1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: WinXP SP2 Yellow Triangle Adware Control Panel Missing & Privileges Gone! :(

Discussion in 'Virus & Other Malware Removal' started by Basu, Aug 25, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Basu

    Basu Thread Starter

    Joined:
    Aug 25, 2007
    Messages:
    10
    Hello Guys,

    Since yesterday I have had this terrible problem that I could'nt rectify. After I lost all hope I found you guys. I've been reading through some of the similar posts on here but thought it's best to start a thread of my own to provide the exact scenario on my system.

    My System Configuration :-

    Win Xp Pro SP2 on AMD64 3000+ Build 2600

    AV - AVG Internet Security 7.5.0.38

    I also have SpywareTerminator with the AV shield.


    The PROBLEM :-

    A yellow triangle/exclamation mark is in my system tray. Clicking it says that my computer is infected and that I should download special 'antispyware tools'. ". It keeps referring me to some bogus spyware remover website (Regular PopUps on my Desktop) and also prompts to download Win AntiVirus Pro 2007.

    I have lost link to my Control Panel and right-clicking on my desktop gives me a pop-up that says that there are Restrictions in place on my PC and I should contact an administrator even though I am the only Admin User (Only Account). I believe I cannot make changes to the Registry either.

    The good thing is that I am able to access the net and Pc is working quite fine even now.
    But I would really like it to be clean and troublefree again.


    As I noticed in similar Threads, I've downloaded SmitfraudFix & HJTInstall and have run the scan.


    Following is the Log for HijackThis:-


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:23:16 PM, on 8/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\SVRemote\USB20Remote.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\WinAvXX.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    C:\WINDOWS\System32\PAStiSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\BITWARE\NT\bwprnmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    <local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup
    O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-21-1004336348-1767777339-725345543-1003\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-21-1004336348-1767777339-725345543-1003 Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe (User '?')
    O4 - S-1-5-21-1004336348-1767777339-725345543-1003 Startup: system.exe (User '?')
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: system.exe
    O4 - Global Startup: autorun.exe
    O4 - Global Startup: bitware print monitor.lnk = C:\BITWARE\NT\bwprnmon.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
    O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {48D61622-EC1E-4F95-847D-4C6F4B879173} (ComponentMethods Class) - https://mat2.religaresecurities.com/inetnet7/iNetNet.cab
    O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EEB58804-04A3-4E05-B777-CA5FFC8BF824}: NameServer = 202.56.230.6,202.56.215.6
    O20 - AppInit_DLLs: hadjajr.ini
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
    O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
    O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
    O24 - Desktop Component 1: Ocean Aquarium Deluxe v1.0 Active Desktop - C:\Program Files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html

    --
    End of file - 10857 bytes




    Following is the Log for SmitfraudFix :-


    SmitFraudFix v2.216

    Scan done at 20:30:16.87, Sat 08/25/2007
    Run from C:\Documents and Settings\F\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    192.168.200.3 download.microsoft.com
    192.168.200.3 downloads.microsoft.com
    192.168.200.3 go.microsoft.com
    192.168.200.3 microsoft.com
    192.168.200.3 msdn.microsoft.com
    192.168.200.3 office.microsoft.com
    192.168.200.3 support.microsoft.com
    192.168.200.3 windowsupdate.microsoft.com
    192.168.200.3 www.microsoft.com
    192.168.200.3 pandasoftware.com
    192.168.200.3 www.pandasoftware.com

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\hadjajr.ini FOUND !
    C:\WINDOWS\system32\printer.exe FOUND !
    C:\WINDOWS\system32\vtr???.dll FOUND !
    C:\WINDOWS\system32\WinAvXX.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\F


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\F\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\F\STARTM~1\Programs\Startup\system.exe FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\F\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="hadjajr.ini"


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock

    pe386 detected, use a Rootkit scanner


    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End




    While SmitfraudFix was running I got an error saying "registry editing has been disabled by your administrator"


    Hope you can help me out ASAP. Many thanks in advance!

    Best Regards,
    Basu
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log

    Note:
    Do not mouseclick combofix's window while its running. That may cause it to stall

    =====================
    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others as they were.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me regardless of what it finds with a new HijackThis log.

