeDGFT_new.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    TCP: {80A6047B-CC7F-4E80-BE8A-29F6A7E380CF} = 61.1.96.69,218.248.240.208
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Notify: AtiExtEvent - Ati2evxx.dl_
    Notify: KmWinLog - Kmlogon.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\sweeth~1\applic~1\mozilla\firefox\profiles\xnvt1a54.default\
    FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJPI142_18.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\opera\program\plugins\NPDocBox.dll
    FF - plugin: c:\program files\opera\program\plugins\NPJPI142_18.dll
    FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 HpPciVga;Multiuser PCI VGA Station Driver (MultiScreen);c:\windows\system32\drivers\KmWpsMs.sys [2010-4-15 148834]
    R0 HpStore;Multiuser Devices Control Service;c:\windows\system32\drivers\KmStore.sys [2010-4-15 13688]
    R0 HpUsbKeyboard;Multiuser USB Keyboard Class Driver;c:\windows\system32\drivers\KmKbdCls.sys [2010-4-15 29601]
    R0 HpUsbMouse;Multiuser USB Mouse Class Driver;c:\windows\system32\drivers\KmMouCls.sys [2010-4-15 26657]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-20 164048]
    R1 HpHelper;Multiuser User Mode Helper Driver;c:\windows\system32\drivers\KmHlprk.sys [2010-4-15 23744]
    R1 HpVcard;UTMA Video-Accelerator;c:\windows\system32\drivers\hpvcard.sys [2010-4-15 4096]
    R1 Hstd;Multiuser hstd driver;c:\windows\system32\drivers\hstd.sys [2010-4-15 72464]
    R2 ACWINLPT;ASCL LPT Windows Driver;c:\windows\system32\ACWINLPT.SYS [2010-4-17 4080]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-20 19024]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
    R2 HpBootSrv;Multiuser Boot Server for Miniterm;c:\program files\common files\ncomputer\bootsrv.exe [2010-4-15 139264]
    R2 HpLegacyKeyboard;Multiuser Legacy Keyboard Port Driver;c:\windows\system32\drivers\KmJBox.sys [2010-4-15 48863]
    R2 HpService;Multiuser Service;System32\KmServc.exe --> System32\KmServc.exe [?]
    R3 HpXpHidCls;Multiuser HID Device Control Service;c:\windows\system32\drivers\KmHidCls.sys [2010-4-15 5504]
    R3 HpXpKbdPnp;Multiuser Keyboard Control Service;c:\windows\system32\drivers\KmKbdPnp.sys [2010-4-15 6753]
    R3 HpXpMouPnp;Multiuser mouse Control Service;c:\windows\system32\drivers\KmMouPnp.sys [2010-4-15 6337]
    R3 htsatran;UTSA/UTMA Virtual Transport Driver;c:\windows\system32\drivers\htsatran.sys [2010-4-15 110840]
    R3 htsaudio;UTMA Virtual Audio Driver;c:\windows\system32\drivers\htsaudio.sys [2010-4-15 28600]
    R3 HtsBusEnum;UTMA Devices Enumerator;c:\windows\system32\drivers\htsbus.sys [2010-4-15 27092]
    S0 etxupjkt;etxupjkt;c:\windows\system32\drivers\elvudk.sys --> c:\windows\system32\drivers\elvudk.sys [?]
    S0 lhhdvrf;lhhdvrf;c:\windows\system32\drivers\vporf.sys --> c:\windows\system32\drivers\vporf.sys [?]
    S2 rhpwqoi;Server Task;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-20 40384]
    S3 cczvenue;cczvenue;\??\c:\windows\system32\drivers\cczvenue.sys --> c:\windows\system32\drivers\cczvenue.sys [?]
    S3 cimytgjc;cimytgjc;\??\c:\windows\system32\drivers\cimytgjc.sys --> c:\windows\system32\drivers\cimytgjc.sys [?]
    S3 dlkyzwqq;dlkyzwqq;\??\c:\windows\system32\drivers\dlkyzwqq.sys --> c:\windows\system32\drivers\dlkyzwqq.sys [?]
    S3 dpeitwxw;dpeitwxw;\??\c:\windows\system32\drivers\dpeitwxw.sys --> c:\windows\system32\drivers\dpeitwxw.sys [?]
    S3 gsyarxaa;gsyarxaa;\??\c:\windows\system32\drivers\gsyarxaa.sys --> c:\windows\system32\drivers\gsyarxaa.sys [?]
    S3 hdgaltah;hdgaltah;\??\c:\windows\system32\drivers\hdgaltah.sys --> c:\windows\system32\drivers\hdgaltah.sys [?]
    S3 htsxhci;Kingsem UTMA USB Host Controller;c:\windows\system32\drivers\htsxhci.sys [2010-4-15 17654]
    S3 iulmjkee;iulmjkee;\??\c:\windows\system32\drivers\iulmjkee.sys --> c:\windows\system32\drivers\iulmjkee.sys [?]
    S3 mxsugeuc;mxsugeuc;\??\c:\windows\system32\drivers\mxsugeuc.sys --> c:\windows\system32\drivers\mxsugeuc.sys [?]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
    S3 sipepbkg;sipepbkg;\??\c:\windows\system32\drivers\sipepbkg.sys --> c:\windows\system32\drivers\sipepbkg.sys [?]
    S3 tynsicgq;tynsicgq;\??\c:\windows\system32\drivers\tynsicgq.sys --> c:\windows\system32\drivers\tynsicgq.sys [?]
    S3 uamfjlez;uamfjlez;\??\c:\windows\system32\drivers\uamfjlez.sys --> c:\windows\system32\drivers\uamfjlez.sys [?]
    S3 vljjxhcs;vljjxhcs;\??\c:\windows\system32\drivers\vljjxhcs.sys --> c:\windows\system32\drivers\vljjxhcs.sys [?]
    S3 xzczqcpn;xzczqcpn;\??\c:\windows\system32\drivers\xzczqcpn.sys --> c:\windows\system32\drivers\xzczqcpn.sys [?]
    S3 zxpvdswd;zxpvdswd;\??\c:\windows\system32\drivers\zxpvdswd.sys --> c:\windows\system32\drivers\zxpvdswd.sys [?]

    =============== Created Last 30 ================

    2010-05-08 14:39:02 98816 ----a-w- c:\windows\sed.exe
    2010-05-08 14:39:02 77312 ----a-w- c:\windows\MBR.exe
    2010-05-08 14:39:02 256512 ----a-w- c:\windows\PEV.exe
    2010-05-08 14:39:02 161792 ----a-w- c:\windows\SWREG.exe
    2010-05-08 14:37:30 3684271 ----a-r- C:\ComboFix.exe
    2010-05-08 10:48:57 0 d-----w- c:\program files\Nsasoft
    2010-05-07 08:12:26 0 d-----w- c:\program files\AskBarDis
    2010-05-07 08:12:19 0 d-----w- c:\program files\Foxit Software
    2010-05-07 08:12:19 0 d-----w- c:\docume~1\sweeth~1\applic~1\Foxit
    2010-05-02 17:09:07 0 d-----w- c:\program files\SPC Invoice
    2010-05-02 09:00:04 0 d-----w- c:\docume~1\sweeth~1\applic~1\GARMIN
    2010-05-02 08:58:41 0 d-----w- C:\WebUpdater
    2010-05-02 08:58:04 0 d-----w- C:\Garmin
    2010-05-02 08:39:31 57344 ----a-w- c:\windows\system32\H1DXP.DLL
    2010-04-30 05:25:29 0 d-----w- c:\docume~1\sweeth~1\applic~1\Malwarebytes
    2010-04-29 13:47:51 3243 ----a-w- c:\windows\system32\wbem\Outlook_01cae7a28fa85f58.mof
    2010-04-29 07:48:23 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-04-28 11:01:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Net Protector
    2010-04-26 04:06:11 332323 ----a-w- C:\news of maharashtra (Dahanu Delivry).pdf
    2010-04-26 03:45:37 0 d--h--w- c:\windows\PIF
    2010-04-26 03:32:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-26 03:32:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 03:32:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-26 03:32:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-04-26 01:33:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-25 06:19:09 0 d--h--w- c:\windows\system32\GroupPolicy
    2010-04-22 13:42:41 0 d-----w- C:\23 April 10 PDF
    2010-04-22 12:54:27 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    2010-04-21 15:02:39 286208 ------w- C:\New cencus 2222.xls
    2010-04-21 14:56:25 364544 ------w- C:\New cencus 49%.xls
    2010-04-21 14:46:37 407552 ------w- C:\master trainer cencus.xls
    2010-04-21 06:59:07 116 ----a-w- c:\windows\NeroDigital.ini
    2010-04-20 05:29:20 0 d-----w- c:\windows\system32\XPSViewer
    2010-04-20 05:28:45 14048 ------w- c:\windows\system32\spmsg2.dll
    2010-04-20 05:02:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-04-20 05:00:29 61555 ----a-w- c:\windows\system32\jpicpl32.cpl
    2010-04-17 21:24:30 0 d-----w- C:\Downloads
    2010-04-17 21:17:46 0 d-----w- c:\program files\FlashGet
    2010-04-17 02:20:34 67584 ----a-w- c:\windows\system32\satnam.jpg
    2010-04-17 02:18:06 0 d-----w- c:\program files\Kun2009
    2010-04-16 23:35:14 0 d-----w- C:\project1
    2010-04-15 18:01:47 106496 ----a-w- c:\windows\system32\TwnLib20.dll
    2010-04-15 18:01:41 471040 ------w- c:\windows\system32\ImagXRA7.dll
    2010-04-15 18:01:40 476320 ----a-w- c:\windows\system32\ImagXpr7.dll
    2010-04-15 18:01:40 262144 ------w- c:\windows\system32\ImagXR7.dll
    2010-04-15 18:01:40 1568768 ----a-w- c:\windows\system32\ImagX7.dll
    2010-04-14 23:42:32 0 d-----w- c:\documents and settings\all users\Microsoft
    2010-04-14 23:40:44 0 d-----w- c:\program files\Microsoft Analysis Services
    2010-04-14 23:40:34 0 d-----w- c:\windows\SHELLNEW
    2010-04-14 23:25:59 97117 -c----w- c:\windows\system32\dllcache\mplayer2.hlp
    2010-04-14 23:24:03 0 d-----w- c:\windows\ServicePackFiles
    2010-04-14 23:23:48 294912 -c--a-w- c:\windows\system32\dllcache\dlimport.exe
    2010-04-14 23:21:17 19569 ----a-w- c:\windows\002864_.tmp
    2010-04-14 23:21:09 0 d-----w- c:\windows\system32\ReinstallBackups
    2010-04-14 23:20:59 26488 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-04-14 23:17:17 0 d-----w- c:\windows\system32\LogFiles
    2010-04-14 22:44:50 0 d-----w- c:\program files\common files\NComputer
    2010-04-14 22:44:33 0 d-----w- c:\program files\Microsoft Shared
    2010-04-14 22:44:32 0 d-----w- c:\program files\common files\PCSeverics
    2010-04-14 22:44:31 0 d-----w- c:\program files\NetComputer
    2010-04-14 22:42:07 0 d-----w- c:\program files\Dell
    2010-04-14 22:34:00 0 d-----w- c:\program files\ATI Technologies
    2010-04-14 22:24:11 0 d-----w- c:\program files\Broadcom
    2010-04-14 22:18:29 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-04-14 22:18:12 0 d--h--w- c:\program files\WindowsUpdate
    2010-04-14 22:17:23 0 d-----w- c:\program files\common files\MSSoap
    2010-04-14 22:16:11 0 d-----w- c:\program files\Online Services
    2010-04-14 22:16:07 0 d-----w- c:\program files\Messenger
    2010-04-14 22:16:03 0 d-----w- c:\program files\MSN Gaming Zone
    2010-04-14 22:15:16 0 d-----w- c:\program files\Windows NT
    2010-04-14 15:09:40 0 d-----w- c:\program files\common files\ODBC
    2010-04-14 15:09:36 0 d-----w- c:\program files\common files\SpeechEngines
    2010-04-14 15:09:14 0 d-----r- c:\documents and settings\all users\Documents
    2010-04-14 11:31:01 0 d-----r- c:\docume~1\sweeth~1\applic~1\Brother
    2010-04-14 11:30:47 0 d-----w- c:\program files\Yahoo!
    2010-04-14 11:28:51 0 d-----w- c:\program files\Brother
    2010-04-14 11:27:57 0 d-----w- c:\program files\Nuance
    2010-04-14 11:26:58 0 d-----w- c:\program files\common files\ScanSoft Shared
    2010-04-14 11:26:50 0 d-----w- c:\program files\ScanSoft
    2010-04-14 11:25:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Brother

    ==================== Find3M ====================

    2010-05-08 11:16:11 66384 ----a-w- c:\windows\fonts\k11.ttf
    2010-04-14 22:16:27 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-04-14 13:53:19 48508 ----a-w- c:\windows\fonts\Shivaji01_Normal_(wwww[1].font-cat.com).ttf
    2008-04-14 12:41:58 174852 --sha-r- c:\windows\system32\irzsv.dll

    ============= FINISH: 20:53:39.06 ===============
     
  5. 2010/05/08
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2010/05/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Make sure you allow Recovery Console installation on the next ComboFix run.


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\H1DXP.DLL
    c:\windows\system32\irzsv.dll
    c:\windows\system32\drivers\elvudk.sys
    c:\windows\system32\drivers\vporf.sys
    c:\windows\System32\Drivers\cczvenue.sys
    c:\windows\System32\Drivers\cimytgjc.sys
    c:\windows\System32\Drivers\dlkyzwqq.sys
    c:\windows\System32\Drivers\dpeitwxw.sys
    c:\windows\System32\Drivers\gsyarxaa.sys
    c:\windows\System32\Drivers\hdgaltah.sys
    c:\windows\System32\Drivers\iulmjkee.sys
    c:\windows\System32\Drivers\mxsugeuc.sys
    c:\windows\System32\Drivers\sipepbkg.sys
    c:\windows\System32\Drivers\tynsicgq.sys
    c:\windows\System32\Drivers\uamfjlez.sys
    c:\windows\System32\Drivers\vljjxhcs.sys
    c:\windows\System32\Drivers\xzczqcpn.sys
    c:\windows\System32\Drivers\zxpvdswd.sys
    
    
    Folder::
    
    Driver::
    etxupjkt
    lhhdvrf
    cczvenue
    cimytgjc
    dlkyzwqq
    dpeitwxw
    gsyarxaa
    hdgaltah
    htsxhci
    iulmjkee
    mxsugeuc
    sipepbkg
    tynsicgq
    uamfjlez
    vljjxhcs
    xzczqcpn
    zxpvdswd
    rhpwqoi
    
    NetSvc::
    rhpwqoi
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4689:TCP"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rhpwqoi]
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG: animation showing CFScript.txt being dragged onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
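As an added example (not a WindowsBBS, DDS or ComboFix tool), the script below does in code the first pass an analyst does by eye on the SERVICES / DRIVERS section of a DDS log: it scores each entry on indicators visible in the log itself, namely a driver whose image file is reported missing (the `--> ... [?]` form), a random-looking 7-8 letter service name, a display name that merely repeats the service name, and an svchost-hosted service whose real code lives in a ServiceDll that DDS does not print. The sample lines are constructed from paths in this thread's log; the scoring weights and thresholds are my own choice, not a DDS or ComboFix rule, and the output is a review list, not a deletion list.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log (added example, not a DDS/ComboFix tool)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape DDS prints; paths are taken from the thread's log.
SAMPLE_DDS = """\
R1 aswSP;aswSP;c:\\windows\\system32\\drivers\\aswSP.sys [2010-4-20 164048]
R2 HpService;Multiuser Service;System32\\KmServc.exe --> System32\\KmServc.exe [?]
S0 etxupjkt;etxupjkt;c:\\windows\\system32\\drivers\\elvudk.sys --> c:\\windows\\system32\\drivers\\elvudk.sys [?]
S0 lhhdvrf;lhhdvrf;c:\\windows\\system32\\drivers\\vporf.sys --> c:\\windows\\system32\\drivers\\vporf.sys [?]
S2 rhpwqoi;Server Task;c:\\windows\\system32\\svchost.exe -k netsvcs [2004-8-4 14336]
S3 cczvenue;cczvenue;\\??\\c:\\windows\\system32\\drivers\\cczvenue.sys --> c:\\windows\\system32\\drivers\\cczvenue.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\OSPPSVC.EXE [2009-9-26 4639136]
"""

# DDS line layout: "<state> <service name>;<display name>;<image path> [date size]" or
# "<image path> --> <image path> [?]" when the file could not be found on disk.
ENTRY_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
# Heuristic only: 7-8 lowercase letters with no digits or capitals.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}$")


@dataclass
class Finding:
    name: str
    state: str
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Thresholds are an assumption of this example, not a published rule.
        if self.score >= 3:
            return "likely"
        if self.score == 2:
            return "review"
        return "clean"


def parse_entries(text: str) -> list:
    """Return one dict per parseable service/driver line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def score_entry(e: dict) -> Finding:
    f = Finding(name=e["name"], state=e["state"], image=e["image"])
    if e["image"].rstrip().endswith("[?]"):
        f.score += 2
        f.reasons.append("image file not found on disk")
    if RANDOM_NAME_RE.match(e["name"]):
        f.score += 1
        f.reasons.append("random-looking service name")
    if e["name"].lower() == e["display"].strip().lower():
        f.score += 1
        f.reasons.append("display name identical to service name")
    if "svchost.exe -k" in e["image"].lower():
        f.score += 1
        f.reasons.append("svchost-hosted: real code is in ServiceDll, check the registry")
    return f


def triage(text: str) -> list:
    return [score_entry(e) for e in parse_entries(text)]


def driver_section(findings: list) -> str:
    """Render the 'likely' names as a ComboFix Driver:: block for the analyst to review."""
    names = [f.name for f in findings if f.verdict == "likely"]
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for f in results:
        print(f"{f.verdict:6} {f.state} {f.name:<10} score={f.score}  {'; '.join(f.reasons)}")
    print()
    print(driver_section(results))
```

Run on the sample, the three random-named drivers with missing files score 4 and land in the Driver:: block, while HpService (missing file but a descriptive NComputing display name) and rhpwqoi (file present, but a random name hosted in svchost -k netsvcs) both come out as "review" rather than "likely". That second case is the point of the review tier: the DDS line alone cannot show what rhpwqoi loads, whereas the ComboFix log in the first post records its ServiceDll as c:\windows\system32\irzsv.dll, which the Find3M section lists with the hidden, system and read-only attributes. A log-only score gets an analyst to the right questions; the registry lookup is still what settles them.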