
Solved: remove infected system files ?

Discussion in 'Virus & Other Malware Removal' started by wello83, Feb 27, 2008.

  1. wello83

    wello83 Thread Starter

    Joined:
    Feb 2, 2008
    Messages:
    31
    My AVG, once I'd installed it, found some infected files, but when I try to remove them it pops up a warning that the removal might cause a system crash or whatsoever...
    So what shall I do? Do I have to provide any other information?
    I use Win XP SP2.


    Thanks in advance.
     
  2. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Can you post the results you got from AVG so we can see what they might be?

    Also, do this:


    Go to: Click here to download HJTsetup.exe
    • On that page, select one of the servers in the list under the Free Downloads heading
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Paste the log in your next reply.
    • Don't use the Analyse This button; its findings are dangerous if misinterpreted.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    _ _ _ _
    Please also do this:
    • Open Hijack This and click on the "Open the Misc Tools section" button.
    • Click on the "Open Uninstall Manager" button.
    • Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad.
    • Copy and paste that list here in your reply.
     
  3. wello83

    wello83 Thread Starter

    Joined:
    Feb 2, 2008
    Messages:
    31
    Other information I can provide:

    Very slow & unreasonable internet connection.
    I don't know how to provide you with the AVG results, but I think the autorun.inf in every drive is infected.
    I've used RegCure & Spyware Doctor.... they fix things, but without any noticeable effect on my performance.
    I ran an online scan with Trend Micro, but it crashed at the end and did not complete because of the slow connection, I think... note that I'm supposed to have a speed of 1024\256 kbps.

    Here's the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:38:07 AM, on 2/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
    C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\SkyTel.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6858 bytes

    -----

    Thank you for helping.
     
  4. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Hi,

    Where did you get AVG 8? A public beta? Or AVG Internet Security 8... the version you bought?

    I am looking around, and do see quite a bit about slowdowns with it.

    (And, in general, these full-featured suites do put a burden on computer resources, especially in the first day or two of use but the issue is supposed to decrease as you go on....)

    You didn't get this part of my reply:

    Please also do this:
    • Open Hijack This and click on the "Open the Misc Tools section" button.
    • Click on the "Open Uninstall Manager" button.
    • Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad.
    • Copy and paste that list here in your reply.


    I need that to help you; I have to know the exact name of AVG 8, as there are several different types.

    Here's the main FAQ section in Support> http://www.grisoft.com/ww.faq.num-436#faq_436


    I did find this in the Technical FAQ section for AVG Internet Security 8, which may not be exactly what you have there....




    Generally, the best option is to put any infected files in the Virus Vault or Quarantine area.... when an alert comes up, or you are scanning and a "virus detected" message comes up... don't just delete them.

    In your situation though, these may be false detections; it's a new program and these are going to happen. I would just wait and see if their Support can offer any help. You will have to give us some idea of which filenames, and locations, were detected.

    Have a look at this page of the FAQ's:

    http://www.grisoft.com/ww.faq.num-419#faq_419
     
  5. wello83

    wello83 Thread Starter

    Joined:
    Feb 2, 2008
    Messages:
    31
    Sorry, I didn't see that part earlier... but here it is:

    µTorrent
    3dsmax ancillary install
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge 1.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 1.0
    Adobe ExtendScript Toolkit 2
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Fonts All
    Adobe Help Center 2.0
    Adobe Help Viewer CS3
    Adobe Illustrator CS2
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS2
    Adobe Photoshop CS3
    Adobe Photoshop CS3
    Adobe Premiere Pro FC
    Adobe Production Studio
    Adobe Reader 7.0
    Adobe Setup
    Adobe Setup
    Adobe Setup
    Adobe Stock Photos 1.0
    Adobe Stock Photos 1.0
    Adobe Stock Photos CS3
    Adobe SVG Viewer 3.0
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Autodesk 3ds Max 2008 32-bit
    Autodesk 3ds Max 2008 32-bit Additional Maps and Material Libraries
    Autodesk 3ds Max 2008 32-bit Architectural Materials Library
    Autodesk 3ds Max 2008 32-bit Help
    Autodesk 3ds Max 2008 32-bit Vault 2008 Plug-In
    Autodesk 3ds Max 2008 32-bit Vault 5 Plug-In
    Autodesk 3ds Max 2008 32-bit Videos
    Autodesk 3ds Max 9 32-bit
    Autodesk DWF Viewer 7
    AVG 8.0
    Backburner
    DivX Codec
    DivX Converter
    FBX Plugin 2006.08 for Max 9.0
    FBX Plugin 2006.11.1 for Max 2008
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 2.0 (KB918842)
    J2SE Runtime Environment 5.0 Update 3
    Java(TM) 6 Update 3
    LimeWire PRO 4.14.10
    Macromedia Extension Manager
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Macromedia Flash Player 8
    Microsoft .NET Framework 2.0
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (2.0.0.12)
    MSXML 6.0 Parser
    Nero 8 Demo
    neroxml
    NVIDIA Drivers
    PDF Settings
    QuickTime
    Real Alternative 1.31
    Realtek High Definition Audio Driver
    RegCure 1.5.0.0
    SUPERAntiSpyware Free Edition
    Turbo Squid Tentacles 3ds Max 2008
    Update for Windows XP (KB898461)
    VCRedistSetup
    VideoLAN VLC media player 0.8.4
    V-Ray for 3dsmax R9 for x86
    Web Sudoku Deluxe 1.2
    Winamp (remove only)
    Windows Installer 3.1 (KB893803)
    Windows Live Messenger
    Windows Media Format Runtime
    WinRAR archiver
    WinSoftMEsti
    Yahoo! Messenger


    ------

    About AVG: I installed it after McAfee showed inefficiency due to my slowdown and earlier viruses... like drives that do not open normally, and I can't unhide hidden infected files from the Folder Options. It was advised by a friend; I got it from...
    "AVG Anti-Virus v8 Pro". The exe file name is "avg80f_62a1257.exe", and in the AVG title bar: "AVG Internet Security - Release Candidate".
    I think it's this one:
    www.grisoft.com/ww.download?prd=ais#tba1

    Thanks for helping.
     
  6. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Hi, OK I don't see anything wrong in the log.

    I would say the best thing to do is an online scan; make sure that when the scan completes, you save the report/results of the scan and post them.



    Housecall online scan:
    http://www.trendsecure.com/portal/en-US/tools/security_tools


    Or this one: Kaspersky online full scan
    • Please go HERE and click Free Online Scanner
    • Read and Accept the Agreement
    • You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • If you see a Windows dialog asking if you want to install this software, click the Install button.
    • The program will launch and then begin downloading the latest definition files.
    • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
    • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
    • Under "Please select a target to scan:", click My Computer to start the scan.
    • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
    • Copy and paste the contents of the online scanner results into a reply here in your thread, along with a new HJT log and the log from any other scans you run.


    That will give me the filenames and locations so I can tell what to do.
     
  7. wello83

    wello83 Thread Starter

    Joined:
    Feb 2, 2008
    Messages:
    31
    I've done a Kaspersky online scan, but I don't know if it has any healing options... anyway, here's the report you asked for:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, February 29, 2008 9:42:38 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 29/02/2008
    Kaspersky Anti-Virus database records: 542949
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 167560
    Number of viruses found: 2
    Number of infected objects: 7
    Number of suspicious objects: 0
    Duration of the scan process: 03:02:18

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgfw8u.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgam.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpub.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U3ZMZF5Z\w[1].bin Infected: Trojan-Downloader.Win32.Delf.evt skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\sherif compumood\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Temp\IMG9.tmp Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Temp\fla24.tmp Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
    C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
    C:\Documents and Settings\sherif compumood\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\foxmarks.log Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\cert8.db Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\key3.db Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\parent.lock Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\history.dat Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\sherif compumood\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-2-29-2008( 5-51-39 ).LOG Object is locked skipped
    C:\Documents and Settings\sherif compumood\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\sherif compumood\.housecall6.6\log\execution0.log Object is locked skipped
    C:\Documents and Settings\sherif compumood\.housecall6.6\log\error0.log Object is locked skipped
    C:\Documents and Settings\sherif compumood\.housecall6.6\log\engine0.log Object is locked skipped
    C:\Documents and Settings\sherif compumood\.housecall6.6\log\execution0.log.lck Object is locked skipped
    C:\Documents and Settings\sherif compumood\.housecall6.6\log\error0.log.lck Object is locked skipped
    C:\Documents and Settings\sherif compumood\.housecall6.6\log\engine0.log.lck Object is locked skipped
    C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
    C:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
    C:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP72\A0015817.SYS Infected: Trojan-Downloader.Win32.Delf.evt skipped
    C:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP73\change.log Object is locked skipped
    D:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
    E:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
    E:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP68\A0013729.exe Object is locked skipped
    E:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP68\A0013730.exe Object is locked skipped
    F:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
    G:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped

    Scan process completed.

    ------------------------------

    Hi again, so that was the report.
    I don't like that part about the infected autorun.inf, because as I said I used to have problems with opening my drives.
     
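To read a report like the one above without hand-counting, here is an added Python example (not part of the thread and not a Kaspersky tool): it parses the Online Scanner report format shown above, separates real detections from "Object is locked" entries, checks that the header counts agree with the lines actually listed, and lists which drive roots carry a flagged autorun.inf. The sample report is constructed from a subset of the lines above; the function and class names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# One "Infected Object Name / Virus Name / Last Action" line, e.g.
#   C:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
# In-use files the scanner could not open; these are not detections.
LOCKED_SUFFIX = " Object is locked skipped"
# Header counts from the "Scan Statistics" block.
COUNT_RE = re.compile(r"^Number of (viruses found|infected objects): (\d+)$")
# A drive-root autorun.inf such as D:\autorun.inf (the pattern seen on every drive above).
ROOT_AUTORUN_RE = re.compile(r"[A-Za-z]:\\autorun\.inf", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    name: str
    action: str  # the online scanner only reports, so this is always "skipped"

    def is_root_autorun(self) -> bool:
        return ROOT_AUTORUN_RE.fullmatch(self.path) is not None


@dataclass
class Report:
    findings: list = field(default_factory=list)
    locked: list = field(default_factory=list)
    declared: dict = field(default_factory=dict)

    def by_name(self) -> Counter:
        return Counter(f.name for f in self.findings)

    def autorun_drives(self) -> list:
        """Drive letters whose root autorun.inf was flagged."""
        return sorted(f.path[0].upper() for f in self.findings if f.is_root_autorun())

    def consistent(self) -> bool:
        """Do the header counts agree with the lines actually listed?"""
        return (self.declared.get("infected objects") == len(self.findings)
                and self.declared.get("viruses found") == len(self.by_name()))


def parse_report(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            rep.declared[m.group(1)] = int(m.group(2))
            continue
        if line.endswith(LOCKED_SUFFIX):
            rep.locked.append(line[: -len(LOCKED_SUFFIX)])
            continue
        m = INFECTED_RE.match(line)
        if m:
            rep.findings.append(Finding(m["path"], m["name"], m["action"]))
    return rep


def summarize(text: str) -> dict:
    """Condensed view of what needs attention, as a helper would read it."""
    rep = parse_report(text)
    return {
        "consistent": rep.consistent(),
        "viruses": dict(rep.by_name()),
        "autorun_drives": rep.autorun_drives(),
        "nothing_cleaned": all(f.action == "skipped" for f in rep.findings),
        "locked_objects": len(rep.locked),
    }


# Constructed sample: a subset of the report above with matching header counts.
SAMPLE = r"""
KASPERSKY ONLINE SCANNER REPORT
Friday, February 29, 2008 9:42:38 PM
-------------------------------------------------------------------------------

Scan Statistics:
Total number of scanned objects: 167560
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U3ZMZF5Z\w[1].bin Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
D:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
G:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped

Scan process completed.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```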
  8. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Hi, No, Kaspersky Online Scan does not heal or remove anything; we use it because it is a very thorough diagnostic and gives us a scan for all types of malware, not just trojans and viruses.

    Here are the files we need to deal with: Do NOT delete them, yet.

    Anyway, by "trouble opening drives" do you mean that without an autorun.inf file in each they don't open? Do you mean hard drives or partitions, or just USB flash drives, MP3 players, iPods...
    and CD/DVD drives? Did drive C: ever give you trouble?

    Let's experiment with one drive to start- remove all flash USB or USB external hard drives (don't just turn off, remove the cables)

    Set your Folder Options>View and Search settings this way:

    Boot up in Safe Mode:

    Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and please do not use Safe Mode with Networking for this fix!)

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account and log on.

    At the desktop:

    Pick a drive letter (but not C:) that is a hard disk or partition, not where Windows is installed, and not a CD drive. Use Windows Explorer and navigate to (driveletter)\autorun.inf, for example H:\autorun.inf.

    Right click the autorun.inf and select Properties, if it is marked read-only take the mark out.

    Delete the autorun.inf file and empty the Recycle Bin.

    Open My Computer> double click that same drive letter to see if it will open.

    If it opens> check for a new autorun.inf file; one might have been automatically re-created... let me know if one does show up. Or, let me know if autorun.inf is not there.

    Restart the computer normally. Now, you need to again check that that same drive letter will open by a double click, let me know.

    Let me know if it does not, and if an autorun.inf file is back on drive H: , or not there.

    Post the details.
     
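The drive-by-drive check in this post can be run over every drive root at once. As an added Python example (not from the thread and not an AVG, HijackThis or SDFix feature; the function names and the file name EXAMPLE_PAYLOAD.EXE are my own placeholders), it reports whether a root has an autorun.inf, whether it carries the read-only mark the instructions say to clear first, and which [autorun] keys would launch something on double-click, and it exercises the check against a constructed temporary directory standing in for a drive root.

```python
import stat
import tempfile
from pathlib import Path

# [autorun] keys that make Explorer run something when the drive is opened.
# The "Open with" prompt on double-click described in the thread is the usual
# symptom of a hijacked shell\open\command; icon/label only disguise the drive.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str):
    """Return (launch_directives, other_keys) from the [autorun] section."""
    section, launch, other = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launch.append((key, value))
        else:
            other[key] = value
    return launch, other


def check_root(root):
    """Inspect <root>\\autorun.inf: present? read-only? what would it launch?
    Returns a dict, or None when the root has no autorun.inf."""
    p = Path(root) / "autorun.inf"
    if not p.is_file():
        return None
    mode = p.stat().st_mode
    launch, other = parse_autorun(p.read_text(errors="replace"))
    return {
        "path": str(p),
        # Python maps the Windows read-only attribute onto the owner write bit,
        # so this test behaves the same on Windows and on POSIX.
        "read_only": not (mode & stat.S_IWUSR),
        "launch": launch,
        "other": other,
    }


# Constructed sample; EXAMPLE_PAYLOAD.EXE is a placeholder, not a real file name.
SAMPLE_AUTORUN = """\
[autorun]
open=EXAMPLE_PAYLOAD.EXE
shell\\open\\Command=EXAMPLE_PAYLOAD.EXE
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Local Disk
"""

# Constructed benign file: only cosmetic keys, nothing is launched.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Backup Disk
"""


def demo() -> tuple:
    """End-to-end run in a throwaway directory: returns
    (result for a root carrying SAMPLE_AUTORUN, result for a clean root)."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean = Path(tmp) / "F", Path(tmp) / "H"
        infected.mkdir()
        clean.mkdir()
        inf = infected / "autorun.inf"
        inf.write_text(SAMPLE_AUTORUN)
        inf.chmod(stat.S_IREAD)                  # simulate the read-only mark
        results = (check_root(infected), check_root(clean))
        inf.chmod(stat.S_IREAD | stat.S_IWRITE)  # clear it so cleanup can delete
        return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```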
  9. wello83

    wello83 Thread Starter

    Joined:
    Feb 2, 2008
    Messages:
    31
    Hi, and thanks for your efforts :D,

    Now, when I said I "used" to have problems with opening my drives, I meant I had that problem before, and it's explained as follows:

    Whenever I clicked to open any partition, including the one with Windows, and any other flash drives, BUT not the CD\DVD drives, it popped up the "Open with" dialogue box, and in the meantime the system was suffering slow performance and internet connection.

    Now that partition-opening problem is suddenly gone, I don't know how... maybe AVG did something, but the slow performance still exists, and then after the Kaspersky scan I noticed that the infection in the "autorun.inf" is still there as well.

    ---
    About what you told me to do:

    After deleting the autorun.inf in my "F" drive as instructed,
    I clicked to open it, and it did open, and did NOT find any other replacement autorun.inf file.
    I restarted in normal mode... and the same: the "F" drive opened with no trace of the autorun.inf.

    Let me know if anything is missing.

    Thank you again.

    Note: I think the system is faster now, but not as it used to be.
     
  10. Byteman

    Hi,

    Please do what is below- if you do not understand something, ask before using the tool.

    Please also have all external or USB drives connected before using the tool.

    SDFix runs only in Windows Safe Mode-

    Please read all through the info so you know what will be done.
    **Note that SDFix runs only in Safe Mode
    **Also> any user account that you boot into, in Safe Mode, has to be at Administrator user level...
    There is a Printable Version button up under the Thread Tools drop down menu that will let you print a nice text version of these instructions.
    Alternate way to save directions: Open Notepad> Copy and Paste any text you wish into Notepad, and Save the file as something you will recognize like TSGhelp.txt and save it onto your desktop.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  11. wello83

    Hi,
    Here's a question before doing what you've instructed:

    You wrote in your post that I have to log in at administrator level; then in later lines, in the "safe mode" part, you wrote to enter my usual account.

    Now here's my status: I'm the only user of my PC. I thought I had made an administrator user account to make a Windows password... but when I enter Safe Mode there is an Administrator account other than my usual account, which has my password, so I don't know if my usual account is administrative or not.

    I don't know why there is another administrator account that appears "ONLY" in Safe Mode, so anyway, which one should I enter?
     
  12. Byteman

    There is a hidden user account called Administrator on XP Home Edition that does not show when you log on in Normal Mode.

    *Don't use that one- you won't see your usual desktop and shortcuts, etc....

    *Use your normal user account provided it is an administrator level account- here is how to tell:

    When you start up in Normal Mode> if your user account name has "Administrator" just underneath it, that means your account is not a Limited account, and that you should log on to that account in Safe Mode to do the work.

    *The special Administrator account that you see in Safe Mode, has a blank password by default...that is, unless you or someone created one, there is no password for it. There is for your account, if you log on using a password.

    * All user accounts when created are Administrator level - any account can be changed later to a Limited account, but if no one has done that, your account should be OK and have Administrator rights so try it out.

    This should be your user account: sherif compumood
     
  13. wello83

    Hi,
    This is the SDFix report:

    SDFix: Version 1.150

    Run by sherif compumood on Mon 03/03/2008 at 02:04 AM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\autorun.inf - Deleted
    C:\WINDOWS\system32\comsa32.sys - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-03 02:41:53
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2008 32-bit"
    "C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
    "C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
    "C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
    "C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\00766461b1b00d8469999536d8f8d6e4\BIT35.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0091ab299e899a5920ad91739ad99c67\BIT37.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1230492412c0d92c55a03b0de671f167\BIT39.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\BIT3C.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9cdbfcd49200c55d94bb81819c80f2b\BIT3E.tmp"
    Tue 8 Jan 2008 6,934,488 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b6b8211a5dc0636ae3d15bf626ce10d3\BIT4.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a120212db9f8797932f46def01672fc\BIT3D.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0d4a7c846fe5e74c3056c3e240c1ffeb\BIT9.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\52b72a8354f3c8a72b1aee0b2a11d368\BIT17.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\BIT1A.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\BIT1E.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\86c1313b3b7233a513215d577f5db5c4\BIT1F.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d378d94379aa314a2f8a03df7faef1bc\BIT23.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT24.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cc8107fde988bba1481bb736cc96c29\BIT25.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\495213e4cb2a90b1fa5505a5fab8e00b\BIT27.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ac396c0c2d53942a12157d0ad3c4135a\BIT28.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3c3121982c8a4d0c1605cfbcb9bb7c8\BIT29.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20fc1765c1d2a8e6c26cf77036ce48f\BIT2D.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\080070f6461c8001578e5e4cd4bb024b\BIT31.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\BIT33.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\33831624a2e810dc854ea2f820d0dd53\BIT42.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT44.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4b6ccd5ccf72ffca11e7f7e0165f2082\BIT43.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c87932aedce288373d0b6a6c23f00c8a\BIT46.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c1b0851ac9312d2f7e1ab716c11967b5\BIT4A.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT49.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\304c19f1612f37ffa8967147d3cb7464\BIT4C.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\458b0ddf827cd2ca02539e5a3b1a3d3c\BIT4F.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\BIT4E.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\BIT4D.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT52.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT57.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\55b5c397ff94db07e8c1c336efaf0a7b\BIT59.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5652d934eec8bfa4dc68c4e256a23d5e\download\BIT89.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\021bbe9f2a0e31da1414f03ea6d62389\download\BIT34.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aebb83db003f77a45671fd2c1557da38\download\BIT62.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5379e5c681c265eb176cf4ee378a3a96\download\BIT63.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\download\BIT64.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4387300ca1dcf29784a47c30e67cb637\download\BIT65.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\download\BIT67.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f941c900a413f153861a4032214a1aec\download\BIT7E.tmp"
    Tue 8 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\512e19b377bd5d52a1e190ecbd7a83eb\download\BIT7F.tmp"

    Finished!



    -----------------------


    And this is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:46:59 AM, on 3/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
    C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SkyTel.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7799 bytes



    ---------------------------

    Thank you
     
  14. Byteman

    Hi, Good, that found a few things.

    Do this please:

    Run Hijackthis, Scan only this time...put checks next to these items on your scan window....CLOSE all Internet related and program windows, nothing open but Hijackthis....CLOSE this browser window, also...

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    When you have the items checked, click "Fix checked" to remove them.

    Close Hijackthis.


    Please read all through the info so you know what will be done.
    Here are directions etc but I also have them below:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    There is a Printable Version button up under the Thread Tools drop down menu that will let you print a nice text version of these instructions.
    Alternate way to save directions: Open Notepad> Copy and Paste any text you wish into Notepad, and Save the file as something you will recognize like TSGhelp.txt and save it onto your desktop.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      -----------------------------------------------------------

    3. Double click on combofix.exe & follow the prompts.
    4. When finished, it will produce a report for you.
    5. Please post the "C:\ComboFix.txt" in your next reply..And, after you are done posting the log from ComboFix....run Hijackthis again, Scan and Save a Log....post the brand new log
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
    _ _ _ _ _ _ _
     
  15. wello83

    Hi, I feel like a soldier here doing missions :D

    So that's the combofix.txt:




    ComboFix 08-03-03.12 - sherif compumood 2008-03-03 18:19:03.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1256.20.1033.18.1590 [GMT 2:00]
    Running from: C:\Documents and Settings\sherif compumood\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drmgs.sys
    D:\Autorun.inf
    E:\Autorun.inf
    G:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_PERFMONS
    -------\LEGACY_ROUTING
    -------\Routing


    ((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
    .

    2008-03-03 02:02 . 2008-03-03 02:02 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-03-03 01:53 . 2008-03-01 13:18 <DIR> d-------- C:\SDFix
    2008-03-03 01:33 . 2008-03-03 01:33 <DIR> d--hs---- C:\FOUND.004
    2008-02-29 23:13 . 2008-02-29 23:13 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
    2008-02-29 22:52 . 2008-02-29 22:52 <DIR> d-------- C:\Program Files\Windows Live
    2008-02-29 22:52 . 2008-02-29 22:53 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-02-29 22:52 . 2008-02-29 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-02-29 15:39 . 2008-02-29 15:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-29 15:39 . 2008-02-29 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-29 03:31 . 2008-02-29 03:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-02-29 03:30 . 2008-02-29 03:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-02-29 03:30 . 2008-02-29 03:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-29 03:30 . 2008-02-29 03:30 <DIR> d-------- C:\Documents and Settings\sherif compumood\Application Data\SUPERAntiSpyware.com
    2008-02-28 17:37 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-02-28 01:56 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2008-02-28 01:33 . 2008-02-27 20:33 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-02-27 20:32 . 2008-02-27 20:32 <DIR> d-------- C:\Documents and Settings\sherif compumood\.housecall6.6
    2008-02-27 19:43 . 2008-02-27 19:43 <DIR> d-------- C:\Program Files\RegCure
    2008-02-27 17:46 . 2008-02-27 17:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
    2008-02-27 17:39 . 2008-02-27 17:39 <DIR> d--hs---- C:\FOUND.003
    2008-02-26 23:39 . 2008-02-26 23:39 <DIR> d-------- C:\Documents and Settings\sherif compumood\Application Data\PC Tools
    2008-02-26 22:58 . 2008-02-26 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-20 01:03 . 2008-02-20 01:03 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-02-20 00:49 . 2008-02-20 00:49 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-02-20 00:49 . 2008-02-20 00:49 <DIR> d-------- C:\Program Files\AVG
    2008-02-20 00:49 . 2008-02-20 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-02-20 00:49 . 2008-02-20 00:49 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-02-20 00:49 . 2008-02-20 00:50 73,864 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-02-20 00:49 . 2008-02-20 00:49 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
    2008-02-20 00:49 . 2008-02-20 00:49 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
    2008-02-20 00:49 . 2008-02-20 00:50 14,104 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-02-20 00:49 . 2008-02-20 00:50 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
    2008-02-20 00:48 . 2008-02-20 00:49 434,401 --a------ C:\WINDOWS\system32\tmp0_800732510241.bk
    2008-02-19 23:22 . 2003-11-04 15:10 65,536 --a------ C:\WINDOWS\system32\lfeps13n.dll
    2008-02-19 23:22 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
    2008-02-19 23:21 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2008-02-19 23:21 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2008-02-19 23:21 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
    2008-02-19 23:21 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
    2008-02-19 23:21 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2008-02-19 23:21 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
    2008-02-19 23:21 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
    2008-02-19 23:21 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2008-02-16 14:56 . 2008-02-16 14:56 <DIR> d-------- C:\Program Files\WebSudokuDeluxe
    2008-02-16 00:10 . 2008-02-16 00:10 <DIR> d-------- C:\Documents and Settings\sherif compumood\Application Data\vlc
    2008-02-15 15:43 . 2008-02-15 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-02-15 15:38 . 2008-02-15 15:38 <DIR> d-------- C:\Program Files\Bonjour
    2008-02-15 15:31 . 2008-02-15 15:31 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-02-14 22:41 . 2008-02-14 22:42 4,212 --a------ C:\WINDOWS\system32\acdb.err
    2008-02-13 22:26 . 2008-02-13 22:26 <DIR> d-------- C:\Documents and Settings\sherif compumood\Application Data\DivX
    2008-02-12 18:19 . 2008-02-12 18:19 <DIR> d--hs---- C:\FOUND.002
    2008-02-11 19:41 . 2008-02-11 19:41 32 --a------ C:\WINDOWS\CD_Start.INI
    2008-02-05 02:05 . 2008-02-05 02:05 244 --ah----- C:\sqmnoopt00.sqm
    2008-02-05 02:05 . 2008-02-05 02:05 232 --ah----- C:\sqmdata00.sqm
    2008-02-03 18:22 . 2008-02-03 18:22 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-03 18:15 . 2008-02-03 18:15 <DIR> d--hs---- C:\FOUND.001

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-26 21:36 98,304 ----a-w C:\WINDOWS\DUMP124c.tmp
    2008-02-02 19:42 --------- d-----w C:\Program Files\Chaos Group
    2008-02-01 23:52 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\McAfee
    2008-02-01 16:49 --------- d-----w C:\Program Files\Macromedia
    2008-02-01 16:49 --------- d-----w C:\Program Files\Common Files\Macromedia
    2008-02-01 16:06 --------- d-----w C:\Program Files\Common Files\ChaosGroup
    2008-01-28 00:02 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\Autodesk
    2008-01-27 23:56 --------- d-----w C:\Program Files\turbo squid tentacles
    2008-01-27 23:53 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-01-27 23:53 --------- d-----w C:\Program Files\Autodesk
    2008-01-27 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-01-19 23:55 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\Nero
    2008-01-19 16:56 --------- d-----w C:\Program Files\Nero
    2008-01-19 16:56 --------- d-----w C:\Program Files\Common Files\Nero
    2008-01-19 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2008-01-19 14:37 --------- d-----w C:\Program Files\Real Alternative
    2008-01-19 14:37 --------- d-----w C:\Program Files\Media Player Classic
    2008-01-10 12:50 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\AdobeUM
    2008-01-09 15:07 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\LimeWire
    2008-01-09 11:18 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-01-09 11:18 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-01-09 11:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-01-09 11:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-01-09 11:16 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-01-09 11:16 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-01-09 11:16 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-01-09 11:16 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-01-08 22:21 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\Media Player Classic
    2008-01-08 22:20 --------- d-----w C:\Program Files\VideoLAN
    2008-01-08 21:46 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\uTorrent
    2008-01-08 21:45 --------- d-----w C:\Program Files\uTorrent
    2008-01-08 21:43 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-01-08 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-08 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
    2008-01-08 15:56 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
    2008-01-08 15:56 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-08 00:22 --------- d-----w C:\Program Files\Winamp
    2008-01-08 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-01-08 00:10 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\Apple Computer
    2008-01-08 00:08 --------- d-----w C:\Program Files\QuickTime
    2008-01-08 00:07 --------- d-----w C:\Program Files\Yahoo!
    2008-01-07 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\MCA38.tmp
    2008-01-07 22:15 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\McAfee.com Personal Firewall
    2008-01-07 22:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
    2008-01-07 22:12 --------- d-----w C:\Program Files\McAfee
    2008-01-07 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    2008-01-07 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2008-01-07 21:40 --------- d-----w C:\Program Files\Java
    2008-01-07 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-01-07 21:25 --------- d-----w C:\Program Files\Common Files\Java
    2008-01-07 21:24 --------- d-----w C:\Program Files\LimeWire
    2008-01-07 21:22 --------- d-----w C:\Program Files\DivX
    2008-01-07 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-01-07 21:10 --------- d-----w C:\Program Files\DAEMON Tools
    2008-01-07 21:08 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-01-07 14:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-07 14:35 --------- d-----w C:\Program Files\Realtek
    2008-01-07 14:35 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-01-07 14:12 --------- d-----w C:\Program Files\microsoft frontpage
    2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:07 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-28 14:23 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkyTel"="SkyTel.EXE" [2006-04-24 09:20 1448960 C:\WINDOWS\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-05-04 09:59 16206848 C:\WINDOWS\RTHDCPL.EXE]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-12 06:51 8523776]
    "nwiz"="nwiz.exe" [2007-11-12 06:51 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-12 06:51 81920]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-02-20 00:49 899864]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:07 15360]

    C:\Documents and Settings\sherif compumood\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\uTorrent\\utorrent.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
    "C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
    "C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
    "C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
    "C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-02-20 00:50]
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-02-20 00:49]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-02-20 00:49]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-02-20 00:49]
    R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-02-20 00:49]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-02-20 00:50]
    R2 mi-raysat_3dsMax2008_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit;"C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe" [2007-09-24 17:05]
    R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-02-20 00:49]
    S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-02-20 00:49]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02916cf8-d675-11dc-9dca-0014853d7e7d}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff6c399c-d0dc-11dc-9dc2-0014853d7e7d}]
    \Shell\AutoRun\command - ylr.exe
    \Shell\explore\Command - ylr.exe
    \Shell\open\Command - ylr.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-27 17:44:16 C:\WINDOWS\Tasks\RegCure.job"
    - C:\Program Files\RegCure\RegCure.exe
    "2008-03-03 16:24:24 C:\WINDOWS\Tasks\RegCure Program Check.job"
    - C:\Program Files\RegCure\RegCure.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-03 18:24:48
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-03 18:25:32 - machine was rebooted [sherif compumood]
    ComboFix-quarantined-files.txt 2008-03-03 16:25:30
    .
    2008-01-08 15:25:45 --- E O F ---

    -----------------------------------------------

    and that's the HJT log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:38:24 PM, on 3/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
    C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SkyTel.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7849 bytes

    ----------------------------------------

    hey... do you know what the "Bonjour service" is? At every startup AVG pops up asking whether I would like to grant that "Bonjour service" access to the internet, but since I don't know what it is I choose block.

    thanks
     
Short URL to this thread: https://techguy.org/687693