    This will take some time!!!!!!!!
     
  3. Basu

    Basu Thread Starter

    Joined:
    Aug 25, 2007
    Messages:
    10
    Hello MFDnNC,

    Really appreciate your quick response. I have done all the scans as you asked. Here are the Logs from ComboFix , SAS, & latest HJT .....


    ComboFix 07-08-25.2 - "F" 2007-08-26 13:42:06.1 - NTFSx86

    Rootkit driver pe386 is present. ... attempting disinfection
    pe386 ...... driver unloaded successfully.
    ADS removed - system32: deleted 55004 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
    C:\DOCUME~1\F\STARTM~1\Programs\Startup\system.exe
    C:\Documents and Settings\All Users.\documents\settings
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Program Files\Common Files\{24CE5~1
    C:\Program Files\Common Files\{34CE5~1
    C:\WINDOWS\emdat.tm
    C:\WINDOWS\emdat.tmp
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\vx.tll
    C:\WINDOWS\system32\WinAvXX.exe
    C:\WINDOWS\system32\wl.exe


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_NPF
    -------\NPF
    -------\ntio256
    -------\ntndis


    ((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


    2007-08-26 11:10 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-26 10:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-08-26 10:19 <DIR> d-------- C:\DOCUME~1\F\APPLIC~1\SUPERAntiSpyware.com
    2007-08-26 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-08-26 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-08-26 10:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-25 13:00 3,204 --a------ C:\WINDOWS\system32\tmp.reg
    2007-08-25 12:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-25 03:26 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
    2007-08-25 03:26 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
    2007-08-25 02:01 <DIR> d-------- C:\Program Files\WinClamAVShield
    2007-08-25 01:50 <DIR> d-------- C:\Program Files\Spyware Terminator
    2007-08-25 01:50 <DIR> d-------- C:\DOCUME~1\F\APPLIC~1\Spyware Terminator
    2007-08-25 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
    2007-08-25 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
    2007-08-25 00:47 39,424 --a------ C:\WINDOWS\system32\vtr.dll
    2007-08-21 02:38 <DIR> d-------- C:\XPCD
    2007-08-20 16:45 <DIR> d-------- C:\WINDOWS\pss
    2007-08-20 16:11 <DIR> d-------- C:\Program Files\SolidDocuments
    2007-08-20 16:11 <DIR> d-------- C:\DOCUME~1\F\APPLIC~1\SolidDocuments
    2007-08-20 15:41 <DIR> d-------- C:\Program Files\Celestia
    2007-08-20 08:35 12,219,981 --------- C:\AVG7QT.DAT
    2007-08-18 05:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SolidDocuments
    2007-08-18 05:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SolidDocuments
    2007-08-16 08:57 <DIR> d-------- C:\Program Files\ScummVM
    2007-08-11 03:12 <DIR> d-------- C:\Program Files\ElcomSoft
    2007-08-10 05:07 <DIR> d-------- C:\Program Files\Ancient Castle 3D Screensaver
    2007-08-10 05:05 <DIR> d-------- C:\Program Files\Fantasy Moon 3D Screensaver
    2007-08-10 05:03 <DIR> d-------- C:\Program Files\Spirit of Fire 3D Screensaver
    2007-08-10 05:01 <DIR> d-------- C:\Program Files\Nautilus 3D Screensaver
    2007-08-10 04:59 <DIR> d-------- C:\Program Files\Tropical Fish 3D Screensaver
    2007-08-10 04:57 <DIR> d-------- C:\Program Files\Galleon 3D Screensaver
    2007-08-10 04:56 <DIR> d-------- C:\Program Files\Discovery 3D Screensaver
    2007-08-10 04:48 <DIR> d-------- C:\Program Files\Earth 3D Screensaver
    2007-08-10 04:45 <DIR> d-------- C:\Program Files\Nature 3D Screensaver
    2007-08-10 04:40 <DIR> d-------- C:\Program Files\Voyage of Columbus 3D Screensaver
    2007-08-10 04:36 <DIR> d-------- C:\Program Files\Watermill 3D Screensaver
    2007-08-09 21:21 10,477,568 --a------ C:\WINDOWS\system32\3D Titanic Screensaver.scr
    2007-08-09 21:21 <DIR> d-------- C:\Program Files\Astro Gemini Software
    2007-08-09 01:46 <DIR> d-------- C:\DOCUME~1\F\APPLIC~1\ScummVM
    2007-08-09 00:22 <DIR> d-------- C:\MONKEY


