
Solved New malware Document1.exe help me out

Discussion in 'Malware and Virus Removal Archive' started by z4u, 2007/10/31.

  1. 2007/10/31
    z4u (Thread Starter)

    Hi guys, finally one of my machines is infected with the following malware. It keeps coming back when I delete the file. Here is the ComboFix log, please have a look; I need your guidance to heal it, thank you. I don't have a flash drive because the system is used by clients, so they use a number of USB or flash drives in the system.
    ComboFix 07-11-01.1** - P14 2007-11-01 9:21:59.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.107 [GMT 8:00]
    Running from: C:\Documents and Settings\P14\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\ÿ.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
    .

    2007-11-01 09:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-31 21:29 <DIR> d-------- C:\Program Files\Conference
    2007-10-31 15:55 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQDoctor
    2007-10-31 09:34 <DIR> d-------- C:\WINDOWS\system32\qqedit
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Tencent
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQ
    2007-10-31 09:34 147,456 --a------ C:\WINDOWS\system32\Scrax.dll
    2007-10-31 09:34 135,168 --a------ C:\WINDOWS\system32\SSup.dll
    2007-10-31 09:33 <DIR> d-------- C:\Program Files\Tencent
    2007-10-27 16:59 <DIR> d-------- C:\Program Files\LowRateVoip
    2007-10-27 16:59 <DIR> d-------- C:\Documents and Settings\P14\Application Data\LowRateVoip
    2007-10-25 13:05 <DIR> d-------- C:\Program Files\Stardock
    2007-10-25 13:05 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
    2007-10-25 13:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2007-10-22 12:35 <DIR> d-------- C:\Program Files\Netscape
    2007-10-22 12:35 <DIR> d-------- C:\Documents and Settings\P14\WINDOWS
    2007-10-22 12:35 633,560 --a------ C:\WINDOWS\cd32.exe
    2007-10-22 12:35 299,520 --a------ C:\WINDOWS\uninst.exe
    2007-10-22 12:35 61,952 --a------ C:\WINDOWS\system32\nabapi32.dll
    2007-10-19 22:02 <DIR> d-------- C:\Documents and Settings\P14\Application Data\AdobeUM
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\dllcache\redbook.sys
    2007-10-19 21:43 249,627 -rahs---- C:\WINDOWS\Document1.exe
    2007-10-19 21:43 226,587 -rahs---- C:\WINDOWS\*.exe
    2007-10-18 12:00 40,296 --a------ C:\Documents and Settings\P14\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\Profiles
    2007-10-11 13:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\Documents and Settings\P14\Application Data\InterTrust
    2007-10-11 13:07 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2007-10-10 19:50 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 19:50 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-10 19:50 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 19:50 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 19:50 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 19:50 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 19:50 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 19:50 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 18:25 <DIR> d-------- C:\Program Files\Avira
    2007-10-10 18:20 524,800 --a------ C:\WINDOWS\system32\CafeAgent.exe
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\dllcache\ftlx041e.dll
    2007-10-10 18:04 <DIR> d-------- C:\Program Files\MSN Apps
    2007-10-10 18:04 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2007-10-10 18:04 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-10-10 18:04 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2007-10-10 18:04 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2007-10-10 18:02 <DIR> d-------- C:\WINDOWS\pss
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Real
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\Real
    2007-10-10 17:55 <DIR> d--hs---- C:\Recycled
    2007-10-10 17:51 <DIR> d-------- C:\Program Files\Yahoo!
    2007-10-10 17:48 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-10-10 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-10 17:46 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2007-10-10 17:43 <DIR> d-------- C:\WINDOWS\ShellNew
    2007-10-10 17:43 <DIR> d-------- C:\Program Files\Common Files\L&H
    2007-10-10 17:00 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-10 17:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-10 16:41 31,864 --a------ C:\WINDOWS\nsreg.dat
    2007-10-10 16:40 <DIR> d-------- C:\Program Files\Canon
    2007-10-10 16:40 25,584 --a------ C:\WINDOWS\system32\aucplmNT.dll
    2007-10-10 16:40 2,301 --a------ C:\WINDOWS\mozver.dat
    2007-10-10 16:38 <DIR> d-------- C:\WINDOWS\Cache
    2007-10-10 16:37 <DIR> d-------- C:\Program Files\NJStar Communicator
    2007-10-10 16:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-10 16:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\mIRC
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\DFX
    2007-10-10 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
    2007-10-10 16:28 <DIR> d-------- C:\Program Files\Winamp
    2007-10-10 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\dllcache\wdmaud.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\dllcache\swmidi.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\dllcache\dmusic.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\dllcache\splitter.sys
    2007-10-10 16:26 <DIR> d-------- C:\Program Files\SiS7012
    2007-10-10 16:25 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-10-10 16:25 <DIR> d--hs---- C:\Documents and Settings\P14\UserData
    2007-10-10 16:23 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-10-10 16:07 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2007-10-10 16:06 113,222 --a------ C:\WINDOWS\system32\dllcache\zoneclim.dll
    2007-10-10 16:06 41,029 --a------ C:\WINDOWS\system32\dllcache\zcorem.dll
    2007-10-10 16:06 36,937 --a------ C:\WINDOWS\system32\dllcache\zclientm.exe
    2007-10-10 16:06 29,760 --a------ C:\WINDOWS\system32\dllcache\znetm.dll
    2007-10-10 16:06 13,894 --a------ C:\WINDOWS\system32\dllcache\zonelibm.dll
    2007-10-10 16:06 4,677 --a------ C:\WINDOWS\system32\dllcache\zeeverm.dll
    2007-10-10 16:03 1,175,635 --a------ C:\WINDOWS\system32\dllcache\hrtzres.dll
    2007-10-10 16:03 57,409 --a------ C:\WINDOWS\system32\dllcache\hrtz.dll
    2007-10-10 16:03 42,573 --a------ C:\WINDOWS\system32\dllcache\hrtzzm.exe
    2007-10-10 16:03 39,936 --a------ C:\WINDOWS\system32\dllcache\hostmib.dll
    2007-10-10 16:03 35,328 --a------ C:\WINDOWS\system32\dllcache\iprip.dll
    2007-10-10 16:03 18,432 --a------ C:\WINDOWS\system32\dllcache\jupiw.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-10 08:24 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
    2007-10-10 07:35 --------- d-----w C:\Program Files\microsoft frontpage
    2007-10-10 06:32 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
    2007-10-10 06:32 1,580,544 ----a-w C:\WINDOWS\system32\sfcfiles.dll
    2007-09-12 15:05 226,587 --sha-r C:\WINDOWS\*.exe
    2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-20 07:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent "= "C:\WINDOWS\system32\cafeagent.exe" [2005-03-22 16:39]
    "avgnt "= "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-10 17:56]
    "stup.exe "= "C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll" [2007-09-29 10:09]
    "Document1 "= "C:\WINDOWS\*.exe" [2007-09-12 23:05]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent "=C:\WINDOWS\system32\cafeagent.exe /normal

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=0 (0x0)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=0 (0x0)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=1 (0x1)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "NoDispCPL "=0 (0x0)
    "NoDispAppearancePage "=0 (0x0)
    "NoDispScrSavPage "=0 (0x0)
    "NoDispSettingsPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoRecentDocsNetHood "=0 (0x0)
    "NoInstrumentation "=0 (0x0)
    "NoSimpleStartMenu "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "NoLogOff "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoRecentDocsNetHood "=0 (0x0)
    "NoUserNameInStartMenu "=1 (0x1)
    "NoInstrumentation "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "ForceStartMenuLogoff "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoLogOff "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "=1 (0x1)
    "NoRecentDocsHistory "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoActiveDesktopChanges "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoViewContextMenu "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "NoClose "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "NoRun "=0 (0x0)
    "NoFind "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "StartMenuLogoff "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=wbsys.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    R0 AFPAnsi;CafeSuite File Protector;C:\WINDOWS\system32\AFPAnsi.sys
    R2 CafeAgent;CafeAgent of CafeSuite;C:\WINDOWS\system32\CafeAgent.exe /service
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService Alerter WebClient LmHosts upnphost SSDPSRV

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d5145c2-81eb-11dc-ad65-0050babdfc67}]
    \Shell\AutoRun\command - ntdelect.com
    \Shell\explore\Command - ntdelect.com
    \Shell\open\Command - ntdelect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41596452-7d2d-11dc-ad5c-0050babdfc67}]
    \Shell\AutoPlay\command - wscript.exe \Haha.js
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
    \Shell\Explore\command - wscript.exe \Haha.js -Clicked
    \Shell\Open\command - wscript.exe \Haha.js
    \Shell\Scan for Viruses\command - wscript.exe \Haha.js
    \Shell\Scan with AVG\command - wscript.exe \Haha.js
    \Shell\Scan with Norton AntiVirus\command - wscript.exe \Haha.js

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409fe-82b2-11dc-ad67-0050babdfc67}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
    \Shell\Explore\command - E:\Flash.10.Setup.exe
    \Shell\Open\command - E:\Flash.10.Setup.exe
    \Shell\Scan for Viruses\command - E:\Scanner.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409ff-82b2-11dc-ad67-0050babdfc67}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b4-7eb3-11dc-ad5e-0050babdfc67}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b5-7eb3-11dc-ad5e-0050babdfc67}]
    \Shell\Auto\command - RavMon.exe
    \Shell\AutoRun\command - RavMon.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5e9a07f-8758-11dc-ad71-0050babdfc67}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
    \Shell\Explore\command - E:\Flash.10.Setup.exe
    \Shell\Open\command - E:\Flash.10.Setup.exe
    \Shell\Scan for Viruses\command - E:\Scanner.exe

    *Newly Created Service* - CATCHME
    *Newly Created Service* - HTTPFILTER
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-01 09:23:25
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-01 9:25:00
    .
    --- E O F ---
    I have submitted the Document1.exe file to your submission channel, please check it at http://www.bleepingcomputer.com/submit-malware.php?channel=22
     
  2. 2007/10/31
    noahdfear
    Hi z4u,

    I need the following file, as seen in the ComboFix log, uploaded please.

    2007-10-19 21:43 226,587 -rahs---- C:\WINDOWS\*.exe


    Please click Start>Run and type cmd then hit Enter to open a command window. Highlight and copy the following command.

    attrib -r -h -s C:\WINDOWS\*.exe

    Now right click in the command window and paste the command, then hit enter. Locate and upload that file to my submission channel.
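The two posts above point at one pattern: a Run key named Document1 that launches a hidden, system, read-only executable in C:\WINDOWS, and a set of MountPoints2 entries recording what inserted USB drives offered to execute (ntdelect.com and ntde1ect.com, RavMon.exe, wscript.exe \Haha.js, Flash.10.Setup.exe), including verbs that replace the "Scan for Viruses" and "Scan with AVG" context-menu entries. One practical check: "*" cannot appear in a Windows filename, so C:\WINDOWS\*.exe in the log is how ComboFix rendered a name it could not display, and typed literally at a cmd prompt that path is a wildcard that matches every .exe in C:\WINDOWS. As an added example, not code from the thread or from ComboFix, the script below triages ComboFix log text for exactly these indicators. The sample log lines embedded in it are constructed from the log posted above; the heuristics (the lookalike check against ntdetect.com, the antivirus-verb override, the ShellExec_RunDLL launcher) are this example's own, not anything ComboFix itself reports.

```python
"""Triage a ComboFix log for the autorun-worm pattern in this thread.

Added example, not ComboFix's code or either poster's. It flags executables with
hidden+system attributes (the -rahs---- column), Run keys that point at them, and
MountPoints2 handlers recording what removable drives tried to run. SAMPLE_LOG is
constructed from lines in the posted log.
"""
import difflib
import re

SAMPLE_LOG = r"""
2007-10-19 21:43 249,627 -rahs---- C:\WINDOWS\Document1.exe
2007-10-19 21:43 226,587 -rahs---- C:\WINDOWS\*.exe
2007-10-10 18:20 524,800 --a------ C:\WINDOWS\system32\CafeAgent.exe
2007-10-10 17:55 <DIR> d--hs---- C:\Recycled

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CafeAgent "= "C:\WINDOWS\system32\cafeagent.exe" [2005-03-22 16:39]
"Document1 "= "C:\WINDOWS\*.exe" [2007-09-12 23:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d5145c2-81eb-11dc-ad65-0050babdfc67}]
\Shell\AutoRun\command - ntdelect.com
\Shell\open\Command - ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41596452-7d2d-11dc-ad5c-0050babdfc67}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
\Shell\Scan with AVG\command - wscript.exe \Haha.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

# Line shapes ComboFix prints. The 9-char attribute column is d r a h s plus padding.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"(.+?)\s*"\s*=\s*"?([^"\[]+?)"?\s*(?:\[[^\]]*\])?\s*$')
SHELL_RE = re.compile(r"^\\Shell\\(.+?)\\command\s+-\s+(.+)$", re.IGNORECASE)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll")
ILLEGAL_NAME_CHARS = set('*?"<>|')    # never legal in a Windows filename
LOOKALIKE_TARGETS = ["ntdetect.com"]  # genuine XP boot file whose name worms imitate


def decode_attrs(token):
    """'-rahs----' -> {'readonly', 'archive', 'hidden', 'system'}."""
    names = {"d": "directory", "r": "readonly", "a": "archive", "h": "hidden", "s": "system"}
    return {names[c] for c in token if c in names}


def file_reasons(attrs, path):
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if {"hidden", "system"} <= attrs and "directory" not in attrs and base.lower().endswith(EXEC_EXT):
        reasons.append("executable with hidden+system attributes")
    if ILLEGAL_NAME_CHARS & set(base):
        reasons.append("name shows a character Windows forbids, so the real name was not rendered")
    return reasons


def command_reasons(verb, command):
    v, c = verb.lower(), command.lower()
    reasons = []
    if v.startswith(("scan for viruses", "scan with")):
        reasons.append("overrides an antivirus context-menu verb")
    if "shellexec_rundll" in c:
        reasons.append("launches through rundll32 ShellExec_RunDLL")
    if re.search(r"\b[cw]script(\.exe)?\b", c):
        reasons.append("runs a script host against a file on the drive")
    if re.fullmatch(r"[^\s:\\]+\.(com|exe|scr|pif|bat|cmd)", c):
        reasons.append("bare executable name relative to the drive root")
    base = c.split()[0].rsplit("\\", 1)[-1]
    if base not in LOOKALIKE_TARGETS and difflib.get_close_matches(base, LOOKALIKE_TARGETS, n=1, cutoff=0.9):
        reasons.append("one-character lookalike of a genuine system file name")
    return reasons


def triage(log_text):
    findings = {"files": [], "run_entries": [], "autorun_handlers": []}
    flagged_paths, section = set(), ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            section = m.group(1).lower()
        elif m := FILE_RE.match(line):
            attrs, path = decode_attrs(m.group(2)), m.group(3).strip()
            if reasons := file_reasons(attrs, path):
                findings["files"].append((path, sorted(attrs), reasons))
                flagged_paths.add(path.lower())
        elif section.endswith(("\\run", "\\runservices")) and (m := RUN_RE.match(line)):
            name, target = m.group(1), m.group(2).strip()
            if any(target.lower().startswith(p) for p in flagged_paths):
                findings["run_entries"].append((name, target))
        elif "mountpoints2" in section and (m := SHELL_RE.match(line)):
            verb, command = m.group(1), m.group(2).strip()
            if reasons := command_reasons(verb, command):
                findings["autorun_handlers"].append((section.rsplit("\\", 1)[-1], verb, command, reasons))
    return findings
```

Run triage(open("ComboFix.txt").read()) against a real log and review the three lists by hand; the MountPoints2 heuristics deliberately leave an entry such as E:\LaunchU3.exe -a unflagged, since a plain launcher path with no verb hijack, script host or lookalike name is what a legitimate U3 drive records, and any entry that trips several reasons at once is the one to pull first.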
     


  4. 2007/11/01
    z4u (Thread Starter)
    Hi noahdfear, I have run the command but I failed to locate the *.exe in the Windows folder, and I have tried the search files option as well. Before that I updated Avira AntiVir and scanned my hard drive, found a few viruses and removed them, so I am posting a new ComboFix log again; here it is:
    ComboFix 07-11-01.1** - P14 2007-11-01 13:53:29.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.98 [GMT 8:00]
    Running from: C:\Documents and Settings\P14\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
    .

    2007-11-01 09:29 <DIR> d-------- C:\Program Files\FRISK Software
    2007-11-01 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
    2007-11-01 09:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-31 21:29 <DIR> d-------- C:\Program Files\Conference
    2007-10-31 15:55 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQDoctor
    2007-10-31 09:34 <DIR> d-------- C:\WINDOWS\system32\qqedit
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Tencent
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQ
    2007-10-31 09:34 147,456 --a------ C:\WINDOWS\system32\Scrax.dll
    2007-10-31 09:34 135,168 --a------ C:\WINDOWS\system32\SSup.dll
    2007-10-31 09:33 <DIR> d-------- C:\Program Files\Tencent
    2007-10-27 16:59 <DIR> d-------- C:\Program Files\LowRateVoip
    2007-10-27 16:59 <DIR> d-------- C:\Documents and Settings\P14\Application Data\LowRateVoip
    2007-10-25 13:05 <DIR> d-------- C:\Program Files\Stardock
    2007-10-25 13:05 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
    2007-10-25 13:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2007-10-22 12:35 <DIR> d-------- C:\Program Files\Netscape
    2007-10-22 12:35 <DIR> d-------- C:\Documents and Settings\P14\WINDOWS
    2007-10-22 12:35 633,560 --a------ C:\WINDOWS\cd32.exe
    2007-10-22 12:35 299,520 --a------ C:\WINDOWS\uninst.exe
    2007-10-22 12:35 61,952 --a------ C:\WINDOWS\system32\nabapi32.dll
    2007-10-19 22:02 <DIR> d-------- C:\Documents and Settings\P14\Application Data\AdobeUM
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\dllcache\redbook.sys
    2007-10-18 12:00 40,296 --a------ C:\Documents and Settings\P14\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\Profiles
    2007-10-11 13:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\Documents and Settings\P14\Application Data\InterTrust
    2007-10-11 13:07 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2007-10-10 19:50 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 19:50 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-10 19:50 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 19:50 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 19:50 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 19:50 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 19:50 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 19:50 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 18:25 <DIR> d-------- C:\Program Files\Avira
    2007-10-10 18:20 524,800 --a------ C:\WINDOWS\system32\CafeAgent.exe
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\dllcache\ftlx041e.dll
    2007-10-10 18:04 <DIR> d-------- C:\Program Files\MSN Apps
    2007-10-10 18:04 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2007-10-10 18:04 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-10-10 18:04 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2007-10-10 18:04 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2007-10-10 18:02 <DIR> d-------- C:\WINDOWS\pss
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Real
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\Real
    2007-10-10 17:55 <DIR> d--hs---- C:\Recycled
    2007-10-10 17:51 <DIR> d-------- C:\Program Files\Yahoo!
    2007-10-10 17:48 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-10-10 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-10 17:46 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2007-10-10 17:43 <DIR> d-------- C:\WINDOWS\ShellNew
    2007-10-10 17:43 <DIR> d-------- C:\Program Files\Common Files\L&H
    2007-10-10 17:00 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-10 17:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-10 16:41 31,864 --a------ C:\WINDOWS\nsreg.dat
    2007-10-10 16:40 <DIR> d-------- C:\Program Files\Canon
    2007-10-10 16:40 25,584 --a------ C:\WINDOWS\system32\aucplmNT.dll
    2007-10-10 16:40 2,301 --a------ C:\WINDOWS\mozver.dat
    2007-10-10 16:38 <DIR> d-------- C:\WINDOWS\Cache
    2007-10-10 16:37 <DIR> d-------- C:\Program Files\NJStar Communicator
    2007-10-10 16:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-10 16:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\mIRC
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\DFX
    2007-10-10 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
    2007-10-10 16:28 <DIR> d-------- C:\Program Files\Winamp
    2007-10-10 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\dllcache\wdmaud.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\dllcache\swmidi.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\dllcache\dmusic.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\dllcache\splitter.sys
    2007-10-10 16:26 <DIR> d-------- C:\Program Files\SiS7012
    2007-10-10 16:25 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-10-10 16:25 <DIR> d--hs---- C:\Documents and Settings\P14\UserData
    2007-10-10 16:23 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-10-10 16:07 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2007-10-10 16:06 113,222 --a------ C:\WINDOWS\system32\dllcache\zoneclim.dll
    2007-10-10 16:06 41,029 --a------ C:\WINDOWS\system32\dllcache\zcorem.dll
    2007-10-10 16:06 36,937 --a------ C:\WINDOWS\system32\dllcache\zclientm.exe
    2007-10-10 16:06 29,760 --a------ C:\WINDOWS\system32\dllcache\znetm.dll
    2007-10-10 16:06 13,894 --a------ C:\WINDOWS\system32\dllcache\zonelibm.dll
    2007-10-10 16:06 4,677 --a------ C:\WINDOWS\system32\dllcache\zeeverm.dll
    2007-10-10 16:03 1,175,635 --a------ C:\WINDOWS\system32\dllcache\hrtzres.dll
    2007-10-10 16:03 57,409 --a------ C:\WINDOWS\system32\dllcache\hrtz.dll
    2007-10-10 16:03 42,573 --a------ C:\WINDOWS\system32\dllcache\hrtzzm.exe
    2007-10-10 16:03 39,936 --a------ C:\WINDOWS\system32\dllcache\hostmib.dll
    2007-10-10 16:03 35,328 --a------ C:\WINDOWS\system32\dllcache\iprip.dll
    2007-10-10 16:03 18,432 --a------ C:\WINDOWS\system32\dllcache\jupiw.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-10 08:24 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
    2007-10-10 07:35 --------- d-----w C:\Program Files\microsoft frontpage
    2007-10-10 06:32 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
    2007-10-10 06:32 1,580,544 ----a-w C:\WINDOWS\system32\sfcfiles.dll
    2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-20 07:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-01_ 9.23.39.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    + 2007-07-20 04:01:52 767,280 ----a-w C:\WINDOWS\system32\ArcaMicroScanUpdater.exe
    + 2007-07-20 02:34:38 847,872 ----a-w C:\WINDOWS\system32\ArcaOnline.dll
    + 2005-03-04 06:01:24 139,264 ----a-w C:\WINDOWS\system32\ArcaOnlineUninstall.exe
    - 2007-09-07 04:05:20 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2007-11-01 02:31:20 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2002-01-05 04:48:16 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent"="C:\WINDOWS\system32\cafeagent.exe" [2005-03-22 16:39]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-01 10:31]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-10 17:56]
    "stup.exe"="C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll" [2007-09-29 10:09]
    "Document1"="C:\WINDOWS\*.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent"=C:\WINDOWS\system32\cafeagent.exe /normal

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=0 (0x0)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=0 (0x0)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=0 (0x0)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispAppearancePage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoRecentDocsNetHood"=0 (0x0)
    "NoInstrumentation"=0 (0x0)
    "NoSimpleStartMenu"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "NoLogOff"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoRecentDocsNetHood"=0 (0x0)
    "NoUserNameInStartMenu"=1 (0x1)
    "NoInstrumentation"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "ForceStartMenuLogoff"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoLogOff"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoClose"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "NoRun"=0 (0x0)
    "NoFind"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoRecentDocsMenu"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "StartMenuLogoff"=0 (0x0)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=wbsys.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    R0 AFPAnsi;CafeSuite File Protector;C:\WINDOWS\system32\AFPAnsi.sys
    R2 CafeAgent;CafeAgent of CafeSuite;C:\WINDOWS\system32\CafeAgent.exe /service
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService Alerter WebClient LmHosts upnphost SSDPSRV

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d5145c2-81eb-11dc-ad65-0050babdfc67}]
    \Shell\AutoRun\command - ntdelect.com
    \Shell\explore\Command - ntdelect.com
    \Shell\open\Command - ntdelect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41596452-7d2d-11dc-ad5c-0050babdfc67}]
    \Shell\AutoPlay\command - wscript.exe \Haha.js
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
    \Shell\Explore\command - wscript.exe \Haha.js -Clicked
    \Shell\Open\command - wscript.exe \Haha.js
    \Shell\Scan for Viruses\command - wscript.exe \Haha.js
    \Shell\Scan with AVG\command - wscript.exe \Haha.js
    \Shell\Scan with Norton AntiVirus\command - wscript.exe \Haha.js

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409fe-82b2-11dc-ad67-0050babdfc67}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
    \Shell\Explore\command - E:\Flash.10.Setup.exe
    \Shell\Open\command - E:\Flash.10.Setup.exe
    \Shell\Scan for Viruses\command - E:\Scanner.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409ff-82b2-11dc-ad67-0050babdfc67}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b4-7eb3-11dc-ad5e-0050babdfc67}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b5-7eb3-11dc-ad5e-0050babdfc67}]
    \Shell\Auto\command - RavMon.exe
    \Shell\AutoRun\command - RavMon.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5e9a07f-8758-11dc-ad71-0050babdfc67}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
    \Shell\Explore\command - E:\Flash.10.Setup.exe
    \Shell\Open\command - E:\Flash.10.Setup.exe
    \Shell\Scan for Viruses\command - E:\Scanner.exe

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-01 13:54:46
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-01 13:56:32
    C:\ComboFix2.txt ... 2007-11-01 09:25
    .
    --- E O F ---
     
    z4u,
    #3
  5. 2007/11/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It does appear those files were both removed. Let's do a bit more cleanup.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d5145c2-81eb-11dc-ad65-0050babdfc67}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41596452-7d2d-11dc-ad5c-0050babdfc67}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409fe-82b2-11dc-ad67-0050babdfc67}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409ff-82b2-11dc-ad67-0050babdfc67}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b4-7eb3-11dc-ad5e-0050babdfc67}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b5-7eb3-11dc-ad5e-0050babdfc67}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5e9a07f-8758-11dc-ad71-0050babdfc67}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Document1"=-

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  6. 2007/11/01
    z4u

    Okay, here is the log, please have a look.
    ComboFix 07-11-01.1** - P14 2007-11-02 11:27:46.3 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT 8:00]
    Running from: C:\Documents and Settings\P14\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\P14\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
    .

    2007-11-01 17:28 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Yahoo!
    2007-11-01 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-11-01 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-01 16:05 <DIR> d-------- C:\Documents and Settings\P14\Application Data\JustVoip
    2007-11-01 09:29 <DIR> d-------- C:\Program Files\FRISK Software
    2007-11-01 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
    2007-11-01 09:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-31 21:29 <DIR> d-------- C:\Program Files\Conference
    2007-10-31 15:55 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQDoctor
    2007-10-31 09:34 <DIR> d-------- C:\WINDOWS\system32\qqedit
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Tencent
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQ
    2007-10-31 09:34 147,456 --a------ C:\WINDOWS\system32\Scrax.dll
    2007-10-31 09:34 135,168 --a------ C:\WINDOWS\system32\SSup.dll
    2007-10-31 09:33 <DIR> d-------- C:\Program Files\Tencent
    2007-10-27 16:59 <DIR> d-------- C:\Program Files\LowRateVoip
    2007-10-27 16:59 <DIR> d-------- C:\Documents and Settings\P14\Application Data\LowRateVoip
    2007-10-25 13:05 <DIR> d-------- C:\Program Files\Stardock
    2007-10-25 13:05 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
    2007-10-25 13:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2007-10-22 12:35 <DIR> d-------- C:\Program Files\Netscape
    2007-10-22 12:35 <DIR> d-------- C:\Documents and Settings\P14\WINDOWS
    2007-10-22 12:35 633,560 --a------ C:\WINDOWS\cd32.exe
    2007-10-22 12:35 299,520 --a------ C:\WINDOWS\uninst.exe
    2007-10-22 12:35 61,952 --a------ C:\WINDOWS\system32\nabapi32.dll
    2007-10-19 22:02 <DIR> d-------- C:\Documents and Settings\P14\Application Data\AdobeUM
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\dllcache\redbook.sys
    2007-10-18 12:00 40,296 --a------ C:\Documents and Settings\P14\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\Profiles
    2007-10-11 13:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\Documents and Settings\P14\Application Data\InterTrust
    2007-10-11 13:07 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2007-10-10 19:50 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 19:50 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-10 19:50 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 19:50 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 19:50 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 19:50 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 19:50 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 19:50 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 18:25 <DIR> d-------- C:\Program Files\Avira
    2007-10-10 18:20 524,800 --a------ C:\WINDOWS\system32\CafeAgent.exe
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\dllcache\ftlx041e.dll
    2007-10-10 18:04 <DIR> d-------- C:\Program Files\MSN Apps
    2007-10-10 18:04 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2007-10-10 18:04 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-10-10 18:04 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2007-10-10 18:04 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2007-10-10 18:02 <DIR> d-------- C:\WINDOWS\pss
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Real
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\Real
    2007-10-10 17:55 <DIR> d--hs---- C:\Recycled
    2007-10-10 17:51 <DIR> d-------- C:\Program Files\Yahoo!
    2007-10-10 17:48 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-10-10 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-10 17:46 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2007-10-10 17:43 <DIR> d-------- C:\WINDOWS\ShellNew
    2007-10-10 17:43 <DIR> d-------- C:\Program Files\Common Files\L&H
    2007-10-10 17:00 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-10 17:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-10 16:41 31,864 --a------ C:\WINDOWS\nsreg.dat
    2007-10-10 16:40 <DIR> d-------- C:\Program Files\Canon
    2007-10-10 16:40 25,584 --a------ C:\WINDOWS\system32\aucplmNT.dll
    2007-10-10 16:40 2,301 --a------ C:\WINDOWS\mozver.dat
    2007-10-10 16:38 <DIR> d-------- C:\WINDOWS\Cache
    2007-10-10 16:37 <DIR> d-------- C:\Program Files\NJStar Communicator
    2007-10-10 16:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-10 16:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\mIRC
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\DFX
    2007-10-10 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
    2007-10-10 16:28 <DIR> d-------- C:\Program Files\Winamp
    2007-10-10 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\dllcache\wdmaud.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\dllcache\swmidi.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\dllcache\dmusic.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\dllcache\splitter.sys
    2007-10-10 16:26 <DIR> d-------- C:\Program Files\SiS7012
    2007-10-10 16:25 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-10-10 16:25 <DIR> d--hs---- C:\Documents and Settings\P14\UserData
    2007-10-10 16:23 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-10-10 16:07 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2007-10-10 16:06 113,222 --a------ C:\WINDOWS\system32\dllcache\zoneclim.dll
    2007-10-10 16:06 41,029 --a------ C:\WINDOWS\system32\dllcache\zcorem.dll
    2007-10-10 16:06 36,937 --a------ C:\WINDOWS\system32\dllcache\zclientm.exe
    2007-10-10 16:06 29,760 --a------ C:\WINDOWS\system32\dllcache\znetm.dll
    2007-10-10 16:06 13,894 --a------ C:\WINDOWS\system32\dllcache\zonelibm.dll
    2007-10-10 16:06 4,677 --a------ C:\WINDOWS\system32\dllcache\zeeverm.dll
    2007-10-10 16:03 1,175,635 --a------ C:\WINDOWS\system32\dllcache\hrtzres.dll
    2007-10-10 16:03 57,409 --a------ C:\WINDOWS\system32\dllcache\hrtz.dll
    2007-10-10 16:03 42,573 --a------ C:\WINDOWS\system32\dllcache\hrtzzm.exe
    2007-10-10 16:03 39,936 --a------ C:\WINDOWS\system32\dllcache\hostmib.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-10 08:24 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
    2007-10-10 07:35 --------- d-----w C:\Program Files\microsoft frontpage
    2007-10-10 06:32 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
    2007-10-10 06:32 1,580,544 ----a-w C:\WINDOWS\system32\sfcfiles.dll
    2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-20 07:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-01_ 9.23.39.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    + 2007-07-20 04:01:52 767,280 ----a-w C:\WINDOWS\system32\ArcaMicroScanUpdater.exe
    + 2007-07-20 02:34:38 847,872 ----a-w C:\WINDOWS\system32\ArcaOnline.dll
    + 2005-03-04 06:01:24 139,264 ----a-w C:\WINDOWS\system32\ArcaOnlineUninstall.exe
    - 2007-09-07 04:05:20 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2007-11-01 02:31:20 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2002-01-05 04:48:16 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent"="C:\WINDOWS\system32\cafeagent.exe" [2005-03-22 16:39]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-01 10:31]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-10 17:56]
    "stup.exe"="C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll" [2007-09-29 10:09]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
    "JustVoip"="C:\Program Files\JustVoip.com\JustVoip\JustVoip.exe" []
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-29 06:10]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent"=C:\WINDOWS\system32\cafeagent.exe /normal

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=0 (0x0)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=0 (0x0)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=1 (0x1)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispAppearancePage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoRecentDocsNetHood"=0 (0x0)
    "NoInstrumentation"=0 (0x0)
    "NoSimpleStartMenu"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "NoLogOff"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoRecentDocsNetHood"=0 (0x0)
    "NoUserNameInStartMenu"=1 (0x1)
    "NoInstrumentation"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "ForceStartMenuLogoff"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoLogOff"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"=1 (0x1)
    "NoRecentDocsHistory"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoClose"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "NoRun"=0 (0x0)
    "NoFind"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoRecentDocsMenu"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "StartMenuLogoff"=0 (0x0)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=wbsys.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    R0 AFPAnsi;CafeSuite File Protector;C:\WINDOWS\system32\AFPAnsi.sys
    R2 CafeAgent;CafeAgent of CafeSuite;C:\WINDOWS\system32\CafeAgent.exe /service
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService Alerter WebClient LmHosts upnphost SSDPSRV

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d5145c2-81eb-11dc-ad65-0050babdfc67}]
    \Shell\AutoRun\command - ntdelect.com
    \Shell\explore\Command - ntdelect.com
    \Shell\open\Command - ntdelect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41596452-7d2d-11dc-ad5c-0050babdfc67}]
    \Shell\AutoPlay\command - wscript.exe \Haha.js
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
    \Shell\Explore\command - wscript.exe \Haha.js -Clicked
    \Shell\Open\command - wscript.exe \Haha.js
    \Shell\Scan for Viruses\command - wscript.exe \Haha.js
    \Shell\Scan with AVG\command - wscript.exe \Haha.js
    \Shell\Scan with Norton AntiVirus\command - wscript.exe \Haha.js

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409fe-82b2-11dc-ad67-0050babdfc67}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
    \Shell\Explore\command - E:\Flash.10.Setup.exe
    \Shell\Open\command - E:\Flash.10.Setup.exe
    \Shell\Scan for Viruses\command - E:\Scanner.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409ff-82b2-11dc-ad67-0050babdfc67}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b4-7eb3-11dc-ad5e-0050babdfc67}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b5-7eb3-11dc-ad5e-0050babdfc67}]
    \Shell\Auto\command - RavMon.exe
    \Shell\AutoRun\command - RavMon.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5e9a07f-8758-11dc-ad71-0050babdfc67}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
    \Shell\Explore\command - E:\Flash.10.Setup.exe
    \Shell\Open\command - E:\Flash.10.Setup.exe
    \Shell\Scan for Viruses\command - E:\Scanner.exe

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 11:29:12
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-02 11:30:01
    C:\ComboFix3.txt ... 2007-11-01 09:25
    C:\ComboFix2.txt ... 2007-11-01 13:56
    .
    --- E O F ---
     
    z4u,
    #5
  7. 2007/11/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I made an oversight in my last instructions, therefore we need to do a repeat. Sorry.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d5145c2-81eb-11dc-ad65-0050babdfc67}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41596452-7d2d-11dc-ad5c-0050babdfc67}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409fe-82b2-11dc-ad67-0050babdfc67}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72409ff-82b2-11dc-ad67-0050babdfc67}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b4-7eb3-11dc-ad5e-0050babdfc67}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c88971b5-7eb3-11dc-ad5e-0050babdfc67}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5e9a07f-8758-11dc-ad71-0050babdfc67}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  8. 2007/11/04
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Sorry, I was on holiday. Here is the fresh HijackThis log. While ComboFix was running I received an error:
    "sed.cfexe has encountered a problem and needs to close. We are sorry for the inconvenience." And as you mentioned, the computer should have restarted, but it didn't; after finishing, a log appeared. Here is the detail of the log. Thanks.
    ComboFix 07-11-01.1** - P14 2007-11-05 9:52:47.4 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT 8:00]
    Running from: C:\Documents and Settings\P14\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\P14\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\knight.exe
    C:\WINDOWS\recover.reg

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
    .

    2007-11-01 17:28 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Yahoo!
    2007-11-01 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-11-01 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-01 16:05 <DIR> d-------- C:\Documents and Settings\P14\Application Data\JustVoip
    2007-11-01 09:29 <DIR> d-------- C:\Program Files\FRISK Software
    2007-11-01 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
    2007-11-01 09:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-31 21:29 <DIR> d-------- C:\Program Files\Conference
    2007-10-31 15:55 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQDoctor
    2007-10-31 09:34 <DIR> d-------- C:\WINDOWS\system32\qqedit
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Tencent
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQ
    2007-10-31 09:34 147,456 --a------ C:\WINDOWS\system32\Scrax.dll
    2007-10-31 09:34 135,168 --a------ C:\WINDOWS\system32\SSup.dll
    2007-10-31 09:33 <DIR> d-------- C:\Program Files\Tencent
    2007-10-27 16:59 <DIR> d-------- C:\Program Files\LowRateVoip
    2007-10-27 16:59 <DIR> d-------- C:\Documents and Settings\P14\Application Data\LowRateVoip
    2007-10-25 13:05 <DIR> d-------- C:\Program Files\Stardock
    2007-10-25 13:05 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
    2007-10-25 13:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2007-10-22 12:35 <DIR> d-------- C:\Program Files\Netscape
    2007-10-22 12:35 <DIR> d-------- C:\Documents and Settings\P14\WINDOWS
    2007-10-22 12:35 633,560 --a------ C:\WINDOWS\cd32.exe
    2007-10-22 12:35 299,520 --a------ C:\WINDOWS\uninst.exe
    2007-10-22 12:35 61,952 --a------ C:\WINDOWS\system32\nabapi32.dll
    2007-10-19 22:02 <DIR> d-------- C:\Documents and Settings\P14\Application Data\AdobeUM
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\dllcache\redbook.sys
    2007-10-18 12:00 40,296 --a------ C:\Documents and Settings\P14\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\Profiles
    2007-10-11 13:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\Documents and Settings\P14\Application Data\InterTrust
    2007-10-11 13:07 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2007-10-10 19:50 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 19:50 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-10 19:50 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 19:50 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 19:50 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 19:50 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 19:50 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 19:50 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 18:25 <DIR> d-------- C:\Program Files\Avira
    2007-10-10 18:20 524,800 --a------ C:\WINDOWS\system32\CafeAgent.exe
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\dllcache\ftlx041e.dll
    2007-10-10 18:04 <DIR> d-------- C:\Program Files\MSN Apps
    2007-10-10 18:04 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2007-10-10 18:04 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-10-10 18:04 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2007-10-10 18:04 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2007-10-10 18:02 <DIR> d-------- C:\WINDOWS\pss
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Real
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\Real
    2007-10-10 17:55 <DIR> d--hs---- C:\Recycled
    2007-10-10 17:51 <DIR> d-------- C:\Program Files\Yahoo!
    2007-10-10 17:48 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-10-10 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-10 17:46 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2007-10-10 17:43 <DIR> d-------- C:\WINDOWS\ShellNew
    2007-10-10 17:43 <DIR> d-------- C:\Program Files\Common Files\L&H
    2007-10-10 17:00 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-10 17:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-10 16:41 31,864 --a------ C:\WINDOWS\nsreg.dat
    2007-10-10 16:40 <DIR> d-------- C:\Program Files\Canon
    2007-10-10 16:40 25,584 --a------ C:\WINDOWS\system32\aucplmNT.dll
    2007-10-10 16:40 2,301 --a------ C:\WINDOWS\mozver.dat
    2007-10-10 16:38 <DIR> d-------- C:\WINDOWS\Cache
    2007-10-10 16:37 <DIR> d-------- C:\Program Files\NJStar Communicator
    2007-10-10 16:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-10 16:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\mIRC
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\DFX
    2007-10-10 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
    2007-10-10 16:28 <DIR> d-------- C:\Program Files\Winamp
    2007-10-10 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\dllcache\wdmaud.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\dllcache\swmidi.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\dllcache\dmusic.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\dllcache\splitter.sys
    2007-10-10 16:26 <DIR> d-------- C:\Program Files\SiS7012
    2007-10-10 16:25 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-10-10 16:25 <DIR> d--hs---- C:\Documents and Settings\P14\UserData
    2007-10-10 16:23 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-10-10 16:07 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2007-10-10 16:06 113,222 --a------ C:\WINDOWS\system32\dllcache\zoneclim.dll
    2007-10-10 16:06 41,029 --a------ C:\WINDOWS\system32\dllcache\zcorem.dll
    2007-10-10 16:06 36,937 --a------ C:\WINDOWS\system32\dllcache\zclientm.exe
    2007-10-10 16:06 29,760 --a------ C:\WINDOWS\system32\dllcache\znetm.dll
    2007-10-10 16:06 13,894 --a------ C:\WINDOWS\system32\dllcache\zonelibm.dll
    2007-10-10 16:06 4,677 --a------ C:\WINDOWS\system32\dllcache\zeeverm.dll
    2007-10-10 16:03 1,175,635 --a------ C:\WINDOWS\system32\dllcache\hrtzres.dll
    2007-10-10 16:03 57,409 --a------ C:\WINDOWS\system32\dllcache\hrtz.dll
    2007-10-10 16:03 42,573 --a------ C:\WINDOWS\system32\dllcache\hrtzzm.exe
    2007-10-10 16:03 39,936 --a------ C:\WINDOWS\system32\dllcache\hostmib.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-10 08:24 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
    2007-10-10 07:35 --------- d-----w C:\Program Files\microsoft frontpage
    2007-10-10 06:32 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
    2007-10-10 06:32 1,580,544 ----a-w C:\WINDOWS\system32\sfcfiles.dll
    2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-20 07:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-01_ 9.23.39.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    + 2007-07-20 04:01:52 767,280 ----a-w C:\WINDOWS\system32\ArcaMicroScanUpdater.exe
    + 2007-07-20 02:34:38 847,872 ----a-w C:\WINDOWS\system32\ArcaOnline.dll
    + 2005-03-04 06:01:24 139,264 ----a-w C:\WINDOWS\system32\ArcaOnlineUninstall.exe
    - 2007-09-07 04:05:20 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2007-11-01 02:31:20 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2002-01-05 04:48:16 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent "= "C:\WINDOWS\system32\cafeagent.exe" [2005-03-22 16:39]
    "avgnt "= "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-01 10:31]
    "stup.exe "= "C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll" [2007-09-29 10:09]
    "Disk Knight "= "C:\WINDOWS\Knight.exe" []
    "YSearchProtection "= "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
    "JustVoip "= "C:\Program Files\JustVoip.com\JustVoip\JustVoip.exe" []
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
    "YSearchProtection "= "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent "=C:\WINDOWS\system32\cafeagent.exe /normal

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=0 (0x0)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=0 (0x0)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=1 (0x1)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "NoDispCPL "=0 (0x0)
    "NoDispAppearancePage "=0 (0x0)
    "NoDispScrSavPage "=0 (0x0)
    "NoDispSettingsPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoRecentDocsNetHood "=0 (0x0)
    "NoInstrumentation "=0 (0x0)
    "NoSimpleStartMenu "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "NoLogOff "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoRecentDocsNetHood "=0 (0x0)
    "NoUserNameInStartMenu "=1 (0x1)
    "NoInstrumentation "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "ForceStartMenuLogoff "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoLogOff "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "=1 (0x1)
    "NoRecentDocsHistory "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoActiveDesktopChanges "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoViewContextMenu "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "NoClose "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "NoRun "=0 (0x0)
    "NoFind "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "StartMenuLogoff "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=wbsys.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    R0 AFPAnsi;CafeSuite File Protector;C:\WINDOWS\system32\AFPAnsi.sys
    R2 CafeAgent;CafeAgent of CafeSuite;C:\WINDOWS\system32\CafeAgent.exe /service
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService Alerter WebClient LmHosts upnphost SSDPSRV

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3a030ea-88e2-11dc-ad75-0050babdfc67}]
    \Shell\auto\command - E:\Knight.exe open
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
    \Shell\explore\command - E:\Knight.exe open
    \Shell\find\command - E:\Knight.exe open
    \Shell\install\command - E:\Knight.exe open
    \Shell\open\command - E:\Knight.exe open

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-05 09:54:10
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-05 9:56:36
    C:\ComboFix3.txt ... 2007-11-01 13:56
    C:\ComboFix2.txt ... 2007-11-02 11:30
    .
    --- E O F ---
     
    z4u,
    #7
  9. 2007/11/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks like we got em that time. :cool:

    Now, a bit of background information on the new files removed by ComboFix ........ knight.exe and recover.exe

    You will also see the following entries in the log.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Disk Knight "= "C:\WINDOWS\Knight.exe" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3a030ea-88e2-11dc-ad75-0050babdfc67}]
    \Shell\auto\command - E:\Knight.exe open
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
    \Shell\explore\command - E:\Knight.exe open
    \Shell\find\command - E:\Knight.exe open
    \Shell\install\command - E:\Knight.exe open
    \Shell\open\command - E:\Knight.exe open

    These were all placed there by a USB flash drive. Now, the info.

    Background Info from Sophos > Mistaken identity of a security program

    Subsequently, the author of ComboFix added the files for removal. If you knowingly used the program, you might reconsider, else be very aware that any of those flash drives used outside of your network will 'infect' any computer they get plugged into. Should you decide to remove it completely and require help doing so, let me know.


    How's the computer performing now?
     
  10. 2007/11/05
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Hi, today I checked my system. It's still under virus attack, and Avira keeps detecting but not deleting.
    I have scanned with Avira; it found viruses but they can't be removed. Here is the virus result plus the ComboFix log result, please have a look. I can't go into Safe Mode; in Safe Mode Windows hangs.
    AntiVir PersonalEdition Classic
    Report file date: Tuesday, November 06, 2007 08:22

    Scanning for 916490 virus strains and unwanted programs.

    Licensed to: Avira AntiVir PersonalEdition Classic
    Serial number: 0000149996-ADJIE-0001
    Platform: Windows XP
    Windows version: (Service Pack 2) [5.1.2600]
    Username: SYSTEM
    Computer name: PC14

    Version information:
    BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
    AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 06:16:30
    AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 05:23:52
    LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 08:32:48
    LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 05:35:22
    ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 11:30:54
    ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 11:30:56
    ANTIVIR2.VDF : 7.0.0.172 1092608 Bytes 11/5/2007 15:42:40
    ANTIVIR3.VDF : 7.0.0.173 2048 Bytes 11/5/2007 15:42:40
    AVEWIN32.DLL : 7.6.0.30 3056128 Bytes 11/1/2007 02:31:20
    AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 03:36:28
    AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 00:39:18
    AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 06:16:24
    AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 01:46:02
    AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 00:17:08
    AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 05:26:34
    AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 00:10:20
    NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 04:09:44
    RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 05:38:14
    RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 05:50:38
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 02:37:22

    Configuration settings for the scan:
    Jobname..........................: Complete system scan
    Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
    Logging..........................: low
    Primary action...................: repair
    Secondary action.................: delete
    Scan master boot sector..........: off
    Scan boot sector.................: on
    Boot sectors.....................: D:,
    Scan memory......................: on
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: Intelligent file selection
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: Tuesday, November 06, 2007 08:22

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'mdm.exe' - '1' Module(s) have been scanned
    Scan process 'CafeAgent.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'SearchProtection.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'Rundll32.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    26 processes with 26 modules were scanned

    Start scanning boot sectors:
    Boot sector 'C:\'
    [NOTE] No virus was found!
    Boot sector 'D:\'
    [NOTE] No virus was found!

    Starting to scan the registry.
    C:\WINDOWS\system32\urqoonn.dll
    [DETECTION] Is the Trojan horse TR/Dldr.Agent.dlu
    [WARNING] The file could not be deleted!
    C:\WINDOWS\system32\urqoonn.dll
    [DETECTION] Is the Trojan horse TR/Dldr.Agent.dlu
    C:\WINDOWS\system32\winpdc32.dll
    [DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
    [WARNING] The file could not be deleted!
    C:\WINDOWS\system32\winpdc32.dll
    [DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen

    The registry was scanned ( '26' files ).


    Starting the file scan:

    Begin scan in 'C:\' <PC14>
    C:\PAGEFILE.SYS
    [WARNING] The file could not be opened!
    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\taskmgr.exe
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\urqoonn.dll
    [DETECTION] Is the Trojan horse TR/Dldr.Agent.dlu
    [WARNING] The file could not be deleted!
    C:\WINDOWS\system32\winpdc32.dll
    [DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
    [WARNING] The file could not be deleted!
    C:\System Volume Information\_restore{C84A62ED-1FF0-4277-A753-380F011F40BB}\RP44\A0012396.exe
    [DETECTION] Contains detection pattern of the Windows virus W32/Virut.AV
    [INFO] The file was deleted!
    C:\System Volume Information\_restore{C84A62ED-1FF0-4277-A753-380F011F40BB}\RP44\A0012399.sys
    [DETECTION] Is the Trojan horse TR/Rootkit.Gen
    [INFO] The file was deleted!
    C:\System Volume Information\_restore{C84A62ED-1FF0-4277-A753-380F011F40BB}\RP44\A0014409.exe
    [DETECTION] Is the Trojan horse TR/SPY.KeyLogger.RP.24
    [INFO] The file was deleted!
    C:\System Volume Information\_restore{C84A62ED-1FF0-4277-A753-380F011F40BB}\RP44\A0014411.sys
    [DETECTION] Is the Trojan horse TR/Rootkit.Gen
    [INFO] The file was deleted!
    Begin scan in 'D:\'


    End of the scan: Tuesday, November 06, 2007 08:44
    Used time: 21:43 min

    The scan has been done completely.

    2623 Scanning directories
    165946 Files were scanned
    8 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    4 files were deleted
    0 files were repaired
    0 files were moved to quarantine
    0 files were renamed
    3 Files cannot be scanned
    165938 Files not concerned
    10526 Archives were scanned
    7 Warnings
    0 Notes

    ComboFix log, please have a look at it.
    ComboFix 07-11-01.1** - P14 2007-11-06 8:52:17.5 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.87 [GMT 8:00]
    Running from: C:\Documents and Settings\P14\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\knight.exe
    C:\WINDOWS\recover.reg
    C:\WINDOWS\system32\0_exception.nls
    C:\WINDOWS\system32\awtqr.dll
    C:\WINDOWS\system32\drivers\runtime2.sy_
    C:\WINDOWS\system32\drivers\runtime2.sys
    C:\WINDOWS\system32\jkhfg.dll
    C:\WINDOWS\system32\rqtwa.bak1
    C:\WINDOWS\system32\rqtwa.bak2
    C:\WINDOWS\system32\rqtwa.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_RUNTIME
    -------\LEGACY_RUNTIME2
    -------\runtime


    ((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
    .

    2007-11-06 08:27 83,008 --a------ C:\WINDOWS\system32\jaltmdke.dll
    2007-11-06 08:24 85,568 --a------ C:\WINDOWS\system32\rmvgdqil.dll
    2007-11-05 17:32 <DIR> d-------- C:\kav
    2007-11-05 17:09 21,504 --------- C:\WINDOWS\system32\winpdc32.dll
    2007-11-05 17:08 44,032 --------- C:\WINDOWS\system32\urqoonn.dll
    2007-11-01 17:28 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Yahoo!
    2007-11-01 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-11-01 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-01 16:05 <DIR> d-------- C:\Documents and Settings\P14\Application Data\JustVoip
    2007-11-01 09:29 <DIR> d-------- C:\Program Files\FRISK Software
    2007-11-01 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
    2007-11-01 09:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-31 21:29 <DIR> d-------- C:\Program Files\Conference
    2007-10-31 15:55 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQDoctor
    2007-10-31 09:34 <DIR> d-------- C:\WINDOWS\system32\qqedit
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Tencent
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQ
    2007-10-31 09:34 147,456 --a------ C:\WINDOWS\system32\Scrax.dll
    2007-10-31 09:34 135,168 --a------ C:\WINDOWS\system32\SSup.dll
    2007-10-31 09:33 <DIR> d-------- C:\Program Files\Tencent
    2007-10-27 16:59 <DIR> d-------- C:\Program Files\LowRateVoip
    2007-10-27 16:59 <DIR> d-------- C:\Documents and Settings\P14\Application Data\LowRateVoip
    2007-10-25 13:05 <DIR> d-------- C:\Program Files\Stardock
    2007-10-25 13:05 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
    2007-10-25 13:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2007-10-22 12:35 <DIR> d-------- C:\Program Files\Netscape
    2007-10-22 12:35 <DIR> d-------- C:\Documents and Settings\P14\WINDOWS
    2007-10-22 12:35 633,560 --a------ C:\WINDOWS\cd32.exe
    2007-10-22 12:35 299,520 --a------ C:\WINDOWS\uninst.exe
    2007-10-22 12:35 61,952 --a------ C:\WINDOWS\system32\nabapi32.dll
    2007-10-19 22:02 <DIR> d-------- C:\Documents and Settings\P14\Application Data\AdobeUM
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\dllcache\redbook.sys
    2007-10-18 12:00 40,296 --a------ C:\Documents and Settings\P14\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\Profiles
    2007-10-11 13:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\Documents and Settings\P14\Application Data\InterTrust
    2007-10-11 13:07 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2007-10-10 19:50 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 19:50 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-10 19:50 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 19:50 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 19:50 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 19:50 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 19:50 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 19:50 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 18:25 <DIR> d-------- C:\Program Files\Avira
    2007-10-10 18:20 524,800 --a------ C:\WINDOWS\system32\CafeAgent.exe
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\dllcache\ftlx041e.dll
    2007-10-10 18:04 <DIR> d-------- C:\Program Files\MSN Apps
    2007-10-10 18:04 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2007-10-10 18:04 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-10-10 18:04 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2007-10-10 18:04 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2007-10-10 18:02 <DIR> d-------- C:\WINDOWS\pss
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Real
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\Real
    2007-10-10 17:55 <DIR> d--hs---- C:\Recycled
    2007-10-10 17:51 <DIR> d-------- C:\Program Files\Yahoo!
    2007-10-10 17:48 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-10-10 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-10 17:46 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2007-10-10 17:43 <DIR> d-------- C:\WINDOWS\ShellNew
    2007-10-10 17:43 <DIR> d-------- C:\Program Files\Common Files\L&H
    2007-10-10 17:00 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-10 17:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-10 16:41 31,864 --a------ C:\WINDOWS\nsreg.dat
    2007-10-10 16:40 <DIR> d-------- C:\Program Files\Canon
    2007-10-10 16:40 25,584 --a------ C:\WINDOWS\system32\aucplmNT.dll
    2007-10-10 16:40 2,301 --a------ C:\WINDOWS\mozver.dat
    2007-10-10 16:38 <DIR> d-------- C:\WINDOWS\Cache
    2007-10-10 16:37 <DIR> d-------- C:\Program Files\NJStar Communicator
    2007-10-10 16:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-10 16:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\mIRC
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\DFX
    2007-10-10 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
    2007-10-10 16:28 <DIR> d-------- C:\Program Files\Winamp
    2007-10-10 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\dllcache\wdmaud.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\dllcache\swmidi.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\dllcache\dmusic.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\dllcache\splitter.sys
    2007-10-10 16:26 <DIR> d-------- C:\Program Files\SiS7012
    2007-10-10 16:25 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-10-10 16:25 <DIR> d--hs---- C:\Documents and Settings\P14\UserData
    2007-10-10 16:23 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-10-10 16:07 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2007-10-10 16:06 113,222 --a------ C:\WINDOWS\system32\dllcache\zoneclim.dll
    2007-10-10 16:06 41,029 --a------ C:\WINDOWS\system32\dllcache\zcorem.dll
    2007-10-10 16:06 36,937 --a------ C:\WINDOWS\system32\dllcache\zclientm.exe
    2007-10-10 16:06 29,760 --a------ C:\WINDOWS\system32\dllcache\znetm.dll
    2007-10-10 16:06 13,894 --a------ C:\WINDOWS\system32\dllcache\zonelibm.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-10 08:24 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
    2007-10-10 07:35 --------- d-----w C:\Program Files\microsoft frontpage
    2007-10-10 06:32 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
    2007-10-10 06:32 1,580,544 ----a-w C:\WINDOWS\system32\sfcfiles.dll
    2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-20 07:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-01_ 9.23.39.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2007-07-20 04:01:52 767,280 ----a-w C:\WINDOWS\system32\ArcaMicroScanUpdater.exe
    + 2007-07-20 02:34:38 847,872 ----a-w C:\WINDOWS\system32\ArcaOnline.dll
    + 2005-03-04 06:01:24 139,264 ----a-w C:\WINDOWS\system32\ArcaOnlineUninstall.exe
    - 2007-09-07 04:05:20 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2007-11-01 02:31:20 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2002-01-05 04:48:16 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13e345e9-6506-47cb-9d24-0cb2f94ba737}]
    2007-11-06 08:27 83008 --a------ C:\WINDOWS\system32\jaltmdke.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{837B45D6-BF85-457D-AABF-6D2E7815F791}]
    2007-11-05 17:08 44032 --------- C:\WINDOWS\system32\urqoonn.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent "= "C:\WINDOWS\system32\cafeagent.exe" [2005-03-22 16:39]
    "avgnt "= "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-01 10:31]
    "MSConfig "= "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent "=C:\WINDOWS\system32\cafeagent.exe /normal

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=1 (0x1)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)
    "NoDispCPL "=0 (0x0)
    "NoDispAppearancePage "=0 (0x0)
    "NoDispScrSavPage "=0 (0x0)
    "NoDispSettingsPage "=0 (0x0)
    "DisableTaskMgr "=0 (0x0)
    "DisableRegistryTools "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=1 (0x1)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=0 (0x0)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "NoDispCPL "=0 (0x0)
    "NoDispAppearancePage "=0 (0x0)
    "NoDispScrSavPage "=0 (0x0)
    "NoDispSettingsPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)
    "DisableTaskMgr "=0 (0x0)
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoRecentDocsNetHood "=1 (0x1)
    "NoInstrumentation "=0 (0x0)
    "NoSimpleStartMenu "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "NoActiveDesktopChanges "=0 (0x0)
    "NoActiveDesktop "=1 (0x1)
    "ForceActiveDesktopOn "=0 (0x0)
    "NoViewContextMenu "=0 (0x0)
    "NoDesktop "=0 (0x0)
    "NoClose "=0 (0x0)
    "NoRun "=0 (0x0)
    "NoFind "=0 (0x0)
    "StartMenuLogoff "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoRecentDocsNetHood "=1 (0x1)
    "NoUserNameInStartMenu "=1 (0x1)
    "NoInstrumentation "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "ForceStartMenuLogoff "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoLogOff "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoActiveDesktopChanges "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoViewContextMenu "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "NoClose "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoStartMenuMorePrograms "=0 (0x0)
    "NoStartMenuMFUprogramsList "=0 (0x0)
    "NoStartMenuPinnedList "=0 (0x0)
    "NoRun "=0 (0x0)
    "NoFind "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "StartMenuLogoff "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoActiveDesktop "=1 (0x1)
    "ForceActiveDesktopOn "=0 (0x0)
    "NoDesktop "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{837B45D6-BF85-457D-AABF-6D2E7815F791} "= C:\WINDOWS\system32\urqoonn.dll [2007-11-05 17:08 44032]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqoonn]
    urqoonn.dll 2007-11-05 17:08 44032 C:\WINDOWS\system32\urqoonn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]
    winpdc32.dll 2007-11-05 17:09 21504 C:\WINDOWS\system32\winpdc32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=wbsys.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\awtqr.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\10451673]
    rundll32.exe "C:\WINDOWS\system32\rmvgdqil.dll ",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]
    Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

    R0 AFPAnsi;CafeSuite File Protector;C:\WINDOWS\system32\AFPAnsi.sys
    R2 CafeAgent;CafeAgent of CafeSuite;C:\WINDOWS\system32\CafeAgent.exe /service
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService Alerter WebClient LmHosts upnphost SSDPSRV

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b7970c-8b7f-11dc-ad7b-0050babdfc67}]
    \Shell\auto\command - E:\Knight.exe open
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
    \Shell\explore\command - E:\Knight.exe open
    \Shell\find\command - E:\Knight.exe open
    \Shell\install\command - E:\Knight.exe open
    \Shell\open\command - E:\Knight.exe open

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3a030ea-88e2-11dc-ad75-0050babdfc67}]
    \Shell\auto\command - E:\Knight.exe open
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
    \Shell\explore\command - E:\Knight.exe open
    \Shell\find\command - E:\Knight.exe open
    \Shell\install\command - E:\Knight.exe open
    \Shell\open\command - E:\Knight.exe open

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-06 09:03:26
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-06 9:05:31 - machine was rebooted
    C:\ComboFix3.txt ... 2007-11-02 11:30
    C:\ComboFix2.txt ... 2007-11-05 09:56
    .
    --- E O F ---
     
    z4u,
    #9
  11. 2007/11/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\jaltmdke.dll
    C:\WINDOWS\system32\rmvgdqil.dll
    C:\WINDOWS\system32\winpdc32.dll
    C:\WINDOWS\system32\urqoonn.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13e345e9-6506-47cb-9d24-0cb2f94ba737}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{837B45D6-BF85-457D-AABF-6D2E7815F791}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{837B45D6-BF85-457D-AABF-6D2E7815F791}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqoonn]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\10451673]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b7970c-8b7f-11dc-ad7b-0050babdfc67}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3a030ea-88e2-11dc-ad75-0050babdfc67}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Download and install AVG Anti-Spyware (AVG-AS)
    • When installation completes, start AVG-AS then click the Update tab at the top. Under Manual Update click Start update.
    • After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top.
    • Click the "Settings" tab and change the recommended action to Quarantine.
    • Select Do Not Automatically Generate a Report after Every Scan.
    • Go back to the "Scan" tab and click "Complete System Scan". This scan can take quite a while to run, so sit back and wait.
    • AVG-AS will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
    • Click the Apply all actions button. AVG-AS will display "All actions have been applied" on the right hand side.
    • Click on "Save Report", then "Save Report As". Save the report where you know you can find it again (like on the Desktop) and take note of the name.
    • Close AVG-AS and reboot.

    Please post the contents of a new HiJackThis log and the AVG-AS report.
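    The CFScript above deletes the loading points the log exposes. As an added example (not ComboFix's or noahdfear's code), the Python below runs a triage pass over the same Reg Loading Points lines: it flags the hijacked persistence points with the tells the fix relies on, decodes the hex(7) value that resets Authentication Packages to msv1_0, and drafts File:: / Registry:: entries in the syntax shown. The 30-day "recently written" threshold, the shell-verb rule for mountpoints2 and the sample text are my assumptions.

```python
"""Triage a ComboFix "Reg Loading Points" section and draft CFScript entries.
Added example, not ComboFix's own code; every rule here is a heuristic."""
import re
from datetime import date

# Constructed sample: lines copied from the Reg Loading Points posted above
# (the forum's stray space before "= removed).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13e345e9-6506-47cb-9d24-0cb2f94ba737}]
2007-11-06 08:27 83008 --a------ C:\WINDOWS\system32\jaltmdke.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqoonn]
urqoonn.dll 2007-11-05 17:08 44032 C:\WINDOWS\system32\urqoonn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqr.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66b7970c-8b7f-11dc-ad7b-0050babdfc67}]
\Shell\auto\command - E:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - E:\Knight.exe open
\Shell\open\command - E:\Knight.exe open
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""
SCAN_DATE = date(2007, 11, 6)  # from the log header "2007-11-06 8:52:17"
RECENT_DAYS = 30               # "written just before the scan" threshold (assumed)
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}\b")


def parse_blocks(text):
    """Split the section into (key, [entry lines]) per [key] header."""
    blocks, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, lines))
            key, lines = line[1:-1], []
        elif line and key is not None:
            lines.append(line)
    if key is not None:
        blocks.append((key, lines))
    return blocks


def triage(text, scan_date=SCAN_DATE, recent_days=RECENT_DAYS):
    """Return (rule, key, detail) for loading points that look hijacked."""
    findings = []
    for key, lines in parse_blocks(text):
        lk = key.lower()
        if "\\winlogon\\notify\\" in lk or "browser helper objects" in lk:
            # Notify packages / BHOs run inside winlogon and IE; a DLL written
            # days before the scan is the tell (fastload.dll from 2001 passes).
            for line in lines:
                m = DATE_RE.search(line)
                if m and 0 <= (scan_date - date(*map(int, m.groups()))).days <= recent_days:
                    findings.append(("recent-loader", key, line.split()[-1]))
        elif lk.endswith("\\control\\lsa"):
            # Only msv1_0 belongs here; any extra DLL is loaded by LSASS at boot.
            for line in lines:
                m = re.search(r'"Authentication Packages\s*"=\s*(.*)', line, re.I)
                if m:
                    extra = [t for t in m[1].split() if t.lower() != "msv1_0"]
                    if extra:
                        findings.append(("lsa-auth-package", key, " ".join(extra)))
        elif "\\mountpoints2\\" in lk:
            # AutoRun is the only verb autoplay uses; binding open/explore/auto
            # means double-clicking the drive launches the binary instead.
            verbs = {}
            for line in lines:
                m = re.match(r"\\Shell\\(\w+)\\command - (.*)", line, re.I)
                if m and m[1].lower() != "autorun":
                    exes = re.findall(r"\S+\.exe", m[2], re.I)
                    if exes:
                        exe = exes[-1].rsplit("\\", 1)[-1]
                        verbs.setdefault(exe, set()).add(m[1])
            for exe, vs in verbs.items():
                findings.append(("drive-shell-hijack", key, f"{exe} via {','.join(sorted(vs))}"))
    return findings


def decode_multi_sz(value):
    """hex(7) REG_MULTI_SZ as the fix line writes it: one-byte chars, NUL-separated, double-NUL end."""
    raw = bytes(int(b, 16) for b in value.split(":", 1)[1].split(","))
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_multi_sz(strings):
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def draft_script(findings):
    """CFScript syntax from the post: [-key] deletes a key, "name"=hex(7):... rewrites a value."""
    files, regs = [], []
    for rule, key, detail in findings:
        if rule == "recent-loader":
            files.append(detail)
            regs.append(f"[-{key}]")
        elif rule == "lsa-auth-package":
            files.extend(detail.split())
            regs.append(f"[{key}]")
            regs.append(f'"Authentication Packages"={encode_multi_sz(["msv1_0"])}')
        elif rule == "drive-shell-hijack":
            regs.append(f"[-{key}]")
    return "\n".join(["File::", *files, "Registry::", *regs])
```

On the sample, triage() returns four findings (two recently written loader DLLs, the extra LSA package awtqr.dll, and Knight.exe bound to the auto/explore/open verbs) and leaves fastload.dll and LaunchU3.exe alone.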
     
  12. 2007/11/06
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Hi again, here is the ComboFix log and AVG Anti-Spyware result. I put the recommended action to Delete.
    ComboFix 07-11-06.4 - P14 2007-11-06 19:29:14.6 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT 8:00]
    Running from: C:\Documents and Settings\P14\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\P14\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\jaltmdke.dll
    C:\WINDOWS\system32\rmvgdqil.dll
    C:\WINDOWS\system32\urqoonn.dll
    C:\WINDOWS\system32\winpdc32.dll
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\jaltmdke.dll
    C:\WINDOWS\system32\rmvgdqil.dll
    C:\WINDOWS\system32\ststv.bak1
    C:\WINDOWS\system32\ststv.ini
    C:\WINDOWS\system32\urqoonn.dll
    C:\WINDOWS\system32\vtsts.dll
    C:\WINDOWS\system32\winpdc32.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
    .

    2007-11-05 17:32 <DIR> d-------- C:\kav
    2007-11-01 17:28 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Yahoo!
    2007-11-01 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-11-01 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-01 16:05 <DIR> d-------- C:\Documents and Settings\P14\Application Data\JustVoip
    2007-11-01 09:29 <DIR> d-------- C:\Program Files\FRISK Software
    2007-11-01 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
    2007-11-01 09:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-31 21:29 <DIR> d-------- C:\Program Files\Conference
    2007-10-31 15:55 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQDoctor
    2007-10-31 09:34 <DIR> d-------- C:\WINDOWS\system32\qqedit
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\Tencent
    2007-10-31 09:34 <DIR> d-------- C:\Documents and Settings\P14\Application Data\QQ
    2007-10-31 09:34 147,456 --a------ C:\WINDOWS\system32\Scrax.dll
    2007-10-31 09:34 135,168 --a------ C:\WINDOWS\system32\SSup.dll
    2007-10-31 09:33 <DIR> d-------- C:\Program Files\Tencent
    2007-10-27 16:59 <DIR> d-------- C:\Program Files\LowRateVoip
    2007-10-27 16:59 <DIR> d-------- C:\Documents and Settings\P14\Application Data\LowRateVoip
    2007-10-25 13:05 <DIR> d-------- C:\Program Files\Stardock
    2007-10-25 13:05 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
    2007-10-25 13:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2007-10-22 12:35 <DIR> d-------- C:\Program Files\Netscape
    2007-10-22 12:35 <DIR> d-------- C:\Documents and Settings\P14\WINDOWS
    2007-10-22 12:35 633,560 --a------ C:\WINDOWS\cd32.exe
    2007-10-22 12:35 299,520 --a------ C:\WINDOWS\uninst.exe
    2007-10-22 12:35 61,952 --a------ C:\WINDOWS\system32\nabapi32.dll
    2007-10-19 22:02 <DIR> d-------- C:\Documents and Settings\P14\Application Data\AdobeUM
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-10-19 22:02 57,472 --a------ C:\WINDOWS\system32\dllcache\redbook.sys
    2007-10-18 12:00 40,296 --a------ C:\Documents and Settings\P14\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\WINDOWS\Profiles
    2007-10-11 13:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-11 13:07 <DIR> d-------- C:\Documents and Settings\P14\Application Data\InterTrust
    2007-10-11 13:07 306,688 --a------ C:\WINDOWS\IsUninst.exe
    2007-10-10 19:50 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 19:50 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-10-10 19:50 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 19:50 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 19:50 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 19:50 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 19:50 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 19:50 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 18:25 <DIR> d-------- C:\Program Files\Avira
    2007-10-10 18:20 524,800 --a------ C:\WINDOWS\system32\CafeAgent.exe
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
    2007-10-10 18:16 6,144 --a------ C:\WINDOWS\system32\dllcache\ftlx041e.dll
    2007-10-10 18:04 <DIR> d-------- C:\Program Files\MSN Apps
    2007-10-10 18:04 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2007-10-10 18:04 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-10-10 18:04 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2007-10-10 18:04 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2007-10-10 18:02 <DIR> d-------- C:\WINDOWS\pss
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Real
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-10-10 17:56 <DIR> d-------- C:\Program Files\Common Files\Real
    2007-10-10 17:55 <DIR> d--hs---- C:\Recycled
    2007-10-10 17:51 <DIR> d-------- C:\Program Files\Yahoo!
    2007-10-10 17:48 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-10-10 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-10 17:46 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2007-10-10 17:43 <DIR> d-------- C:\WINDOWS\ShellNew
    2007-10-10 17:43 <DIR> d-------- C:\Program Files\Common Files\L&H
    2007-10-10 17:00 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-10 17:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-10 16:41 31,864 --a------ C:\WINDOWS\nsreg.dat
    2007-10-10 16:40 <DIR> d-------- C:\Program Files\Canon
    2007-10-10 16:40 25,584 --a------ C:\WINDOWS\system32\aucplmNT.dll
    2007-10-10 16:40 2,301 --a------ C:\WINDOWS\mozver.dat
    2007-10-10 16:38 <DIR> d-------- C:\WINDOWS\Cache
    2007-10-10 16:37 <DIR> d-------- C:\Program Files\NJStar Communicator
    2007-10-10 16:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-10 16:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\mIRC
    2007-10-10 16:35 <DIR> d-------- C:\Program Files\DFX
    2007-10-10 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
    2007-10-10 16:28 <DIR> d-------- C:\Program Files\Winamp
    2007-10-10 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-10-10 16:27 82,944 --a------ C:\WINDOWS\system32\dllcache\wdmaud.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-10-10 16:27 54,272 --a------ C:\WINDOWS\system32\dllcache\swmidi.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-10-10 16:27 52,864 --a------ C:\WINDOWS\system32\dllcache\dmusic.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-10-10 16:27 6,400 --a------ C:\WINDOWS\system32\dllcache\splitter.sys
    2007-10-10 16:26 <DIR> d-------- C:\Program Files\SiS7012
    2007-10-10 16:25 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-10-10 16:25 <DIR> d--hs---- C:\Documents and Settings\P14\UserData
    2007-10-10 16:23 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-10-10 16:07 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2007-10-10 16:06 113,222 --a------ C:\WINDOWS\system32\dllcache\zoneclim.dll
    2007-10-10 16:06 41,029 --a------ C:\WINDOWS\system32\dllcache\zcorem.dll
    2007-10-10 16:06 36,937 --a------ C:\WINDOWS\system32\dllcache\zclientm.exe
    2007-10-10 16:06 29,760 --a------ C:\WINDOWS\system32\dllcache\znetm.dll
    2007-10-10 16:06 13,894 --a------ C:\WINDOWS\system32\dllcache\zonelibm.dll
    2007-10-10 16:06 4,677 --a------ C:\WINDOWS\system32\dllcache\zeeverm.dll
    2007-10-10 16:03 1,175,635 --a------ C:\WINDOWS\system32\dllcache\hrtzres.dll
    2007-10-10 16:03 57,409 --a------ C:\WINDOWS\system32\dllcache\hrtz.dll
    2007-10-10 16:03 42,573 --a------ C:\WINDOWS\system32\dllcache\hrtzzm.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-10 08:24 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
    2007-10-10 07:35 --------- d-----w C:\Program Files\microsoft frontpage
    2007-10-10 06:32 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
    2007-10-10 06:32 1,580,544 ----a-w C:\WINDOWS\system32\sfcfiles.dll
    2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-20 07:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-01_ 9.23.39.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    + 2007-07-20 04:01:52 767,280 ----a-w C:\WINDOWS\system32\ArcaMicroScanUpdater.exe
    + 2007-07-20 02:34:38 847,872 ----a-w C:\WINDOWS\system32\ArcaOnline.dll
    + 2005-03-04 06:01:24 139,264 ----a-w C:\WINDOWS\system32\ArcaOnlineUninstall.exe
    - 2007-09-07 04:05:20 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2007-11-01 02:31:20 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2002-01-05 04:48:16 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
    - 2007-04-02 06:21:28 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-07-22 10:39:28 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent"="C:\WINDOWS\system32\cafeagent.exe" [2005-03-22 16:39]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-01 10:31]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent"=C:\WINDOWS\system32\cafeagent.exe /normal

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=0 (0x0)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispAppearancePage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "DisableTaskMgr"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=0 (0x0)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispAppearancePage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "DisableTaskMgr"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=1 (0x1)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispAppearancePage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoRecentDocsNetHood"=0 (0x0)
    "NoInstrumentation"=0 (0x0)
    "NoSimpleStartMenu"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoActiveDesktop"=1 (0x1)
    "ForceActiveDesktopOn"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoDesktop"=0 (0x0)
    "NoClose"=0 (0x0)
    "NoRun"=0 (0x0)
    "NoFind"=0 (0x0)
    "StartMenuLogoff"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoRecentDocsNetHood"=0 (0x0)
    "NoUserNameInStartMenu"=1 (0x1)
    "NoInstrumentation"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "ForceStartMenuLogoff"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoActiveDesktop"=1 (0x1)
    "ForceActiveDesktopOn"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoDesktop"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoClose"=0 (0x0)
    "NoRun"=0 (0x0)
    "NoFind"=0 (0x0)
    "StartMenuLogoff"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"=1 (0x1)
    "NoRecentDocsHistory"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoClose"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoStartMenuMorePrograms"=0 (0x0)
    "NoStartMenuMFUprogramsList"=0 (0x0)
    "NoStartMenuPinnedList"=0 (0x0)
    "NoRun"=0 (0x0)
    "NoFind"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoRecentDocsMenu"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "StartMenuLogoff"=0 (0x0)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=wbsys.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]
    Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

    R0 AFPAnsi;CafeSuite File Protector;C:\WINDOWS\system32\AFPAnsi.sys
    R2 CafeAgent;CafeAgent of CafeSuite;C:\WINDOWS\system32\CafeAgent.exe /service
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService Alerter WebClient LmHosts upnphost SSDPSRV

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-06 19:34:56
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-06 19:36:13 - machine was rebooted
    C:\ComboFix3.txt ... 2007-11-05 09:56
    C:\ComboFix2.txt ... 2007-11-06 09:05
    .
    --- E O F ---

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 20:53 11/6/2007

    + Scan result:



    C:\System Volume Information\_restore{C84A62ED-1FF0-4277-A753-380F011F40BB}\RP43\A0011347.exe -> Worm.AutoRun.ao : Cleaned.
    C:\System Volume Information\_restore{C84A62ED-1FF0-4277-A753-380F011F40BB}\RP44\A0015425.exe -> Worm.AutoRun.ao : Cleaned.
    C:\qoobox\Quarantine\C\WINDOWS\Knight.exe.vir -> Worm.AutoRun.ao : Cleaned.


    ::Report end
     
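    The "Reg Loading Points" section of a log like the one above is what the helper is reading by eye: autostart images in odd places, lockdown policies flipped on, anything in AppInit_DLLs, and the AutoRun command that Explorer caches under MountPoints2 for a removable drive, which is the slot a Worm.AutoRun family uses to re-launch itself every time the stick is plugged in. As an added example (it is not from z4u's post, from ComboFix, or from this forum), here is a small Python triage script that pulls those four things out of that section. The sample input is constructed in ComboFix's format: the CafeAgent, avgnt, ctfmon, AppInit_DLLs and MountPoints2 lines mirror what the log shows, while the Knight Run value is invented for the sample so the location check has something to flag (the log only shows C:\WINDOWS\Knight.exe in quarantine, not a Run entry for it). The "suspicious location" rule and the list of lockdown policies are this example's own heuristics, not anything ComboFix does.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# The "Knight" Run value is invented for this example; the other lines mirror
# the kinds of entries the real section contains.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CafeAgent"="C:\WINDOWS\system32\cafeagent.exe" [2005-03-22 16:39]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-01 10:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Knight"="C:\WINDOWS\Knight.exe" [2007-10-31 09:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CafeAgent"=C:\WINDOWS\system32\cafeagent.exe /normal

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc07ecb8-7df0-11dc-ad5d-0050babdfc67}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "Name"=value
MOUNT_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$")  # MountPoints2 verb lines
DWORD_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")   # ComboFix prints DWORDs as "1 (0x1)"

# Policies that malware commonly flips on to keep the user from fighting back.
# (On a kiosk or cybercafe terminal some of these are set deliberately.)
LOCKDOWN_POLICIES = {"disabletaskmgr", "disableregistrytools",
                     "nofolderoptions", "nocontrolpanel", "norun"}
RUN_KEYS = ("\\run", "\\runonce", "\\runservices")


def image_path(value: str) -> str:
    """Return the executable path from a Run value, with or without quotes/switches."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted form: stop at the first " /switch" or the " [timestamp]" ComboFix appends.
    return re.split(r"\s+(?:/|\[)", value, maxsplit=1)[0]


def suspicious_location(path: str) -> bool:
    """Heuristic: autostart images dropped straight into the Windows root, a temp
    folder, a user profile or a RECYCLER folder deserve a look."""
    p = path.lower()
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
        return True
    return any(marker in p for marker in ("\\temp\\", "\\documents and settings\\", "\\recycler\\"))


def triage(log: str) -> Dict[str, List[str]]:
    """Walk the section line by line, tracking the current key, and collect findings."""
    findings: Dict[str, List[str]] = {
        "run_entries": [], "lockdown_policies": [], "appinit_dlls": [], "autorun_commands": []}
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = MOUNT_RE.match(line)
        if m and "\\mountpoints2\\" in key:
            findings["autorun_commands"].append(f"{m.group(1)}: {m.group(2)}")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if key.endswith(RUN_KEYS):
            path = image_path(value)
            if suspicious_location(path):
                findings["run_entries"].append(f"{name} -> {path}")
        elif "\\policies\\" in key and name.lower() in LOCKDOWN_POLICIES:
            d = DWORD_RE.match(value.strip())
            if d and int(d.group(1)) != 0:
                hive = key.split("\\")[0]
                findings["lockdown_policies"].append(f"{hive}: {name}={d.group(1)}")
        elif name.lower() == "appinit_dlls" and value.strip():
            findings["appinit_dlls"].append(value.strip())
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

    Every hit is a lead, not a verdict. On the machine in this thread wbsys.dll belongs to Stardock's WindowBlinds (the Winlogon Notify\WB entry in the same log points at Stardock's fastload.dll), E:\LaunchU3.exe -a is the launcher a U3 flash drive presents, and a cybercafe terminal running CafeSuite is expected to carry some of the policy restrictions on purpose. The value of the script is that it surfaces those four classes of entry from a long log so they get checked against the file's publisher and the machine's role, rather than scrolled past.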
  13. noahdfear, 2007/11/06:
    Looks good. How are things working today?
     
  14. z4u, 2007/11/06:
    Heheh, thanks man, noahdfear. The system works fine and smoothly .....
    Thank you.
     
  15. noahdfear, 2007/11/07:
    Great! Let's clean up then. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created and quarantined.

    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    That should be a wrap. :)
     
  16. z4u, 2007/11/09:
    Thanks man, I have already uninstalled ComboFix, removed the System Restore points and created a new one. Thanks
    a lot man ...
     
  17. noahdfear, 2007/11/09:
    You're most welcome. Glad I could help. :)
     