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-26 13:33 --------- d-------- C:\DOCUME~1\F\APPLIC~1\uTorrent
    2007-08-26 13:33 --------- d-------- C:\DOCUME~1\F\APPLIC~1\uTorrent
    2007-08-26 09:37 --------- d-------- C:\Program Files\GetRight
    2007-08-25 04:08 --------- d-------- C:\DOCUME~1\F\APPLIC~1\Help
    2007-08-25 04:08 --------- d-------- C:\DOCUME~1\F\APPLIC~1\Help
    2007-08-25 02:05 --------- d-------- C:\DOCUME~1\F\APPLIC~1\AdobeUM
    2007-08-25 02:05 --------- d-------- C:\DOCUME~1\F\APPLIC~1\AdobeUM
    2007-08-24 23:22 --------- d-------- C:\Program Files\FILES
    2007-08-21 16:55 --------- d-------- C:\DOCUME~1\F\APPLIC~1\StanaPhone
    2007-08-21 16:55 --------- d-------- C:\DOCUME~1\F\APPLIC~1\StanaPhone
    2007-08-21 16:47 --------- d-------- C:\Program Files\iCall
    2007-08-19 17:35 --------- d-------- C:\Program Files\DAEMON Tools
    2007-08-19 16:20 75252 --a------ C:\WINDOWS\tmihjs.exe
    2007-08-11 05:39 --------- d-------- C:\Program Files\CDisplay
    2007-08-10 04:40 --------- d-------- C:\Program Files\3Planesoft Screensaver Manager
    2007-08-03 17:19 --------- d-------- C:\Program Files\WMR11
    2007-07-20 22:25 --------- d-------- C:\Program Files\MSECache
    2007-07-08 19:39 --------- d-------- C:\Program Files\Online Services
    2007-01-11 09:31 183808 --a------ C:\DOCUME~1\F\msupdate.exe
    2007-01-11 09:31 183808 --a------ C:\DOCUME~1\F\msupdate.exe
    2006-04-12 22:10 630784 --a------ C:\DOCUME~1\F\chatlnk.exe
    2006-04-12 22:10 630784 --a------ C:\DOCUME~1\F\chatlnk.exe
    2006-02-01 04:19:32 56 --sh--r C:\WINDOWS\system32\09048EEEBD.sys
    2006-02-01 04:19:32 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 21:10]
    "SoundMan"="SOUNDMAN.EXE" [2004-12-01 13:24 C:\WINDOWS\SOUNDMAN.EXE]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-25 22:00]
    "SVRemote"="c:\Program Files\SVRemote\USB20Remote.exe" [2005-11-07 07:39]
    "WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-15 22:31]
    "WinRemote"="C:\Program Files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-15 22:30]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "iCall Internet Phone"="C:\Program Files\iCall\iCall.exe" [2007-08-18 16:02]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-25 03:26]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    C:\DOCUME~1\F\STARTM~1\Programs\Startup\
    Screen Saver Control.lnk - C:\WINDOWS\FSScrCtl.exe [2007-04-13 09:56:47]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source= C:\Program Files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html
    FriendlyName= Ocean Aquarium Deluxe v1.0 Active Desktop

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    avgwlntf.dll 2007-08-25 03:26 9216 C:\WINDOWS\system32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzdn32]
    winzdn32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=hadjajr.ini



    Contents of the 'Scheduled Tasks' folder
    2007-08-26 06:43:00 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-26 13:49:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-26 13:54:18 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-26 13:54

    --- E O F ---





    Code:
    2004-07-05 14:24      110592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wl.exe.vir
    2007-01-10 04:42      1    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vx.tll.vir
    2007-01-10 04:47      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\emdat.tm.vir
    2007-01-10 04:47      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\emdat.tmp.vir
    2007-01-14 08:25      124    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\desktop.ini.vir
    2007-08-25 00:47      16896    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe.vir
    2007-08-25 00:47      16896    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\F\STARTM~1\Programs\Startup\system.exe.vir
    2007-08-25 00:47      16896    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir
    2007-08-25 00:47      16896    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winavxx.exe.vir
    2007-08-26 13:45      1326    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
    2007-08-26 13:45      2418    --a------    C:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.cf
    2007-08-26 13:45      2524    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ntio256.reg.cf
    2007-08-26 13:45      2560    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ntndis.reg.cf
    
    
    Folder PATH listing
    Volume serial number is 24CE-5CD3
    C:\QOOBOX
    \---Quarantine
        +---C
        |   +---Documents and Settings
        |   |   \---All Users
        |   |       \---Documents
        |   |           \---Settings
        |   |                   desktop.ini.vir
        |   |                   
        |   +---DOCUME~1
        |   |   +---ALLUSE~1
        |   |   |   \---STARTM~1
        |   |   |       \---Programs
        |   |   |           \---Startup
        |   |   |                   autorun.exe.vir
        |   |   |                   
        |   |   \---F
        |   |       \---STARTM~1
        |   |           \---Programs
        |   |               \---Startup
        |   |                       system.exe.vir
        |   |                       
        |   \---WINDOWS
        |       |   emdat.tm.vir
        |       |   emdat.tmp.vir
        |       |   
        |       \---system32
        |               printer.exe.vir
        |               vx.tll.vir
        |               winavxx.exe.vir
        |               wl.exe.vir
        |               
        \---Registry_backups
                LEGACY_NPF.reg.cf
                services_NPF.reg.cf
                services_ntio256.reg.cf
                services_ntndis.reg.cf
                
    




    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/26/2007 at 12:09 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3292
    Trace Rules Database Version: 1303

    Scan type : Complete Scan
    Total Scan Time : 00:56:53

    Memory items scanned : 413
    Memory threats detected : 1
    Registry items scanned : 7339
    Registry threats detected : 9
    File items scanned : 42872
    File threats detected : 60

    Trojan.Net-AVP/AVT
    C:\WINDOWS\SYSTEM32\PRINTER.EXE
    C:\WINDOWS\SYSTEM32\PRINTER.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\AUTORUN.EXE
    C:\DOCUMENTS AND SETTINGS\F\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0661508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0661510.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0661512.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0662509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0662510.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0662511.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0663507.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0663508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0663509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0664507.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0664508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0664509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665507.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665530.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665531.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666531.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666533.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666558.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666559.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666560.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0667560.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0667561.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP393\A0668558.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP393\A0668559.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP393\A0668560.EXE
    C:\WINDOWS\SYSTEM32\WINAVXX.EXE
    C:\WINDOWS\Prefetch\SYSTEM.EXE-12A91105.pf

    Adware.Tracking Cookie
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt

    Trojan.Downloader-IBM/Shell
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#DeviceDesc

    Trojan.Rustock/LZX32
    C:\WINDOWS\system32:lzx32.sys

    Adware.180solutions/ZangoSearch
    C:\PROGRAM FILES\MAIL.COM MESSENGER\EM2.EXE
    C:\DOCUMENTS AND SETTINGS\F\DESKTOP\MAIL.COM MESSENGER.LNK
    C:\DOCUMENTS AND SETTINGS\F\START MENU\PROGRAMS\MAIL.COM MESSENGER\MAIL.COM MESSENGER.LNK

    Trojan.Downloader-Gen
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP384\A0652734.EXE
    C:\WINDOWS\TMIHJS.EXE

    Trojan.TaskDir
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0661397.DLL

    Trojan.Downloader-Gen/NoMultiTask
    C:\WINDOWS\SYSTEM32\VTR.DLL





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:13:58 PM, on 8/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    C:\WINDOWS\System32\PAStiSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\SVRemote\USB20Remote.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    <local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-21-1004336348-1767777339-725345543-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-21-1004336348-1767777339-725345543-1003 Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe (User '?')
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Global Startup: bitware print monitor.lnk = C:\BITWARE\NT\bwprnmon.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
    O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {48D61622-EC1E-4F95-847D-4C6F4B879173} (ComponentMethods Class) - https://mat2.religaresecurities.com/inetnet7/iNetNet.cab
    O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EEB58804-04A3-4E05-B777-CA5FFC8BF824}: NameServer = 202.56.230.6,202.56.215.6
    O20 - AppInit_DLLs: hadjajr.ini
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
    O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
    O24 - Desktop Component 1: Ocean Aquarium Deluxe v1.0 Active Desktop - C:\Program Files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html

    --
    End of file - 10110 bytes
     
  4. Basu

    Basu Thread Starter

    Joined:
    Aug 25, 2007
    Messages:
    10
    Oops......Plz ignore the incomplete Log...here are the complete Logs once again :-




    ComboFix 07-08-25.2 - "F" 2007-08-26 13:42:06.1 - NTFSx86

    Rootkit driver pe386 is present. ... attempting disinfection
    pe386 ...... driver unloaded successfully.
    ADS removed - system32: deleted 55004 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
    C:\DOCUME~1\F\STARTM~1\Programs\Startup\system.exe
    C:\Documents and Settings\All Users.\documents\settings
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Program Files\Common Files\{24CE5~1
    C:\Program Files\Common Files\{34CE5~1
    C:\WINDOWS\emdat.tm
    C:\WINDOWS\emdat.tmp
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\vx.tll
    C:\WINDOWS\system32\WinAvXX.exe
    C:\WINDOWS\system32\wl.exe


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_NPF
    -------\NPF
    -------\ntio256
    -------\ntndis


    ((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


    2007-08-26 11:10 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-26 10:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-08-26 10:19 <DIR> d-------- C:\DOCUME~1\F\APPLIC~1\SUPERAntiSpyware.com
    2007-08-26 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-08-26 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-08-26 10:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-25 13:00 3,204 --a------ C:\WINDOWS\system32\tmp.reg
    2007-08-25 12:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-25 03:26 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
    2007-08-25 03:26 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
    2007-08-25 02:01 <DIR> d-------- C:\Program Files\WinClamAVShield
    2007-08-25 01:50 <DIR> d-------- C:\Program Files\Spyware Terminator
    2007-08-25 01:50 <DIR> d-------- C:\DOCUME~1\F\APPLIC~1\Spyware Terminator
    2007-08-25 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
    2007-08-25 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
    2007-08-25 00:47 39,424 --a------ C:\WINDOWS\system32\vtr.dll
    2007-08-21 02:38 <DIR> d-------- C:\XPCD
    2007-08-20 16:45 <DIR> d-------- C:\WINDOWS\pss
    2007-08-20 16:11 <DIR> d-------- C:\Program Files\SolidDocuments
    2007-08-20 16:11 <DIR> d-------- C:\DOCUME~1\F\APPLIC~1\SolidDocuments
    2007-08-20 15:41 <DIR> d-------- C:\Program Files\Celestia
    2007-08-20 08:35 12,219,981 --------- C:\AVG7QT.DAT
    2007-08-18 05:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SolidDocuments
    2007-08-18 05:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SolidDocuments
    2007-08-16 08:57 <DIR> d-------- C:\Program Files\ScummVM
    2007-08-11 03:12 <DIR> d-------- C:\Program Files\ElcomSoft
    2007-08-10 05:07 <DIR> d-------- C:\Program Files\Ancient Castle 3D Screensaver
    2007-08-10 05:05 <DIR> d-------- C:\Program Files\Fantasy Moon 3D Screensaver
    2007-08-10 05:03 <DIR> d-------- C:\Program Files\Spirit of Fire 3D Screensaver
    2007-08-10 05:01 <DIR> d-------- C:\Program Files\Nautilus 3D Screensaver
    2007-08-10 04:59 <DIR> d-------- C:\Program Files\Tropical Fish 3D Screensaver
    2007-08-10 04:57 <DIR> d-------- C:\Program Files\Galleon 3D Screensaver
    2007-08-10 04:56 <DIR> d-------- C:\Program Files\Discovery 3D Screensaver
    2007-08-10 04:48 <DIR> d-------- C:\Program Files\Earth 3D Screensaver
    2007-08-10 04:45 <DIR> d-------- C:\Program Files\Nature 3D Screensaver
    2007-08-10 04:40 <DIR> d-------- C:\Program Files\Voyage of Columbus 3D Screensaver
    2007-08-10 04:36 <DIR> d-------- C:\Program Files\Watermill 3D Screensaver
    2007-08-09 21:21 10,477,568 --a------ C:\WINDOWS\system32\3D Titanic Screensaver.scr
    2007-08-09 21:21 <DIR> d-------- C:\Program Files\Astro Gemini Software
    2007-08-09 01:46 <DIR> d-------- C:\DOCUME~1\F\APPLIC~1\ScummVM
    2007-08-09 00:22 <DIR> d-------- C:\MONKEY


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-26 13:33 --------- d-------- C:\DOCUME~1\F\APPLIC~1\uTorrent
    2007-08-26 13:33 --------- d-------- C:\DOCUME~1\F\APPLIC~1\uTorrent
    2007-08-26 09:37 --------- d-------- C:\Program Files\GetRight
    2007-08-25 04:08 --------- d-------- C:\DOCUME~1\F\APPLIC~1\Help
    2007-08-25 04:08 --------- d-------- C:\DOCUME~1\F\APPLIC~1\Help
    2007-08-25 02:05 --------- d-------- C:\DOCUME~1\F\APPLIC~1\AdobeUM
    2007-08-25 02:05 --------- d-------- C:\DOCUME~1\F\APPLIC~1\AdobeUM
    2007-08-24 23:22 --------- d-------- C:\Program Files\FILES
    2007-08-21 16:55 --------- d-------- C:\DOCUME~1\F\APPLIC~1\StanaPhone
    2007-08-21 16:55 --------- d-------- C:\DOCUME~1\F\APPLIC~1\StanaPhone
    2007-08-21 16:47 --------- d-------- C:\Program Files\iCall
    2007-08-19 17:35 --------- d-------- C:\Program Files\DAEMON Tools
    2007-08-19 16:20 75252 --a------ C:\WINDOWS\tmihjs.exe
    2007-08-11 05:39 --------- d-------- C:\Program Files\CDisplay
    2007-08-10 04:40 --------- d-------- C:\Program Files\3Planesoft Screensaver Manager
    2007-08-03 17:19 --------- d-------- C:\Program Files\WMR11
    2007-07-20 22:25 --------- d-------- C:\Program Files\MSECache
    2007-07-08 19:39 --------- d-------- C:\Program Files\Online Services
    2007-01-11 09:31 183808 --a------ C:\DOCUME~1\F\msupdate.exe
    2007-01-11 09:31 183808 --a------ C:\DOCUME~1\F\msupdate.exe
    2006-04-12 22:10 630784 --a------ C:\DOCUME~1\F\chatlnk.exe
    2006-04-12 22:10 630784 --a------ C:\DOCUME~1\F\chatlnk.exe
    2006-02-01 04:19:32 56 --sh--r C:\WINDOWS\system32\09048EEEBD.sys
    2006-02-01 04:19:32 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 21:10]
    "SoundMan"="SOUNDMAN.EXE" [2004-12-01 13:24 C:\WINDOWS\SOUNDMAN.EXE]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-25 22:00]
    "SVRemote"="c:\Program Files\SVRemote\USB20Remote.exe" [2005-11-07 07:39]
    "WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-08-15 22:31]
    "WinRemote"="C:\Program Files\InterVideo\WinDVR3\WinRemote.exe" [2005-08-15 22:30]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "iCall Internet Phone"="C:\Program Files\iCall\iCall.exe" [2007-08-18 16:02]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-25 03:26]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    C:\DOCUME~1\F\STARTM~1\Programs\Startup\
    Screen Saver Control.lnk - C:\WINDOWS\FSScrCtl.exe [2007-04-13 09:56:47]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source= C:\Program Files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html
    FriendlyName= Ocean Aquarium Deluxe v1.0 Active Desktop

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    avgwlntf.dll 2007-08-25 03:26 9216 C:\WINDOWS\system32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzdn32]
    winzdn32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=hadjajr.ini



    Contents of the 'Scheduled Tasks' folder
    2007-08-26 06:43:00 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-26 13:49:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-26 13:54:18 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-26 13:54

    --- E O F ---






    ComboFix Quarantined Files :-


    Code:
    2004-07-05 14:24      110592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wl.exe.vir
    2007-01-10 04:42      1    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vx.tll.vir
    2007-01-10 04:47      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\emdat.tm.vir
    2007-01-10 04:47      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\emdat.tmp.vir
    2007-01-14 08:25      124    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\desktop.ini.vir
    2007-08-25 00:47      16896    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe.vir
    2007-08-25 00:47      16896    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\F\STARTM~1\Programs\Startup\system.exe.vir
    2007-08-25 00:47      16896    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir
    2007-08-25 00:47      16896    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winavxx.exe.vir
    2007-08-26 13:45      1326    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
    2007-08-26 13:45      2418    --a------    C:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.cf
    2007-08-26 13:45      2524    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ntio256.reg.cf
    2007-08-26 13:45      2560    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ntndis.reg.cf
    
    
    Folder PATH listing
    Volume serial number is 24CE-5CD3
    C:\QOOBOX
    \---Quarantine
        +---C
        |   +---Documents and Settings
        |   |   \---All Users
        |   |       \---Documents
        |   |           \---Settings
        |   |                   desktop.ini.vir
        |   |                   
        |   +---DOCUME~1
        |   |   +---ALLUSE~1
        |   |   |   \---STARTM~1
        |   |   |       \---Programs
        |   |   |           \---Startup
        |   |   |                   autorun.exe.vir
        |   |   |                   
        |   |   \---F
        |   |       \---STARTM~1
        |   |           \---Programs
        |   |               \---Startup
        |   |                       system.exe.vir
        |   |                       
        |   \---WINDOWS
        |       |   emdat.tm.vir
        |       |   emdat.tmp.vir
        |       |   
        |       \---system32
        |               printer.exe.vir
        |               vx.tll.vir
        |               winavxx.exe.vir
        |               wl.exe.vir
        |               
        \---Registry_backups
                LEGACY_NPF.reg.cf
                services_NPF.reg.cf
                services_ntio256.reg.cf
                services_ntndis.reg.cf
                
    




    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/26/2007 at 12:09 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3292
    Trace Rules Database Version: 1303

    Scan type : Complete Scan
    Total Scan Time : 00:56:53

    Memory items scanned : 413
    Memory threats detected : 1
    Registry items scanned : 7339
    Registry threats detected : 9
    File items scanned : 42872
    File threats detected : 60

    Trojan.Net-AVP/AVT
    C:\WINDOWS\SYSTEM32\PRINTER.EXE
    C:\WINDOWS\SYSTEM32\PRINTER.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\AUTORUN.EXE
    C:\DOCUMENTS AND SETTINGS\F\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0661508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0661510.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0661512.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0662509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0662510.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0662511.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0663507.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0663508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0663509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0664507.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0664508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0664509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665507.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665530.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0665531.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666531.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666533.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666558.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666559.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0666560.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0667560.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0667561.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP393\A0668558.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP393\A0668559.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP393\A0668560.EXE
    C:\WINDOWS\SYSTEM32\WINAVXX.EXE
    C:\WINDOWS\Prefetch\SYSTEM.EXE-12A91105.pf

    Adware.Tracking Cookie
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][2].txt
    C:\Documents and Settings\F\Cookies\[email protected][1].txt

    Trojan.Downloader-IBM/Shell
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#DeviceDesc

    Trojan.Rustock/LZX32
    C:\WINDOWS\system32:lzx32.sys

    Adware.180solutions/ZangoSearch
    C:\PROGRAM FILES\MAIL.COM MESSENGER\EM2.EXE
    C:\DOCUMENTS AND SETTINGS\F\DESKTOP\MAIL.COM MESSENGER.LNK
    C:\DOCUMENTS AND SETTINGS\F\START MENU\PROGRAMS\MAIL.COM MESSENGER\MAIL.COM MESSENGER.LNK

    Trojan.Downloader-Gen
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP384\A0652734.EXE
    C:\WINDOWS\TMIHJS.EXE

    Trojan.TaskDir
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{0FAFD8DE-E21C-4717-B216-7EBD6406BA1B}\RP392\A0661397.DLL

    Trojan.Downloader-Gen/NoMultiTask
    C:\WINDOWS\SYSTEM32\VTR.DLL





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:13:58 PM, on 8/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    C:\WINDOWS\System32\PAStiSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\SVRemote\USB20Remote.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    <local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-21-1004336348-1767777339-725345543-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-21-1004336348-1767777339-725345543-1003 Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe (User '?')
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Global Startup: bitware print monitor.lnk = C:\BITWARE\NT\bwprnmon.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
    O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {48D61622-EC1E-4F95-847D-4C6F4B879173} (ComponentMethods Class) - https://mat2.religaresecurities.com/inetnet7/iNetNet.cab
    O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EEB58804-04A3-4E05-B777-CA5FFC8BF824}: NameServer = 202.56.230.6,202.56.215.6
    O20 - AppInit_DLLs: hadjajr.ini
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
    O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
    O24 - Desktop Component 1: Ocean Aquarium Deluxe v1.0 Active Desktop - C:\Program Files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html

    --
    End of file - 10110 bytes
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix these with HiJackThis – mark them, close IE, click fix checked

    O20 - AppInit_DLLs: hadjajr.ini

    O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)

    O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
    =======
    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find this exact name

    FireDaemon Service: winsecure

    Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

    ============

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode



    How are things on the PC???????????
     
  6. Basu

    Basu Thread Starter

    Joined:
    Aug 25, 2007
    Messages:
    10
    Thx....I'm in office right now; will do the same ASA I'm home....

    Regards
    Basu
     
  7. Basu

    Basu Thread Starter

    Joined:
    Aug 25, 2007
    Messages:
    10
    Hello,

    I did as you asked in HJT and services.msc

    (these files could not be deleted from TEMP) -
    ~DFD871.tmp
    ~DFE5E2.tmp
    ~DFECB9.tmp
    ~DFFA04.tmp
    ~WRF0000.tmp




    ...and here is the new HJT Log:-



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:38:02 AM, on 8/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\SVRemote\USB20Remote.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\BITWARE\NT\bwprnmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\FSScrCtl.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    C:\WINDOWS\System32\PAStiSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    <local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [iCall Internet Phone] "C:\Program Files\iCall\iCall.exe" /startup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-21-1004336348-1767777339-725345543-1003 Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe (User '?')
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Global Startup: bitware print monitor.lnk = C:\BITWARE\NT\bwprnmon.exe
    O4 - Global Startup: BlueSoleil.lnk = ?
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
    O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {48D61622-EC1E-4F95-847D-4C6F4B879173} (ComponentMethods Class) - https://mat2.religaresecurities.com/inetnet7/iNetNet.cab
    O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EEB58804-04A3-4E05-B777-CA5FFC8BF824}: NameServer = 202.56.230.6,202.56.215.6
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
    O24 - Desktop Component 1: Ocean Aquarium Deluxe v1.0 Active Desktop - C:\Program Files\Ocean Aquarium 3D Deluxe\Active Desktop\Ocean_Aquarium_3D_Active_DT.html

    --
    End of file - 9770 bytes
     
  8. Basu

    Basu Thread Starter

    Joined:
    Aug 25, 2007
    Messages:
    10
    Good News!

    Control Panel is back again and that annoying Yellow Triangle is gone this time when I booted my system.

    Is this Permanent or temp is my concern.


    Thx & Regards
    Basu
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  10. Basu

    Basu Thread Starter

    Joined:
    Aug 25, 2007
    Messages:
    10
    Thanks a ton MFDnNC. Really Really appreciate the help and effort. Problem Sloved!

    Thanks & God Bless,

    Basu
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/615073

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice