
Malwarebytes

Trouble with unknown malware


11 replies to this topic

#1
moks

    New Member

  • Members
  • Pip
  • 7 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:26, on 11/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TweakMASTER\TMTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProxyWay\proxyway.exe
C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
I:\New Folder\u96\u96.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:81 local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\S-1-5-21-343818398-115176313-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-115176313-839522115-1003\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-343818398-115176313-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-115176313-839522115-1003\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - S-1-5-21-343818398-115176313-839522115-1003 Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe (User '?')
O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TweakMASTER\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\mzvkbd.dll,C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\adialhk.dll,C:\PROGRA~1\KASPER~1\Kaspersky Internet Security 2009\kloehk.dll,
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OOMMKAP - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe (file missing)
O23 - Service: RB - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\RB.exe (file missing)

--
End of file - 10957 bytes

My AV detected that Generic Host for Win32 Services is trying to access http://q

Can anybody help? I have tried to delete

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:81 local

but it always comes back.

#2
moks

    New Member

  • Members
  • Pip
  • 7 posts
Can anybody help me? Thanks in advance.


#3
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
Chris Fistonich
Consumer Support Specialist


#4
moks

    New Member

  • Members
  • Pip
  • 7 posts
First of all, thanks screen317 for your attention. Here I have included both the ComboFix and HijackThis logs.

ComboFix log

ComboFix 09-11-07.02 - User XP 11/08/2009 13:10.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1671 [GMT 7:00]
Running from: c:\documents and settings\User XP\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User XP\Favorites\Mp3 download.url
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it ;)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-06 02:12 . 2009-11-06 02:12 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-06 01:35 . 2009-11-06 01:35 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-11-06 01:35 . 2009-11-06 01:35 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-11-06 01:35 . 2009-11-06 01:35 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-06 01:35 . 2009-11-07 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-11-06 01:35 . 2009-11-06 09:03 -------- d-----w- c:\documents and settings\User XP\Application Data\Spyware Terminator
2009-11-06 01:34 . 2009-11-06 09:14 -------- d-----w- c:\program files\Spyware Terminator
2009-11-06 01:27 . 2009-11-06 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-05 14:39 . 2009-11-05 14:39 -------- d-----w- c:\documents and settings\User XP\Application Data\Lavasoft
2009-11-05 14:18 . 2009-11-05 14:18 -------- d-----w- C:\!KillBox
2009-11-05 13:40 . 2009-11-05 13:40 -------- d-----w- c:\documents and settings\User XP\Application Data\Grisoft
2009-11-05 13:39 . 2007-05-30 12:10 10872 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
2009-11-05 13:39 . 2009-11-05 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-11-05 13:32 . 2009-11-05 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-05 13:26 . 2009-11-05 13:26 -------- d-----w- c:\program files\SpywareBlaster
2009-11-05 12:31 . 2009-11-05 12:31 -------- d-----w- c:\program files\Trend Micro
2009-11-04 01:50 . 2009-11-07 02:13 -------- d-----w- c:\program files\ProxyWay
2009-11-03 06:05 . 2004-08-03 17:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-03 06:05 . 2001-08-17 15:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-03 06:05 . 2004-08-03 15:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-03 06:05 . 2004-08-03 15:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-27 15:38 . 2009-10-27 16:18 -------- d-----w- c:\program files\GSA Auto Website Submitter
2009-10-27 11:53 . 2009-10-27 11:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-27 10:52 . 2009-11-02 03:51 -------- d-----w- c:\program files\The Ad Clicker 2
2009-10-26 16:10 . 2009-10-26 16:10 -------- d-----w- c:\documents and settings\User XP\Application Data\NotMyIp
2009-10-26 13:45 . 2009-10-26 13:45 -------- d-----w- c:\documents and settings\User XP\Application Data\Technology Lighthouse
2009-10-26 12:27 . 2009-05-12 10:20 173384 ----a-w- c:\windows\system32\AVLibrary.dll
2009-10-26 11:44 . 2009-10-26 11:44 -------- d-----w- c:\program files\Privoxy
2009-10-26 11:27 . 2009-10-27 15:05 769775 ----a-w- c:\documents and settings\User XP\Application Data\Hide IP NG\hideipng-update.exe
2009-10-26 11:18 . 2009-10-23 08:36 -------- d-----w- c:\temp\Automatic Mouse Schedule
2009-10-26 11:16 . 2009-11-05 02:34 -------- d-----w- c:\documents and settings\User XP\Local Settings\Application Data\Temp
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\program files\DU Meter
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\Hagel Technologies
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-10-25 13:15 . 2009-10-25 13:29 -------- d-----w- c:\program files\TweakMASTER
2009-10-19 22:59 . 2009-11-01 10:52 -------- d-----w- c:\temp\u95
2009-10-19 22:37 . 2009-10-19 22:58 -------- d-----w- c:\temp\asm 103

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 06:19 . 2009-06-26 12:11 -------- d-----w- c:\documents and settings\User XP\Application Data\DMCache
2009-11-08 06:18 . 2008-06-23 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-08 06:18 . 2009-07-29 10:26 -------- d-----w- c:\program files\cFosSpeed
2009-11-08 06:16 . 2008-11-09 16:08 8003104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-08 06:16 . 2008-11-09 16:08 7400 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-08 06:16 . 2008-11-09 16:08 69892 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-08 06:16 . 2008-11-09 16:08 622624 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-06 12:18 . 2008-05-07 02:33 -------- d-----w- c:\program files\Winamp
2009-11-05 13:53 . 2008-09-18 10:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-05 13:10 . 2008-08-06 10:38 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-04 12:28 . 2009-07-06 14:41 -------- d-----w- c:\documents and settings\User XP\Application Data\IDM
2009-11-03 14:19 . 2008-07-30 11:13 -------- d-----w- c:\program files\FlashGet
2009-11-03 06:09 . 2009-04-24 12:44 -------- d-----w- c:\program files\MODEM Mobile Connection
2009-10-27 15:06 . 2009-03-21 17:22 -------- d-----w- c:\documents and settings\User XP\Application Data\Hide IP NG
2009-10-15 04:26 . 2009-07-14 11:14 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 04:26 . 2009-07-14 11:14 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-04 02:13 . 2009-10-03 03:56 -------- d-----w- c:\program files\ImageConverter Plus
2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\program files\Common Files\DirectX
2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\DragonicaSCB
2009-10-02 16:55 . 2009-10-02 16:55 -------- d-----w- c:\program files\IrfanView
2009-09-21 16:53 . 2009-09-21 16:53 -------- d-----w- c:\program files\Bridge software
2009-09-17 16:49 . 2009-05-13 11:51 982896 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-17 02:58 . 2009-09-17 02:58 25214 ----a-r- c:\documents and settings\User XP\Application Data\Microsoft\Installer\{1C40AC14-26B0-4D2F-A6C9-36CAE8643EE0}\VineClientIcon.exe
2009-09-14 18:25 . 2009-10-03 03:56 180224 ----a-w- c:\windows\system32\cnvshell.dll
2009-09-14 03:53 . 2009-04-30 23:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-11 04:12 . 2009-09-11 04:12 -------- d-----w- c:\program files\Link Generator
2009-09-10 10:16 . 2009-07-22 10:14 -------- d-----w- c:\program files\Raxco
2009-09-10 10:08 . 2008-05-06 10:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 12:04 . 2009-08-24 12:04 781435 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\Download.dll
2009-08-24 12:04 . 2009-08-24 12:04 22528 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll
2009-08-14 15:00 . 2009-08-14 15:00 52224 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll
2009-08-14 15:00 . 2009-08-14 15:00 114688 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\npmozax.dll
.

------- Sigcheck -------

[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-28 960944]
"SpeedConnectStartUp"="c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe" [2008-08-18 565760]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-11-06 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-12 208616]
"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2009-07-02 887512]
"TweakMASTER"="c:\program files\TweakMASTER\TMTray.exe" [2006-11-27 284712]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-04-04 1822720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2007-09-20 53760]

c:\documents and settings\User XP\Start Menu\Programs\Startup\
LocalCooling.lnk - c:\program files\Uniblue\LocalCooling\localcooling2.exe [2008-2-29 5054464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\GPS Monitor\\SwiApiMux.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 17:29 33808]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [11/6/2009 08:35 142592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [5/6/2008 17:51 37376]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 18:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 17:06 24592]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 13:18 20352]
S3 ancsys;ancsys;c:\windows\system32\drivers\ancsys.sys [5/14/2008 17:32 9856]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [9/18/2007 06:56 109080]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 06:01 3328]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 npkycryp;npkycryp;\??\i:\lineageii\system\npkycryp.sys --> i:\lineageii\system\npkycryp.sys [?]
S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\User XP\My Documents\Downloads\Programs\RohanBotEn1.0.36\RohanBotEn1.0.36\NTProcDrv.sys [8/25/2009 22:01 3584]
S3 OOMMKAP;OOMMKAP;c:\docume~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe --> c:\docume~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe [?]
S3 RB;RB;c:\docume~1\USERXP~1\LOCALS~1\Temp\RB.exe --> c:\docume~1\USERXP~1\LOCALS~1\Temp\RB.exe [?]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 10:41 177536]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 10:42 145280]
S3 Tcpz-x86;Tcpz-x86;\??\c:\docume~1\USERXP~1\LOCALS~1\Temp\Tcpz-x86.sys --> c:\docume~1\USERXP~1\LOCALS~1\Temp\Tcpz-x86.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-06-07 01:23]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to &LinkFox - c:\progra~1\TweakMASTER\TweakBHO.dll/IESCRIPT
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
TCP: {FA0DDEC5-0674-4290-A613-E9314C98882E} = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1
FF - ProfilePath - c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2359848&SearchSource=13
FF - component: c:\documents and settings\User XP\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ProxyWay - c:\program files\ProxyWay\proxyway.exe
SafeBoot-AVG Anti-Spyware Driver



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 13:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):D1,09,1e,07,2e,1f,52,72,d2,39,ad,38,41,31,5f,b6,86,73,5f,b1,a2,
bc,c5,ea,c2,9e,2f,e1,a0,d2,71,65,5c,f7,69,08,a6,2e,05,f2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f9192687-ddc4-4227-b5b5-a07cf2f589ab}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c6
"Therad"=dword:00000010
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(644)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\cFosSpeed\spd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-08 13:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 06:23

Pre-Run: 264,065,024 bytes free
Post-Run: 172,785,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1A34C616D5287B30D117DCCC26F24351

-----------------------------------------------------------------------------------------------------------------------------------------------
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:28:54, on 11/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\TweakMASTER\TMTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TweakMASTER\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OOMMKAP - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\OOMMKAP.exe (file missing)
O23 - Service: RB - Unknown owner - C:\DOCUME~1\USERXP~1\LOCALS~1\Temp\RB.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 9478 bytes

#5
screen317

    MBAM Sentinel

  • Moderators
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
Hi,

You are running a very old standalone version of AVG Anti-Spyware. The current version is bundled with its antivirus, and your version is too out of date to be doing any good. Please uninstall it from Add or Remove Programs.


Important: Are you currently running any cracked programs?


Next, please open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Quote

Driver::
OOMMKAP
RB
Tcpz-x86


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Next, please go to VirusTotal, and upload the following file for analysis:
c:\windows\system32\drivers\ancsys.sys

Post the results in your reply.


Can you update MBAM now?

-screen317
Chris Fistonich
Consumer Support Specialist


#6
moks

    New Member

  • Members
  • 7 posts
ComboFix Log
ComboFix 09-11-08.03 - User XP 11/09/2009 9:01.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1545 [GMT 7:00]
Running from: c:\documents and settings\User XP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User XP\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_OOMMKAP
-------\Legacy_RB
-------\Legacy_TCPZ-X86
-------\Service_OOMMKAP
-------\Service_RB
-------\Service_Tcpz-x86


((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-06 02:12 . 2009-11-06 02:12 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-06 01:35 . 2009-11-06 01:35 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-11-06 01:35 . 2009-11-06 01:35 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-11-06 01:35 . 2009-11-06 01:35 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-06 01:35 . 2009-11-07 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-11-06 01:35 . 2009-11-06 09:03 -------- d-----w- c:\documents and settings\User XP\Application Data\Spyware Terminator
2009-11-06 01:34 . 2009-11-06 09:14 -------- d-----w- c:\program files\Spyware Terminator
2009-11-06 01:27 . 2009-11-06 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-05 14:39 . 2009-11-05 14:39 -------- d-----w- c:\documents and settings\User XP\Application Data\Lavasoft
2009-11-05 14:18 . 2009-11-05 14:18 -------- d-----w- C:\!KillBox
2009-11-05 13:39 . 2009-11-05 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-11-05 13:32 . 2009-11-05 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-05 13:26 . 2009-11-05 13:26 -------- d-----w- c:\program files\SpywareBlaster
2009-11-05 12:31 . 2009-11-05 12:31 -------- d-----w- c:\program files\Trend Micro
2009-11-04 01:50 . 2009-11-07 02:13 -------- d-----w- c:\program files\ProxyWay
2009-11-03 06:05 . 2004-08-03 17:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-03 06:05 . 2001-08-17 15:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-03 06:05 . 2004-08-03 15:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-03 06:05 . 2004-08-03 15:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-27 15:38 . 2009-10-27 16:18 -------- d-----w- c:\program files\GSA Auto Website Submitter
2009-10-27 11:53 . 2009-10-27 11:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-27 10:52 . 2009-11-02 03:51 -------- d-----w- c:\program files\The Ad Clicker 2
2009-10-26 16:10 . 2009-10-26 16:10 -------- d-----w- c:\documents and settings\User XP\Application Data\NotMyIp
2009-10-26 13:45 . 2009-10-26 13:45 -------- d-----w- c:\documents and settings\User XP\Application Data\Technology Lighthouse
2009-10-26 12:27 . 2009-05-12 10:20 173384 ----a-w- c:\windows\system32\AVLibrary.dll
2009-10-26 11:44 . 2009-10-26 11:44 -------- d-----w- c:\program files\Privoxy
2009-10-26 11:27 . 2009-10-27 15:05 769775 ----a-w- c:\documents and settings\User XP\Application Data\Hide IP NG\hideipng-update.exe
2009-10-26 11:18 . 2009-10-23 08:36 -------- d-----w- c:\temp\Automatic Mouse Schedule
2009-10-26 11:16 . 2009-11-05 02:34 -------- d-----w- c:\documents and settings\User XP\Local Settings\Application Data\Temp
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\program files\DU Meter
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\Hagel Technologies
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-10-25 13:15 . 2009-10-25 13:29 -------- d-----w- c:\program files\TweakMASTER
2009-10-19 22:59 . 2009-11-01 10:52 -------- d-----w- c:\temp\u95
2009-10-19 22:37 . 2009-10-19 22:58 -------- d-----w- c:\temp\asm 103

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 02:11 . 2009-06-26 12:11 -------- d-----w- c:\documents and settings\User XP\Application Data\DMCache
2009-11-09 02:11 . 2008-06-23 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-09 02:11 . 2009-07-29 10:26 -------- d-----w- c:\program files\cFosSpeed
2009-11-09 02:08 . 2008-11-09 16:08 8003104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-09 02:08 . 2008-11-09 16:08 7400 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-09 02:08 . 2008-11-09 16:08 69892 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-09 02:08 . 2008-11-09 16:08 622624 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-06 12:18 . 2008-05-07 02:33 -------- d-----w- c:\program files\Winamp
2009-11-05 13:53 . 2008-09-18 10:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-05 13:10 . 2008-08-06 10:38 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-04 12:28 . 2009-07-06 14:41 -------- d-----w- c:\documents and settings\User XP\Application Data\IDM
2009-11-03 14:19 . 2008-07-30 11:13 -------- d-----w- c:\program files\FlashGet
2009-11-03 06:09 . 2009-04-24 12:44 -------- d-----w- c:\program files\MODEM Mobile Connection
2009-10-27 15:06 . 2009-03-21 17:22 -------- d-----w- c:\documents and settings\User XP\Application Data\Hide IP NG
2009-10-15 04:26 . 2009-07-14 11:14 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 04:26 . 2009-07-14 11:14 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-04 02:13 . 2009-10-03 03:56 -------- d-----w- c:\program files\ImageConverter Plus
2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\program files\Common Files\DirectX
2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\DragonicaSCB
2009-10-02 16:55 . 2009-10-02 16:55 -------- d-----w- c:\program files\IrfanView
2009-09-21 16:53 . 2009-09-21 16:53 -------- d-----w- c:\program files\Bridge software
2009-09-17 16:49 . 2009-05-13 11:51 982896 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-17 02:58 . 2009-09-17 02:58 25214 ----a-r- c:\documents and settings\User XP\Application Data\Microsoft\Installer\{1C40AC14-26B0-4D2F-A6C9-36CAE8643EE0}\VineClientIcon.exe
2009-09-14 18:25 . 2009-10-03 03:56 180224 ----a-w- c:\windows\system32\cnvshell.dll
2009-09-14 03:53 . 2009-04-30 23:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-11 04:12 . 2009-09-11 04:12 -------- d-----w- c:\program files\Link Generator
2009-09-10 10:16 . 2009-07-22 10:14 -------- d-----w- c:\program files\Raxco
2009-09-10 10:08 . 2008-05-06 10:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 12:04 . 2009-08-24 12:04 781435 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\Download.dll
2009-08-24 12:04 . 2009-08-24 12:04 22528 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll
2009-08-14 15:00 . 2009-08-14 15:00 52224 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll
2009-08-14 15:00 . 2009-08-14 15:00 114688 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\npmozax.dll
.

------- Sigcheck -------

[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-08_06.20.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-09 02:10 . 2009-11-09 02:10 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-28 960944]
"SpeedConnectStartUp"="c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe" [2008-08-18 565760]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-11-06 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-12 208616]
"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2009-07-02 887512]
"TweakMASTER"="c:\program files\TweakMASTER\TMTray.exe" [2006-11-27 284712]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-04-04 1822720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2007-09-20 53760]

c:\documents and settings\User XP\Start Menu\Programs\Startup\
LocalCooling.lnk - c:\program files\Uniblue\LocalCooling\localcooling2.exe [2008-2-29 5054464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\GPS Monitor\\SwiApiMux.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 17:29 33808]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [11/6/2009 08:35 142592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [5/6/2008 17:51 37376]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 18:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 17:06 24592]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 13:18 20352]
S3 ancsys;ancsys;c:\windows\system32\drivers\ancsys.sys [5/14/2008 17:32 9856]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [9/18/2007 06:56 109080]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 06:01 3328]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 npkycryp;npkycryp;\??\i:\lineageii\system\npkycryp.sys --> i:\lineageii\system\npkycryp.sys [?]
S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\User XP\My Documents\Downloads\Programs\RohanBotEn1.0.36\RohanBotEn1.0.36\NTProcDrv.sys [8/25/2009 22:01 3584]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 10:41 177536]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 10:42 145280]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-06-07 01:23]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to &LinkFox - c:\progra~1\TweakMASTER\TweakBHO.dll/IESCRIPT
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
TCP: {FA0DDEC5-0674-4290-A613-E9314C98882E} = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1
FF - ProfilePath - c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2359848&SearchSource=13
FF - component: c:\documents and settings\User XP\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 09:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):D1,09,1e,07,2e,1f,52,72,d2,39,ad,38,41,31,5f,b6,86,73,5f,b1,a2,
bc,c5,ea,c2,9e,2f,e1,a0,d2,71,65,5c,f7,69,08,a6,2e,05,f2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f9192687-ddc4-4227-b5b5-a07cf2f589ab}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c6
"Therad"=dword:00000010
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(724)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\bmwebcfg.exe
c:\program files\cFosSpeed\spd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-09 9:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-09 02:14
ComboFix2.txt 2009-11-08 06:23

Pre-Run: 181,415,936 bytes free
Post-Run: 140,505,088 bytes free

- - End Of File - - E0E018888938492CACF898781FEE6C75

HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:15:12, on 11/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\TweakMASTER\TMTray.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TweakMASTER\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 8891 bytes


VirusTotal scan
File ancsys.sys received on 2009.11.09 02:20:18 (UTC)
Result: 1/40 (2.5%)

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.09 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.08 -
Antiy-AVL 2.0.3.7 2009.11.05 -
Authentium 5.2.0.5 2009.11.08 -
Avast 4.8.1351.0 2009.11.08 -
AVG 8.5.0.423 2009.11.08 -
BitDefender 7.2 2009.11.09 -
CAT-QuickHeal 10.00 2009.11.07 -
ClamAV 0.94.1 2009.11.09 -
Comodo 2890 2009.11.09 -
DrWeb 5.0.0.12182 2009.11.09 -
eTrust-Vet 35.1.7108 2009.11.06 -
F-Prot 4.5.1.85 2009.11.08 -
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.08 -
GData 19 2009.11.09 -
Ikarus T3.1.1.74.0 2009.11.09 -
Jiangmin 11.0.800 2009.11.08 -
K7AntiVirus 7.10.891 2009.11.07 -
Kaspersky 7.0.0.125 2009.11.09 -
McAfee 5796 2009.11.08 -
McAfee+Artemis 5796 2009.11.08 -
McAfee-GW-Edition 6.8.5 2009.11.09 -
Microsoft 1.5202 2009.11.08 -
NOD32 4586 2009.11.09 -
Norman 6.03.02 2009.11.06 -
nProtect 2009.1.8.0 2009.11.08 -
Panda 10.0.2.2 2009.11.08 -
PCTools 7.0.3.5 2009.11.06 -
Prevx 3.0 2009.11.09 -
Rising 21.54.62.00 2009.11.08 RootKit.Win32.Agent.GEN
Sophos 4.47.0 2009.11.09 -
Sunbelt 3.2.1858.2 2009.11.08 -
Symantec 1.4.4.12 2009.11.09 -
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.08 -
VBA32 3.12.10.11 2009.11.09 -
ViRobot 2009.11.6.2025 2009.11.06 -
VirusBuster 4.6.5.0 2009.11.08 -
Additional information
File size: 9856 bytes
MD5...: ffc2790d8fd9babd536775087f1c3a38
SHA1..: 7d8ec22e3b3dc0bae19f355d4efe910966920929
SHA256: ec6abdc3e36be6ec4501025dfaf91cbf8c70eba373d7dc9e2234a698b1e2475c
ssdeep: 96:NQEPqrBc98Zqh9CXBkkNM2/LD8zZOlxa7uB8pHXXxh/q3hCDAr:uESG8ZqvUHDi03a7uB8p3r/dDA
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1f8e
timedatestamp.....: 0x4861ac5f (Wed Jun 25 02:24:31 2008)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0x50d 0x580 5.85 467e8da1b50927baabadb0902a6d8312
.rdata 0xa00 0x224 0x280 3.60 7ef66a0cca93cd73a4529ac14aeee42a
.data 0xc80 0x334 0x380 1.53 5da01dae15c20d48e4fa62b0dde8908b
PAGE 0x1000 0xe14 0xe80 6.06 41016783af2d165f8e0387e57475ab81
INIT 0x1e80 0x504 0x580 5.47 b7d192857379931539251450ed0b45f1
.reloc 0x2400 0x218 0x280 5.31 c4d75cefe2679c41906d54132e7cc082

( 1 imports )
> ntoskrnl.exe: ZwCreateSection, ZwOpenProcess, memset, MmIsAddressValid, IofCompleteRequest, PsGetCurrentProcessId, IoDeleteSymbolicLink, RtlInitUnicodeString, IoDeleteDevice, DbgPrint, MmGetSystemRoutineAddress, IoCreateSymbolicLink, IoCreateDevice, ProbeForRead, strncmp, _strupr, ObfDereferenceObject, PsLookupProcessByProcessId, ObReferenceObjectByHandle, KeWaitForSingleObject, ZwClose, KeInitializeEvent, KeSetEvent, RtlCompareUnicodeString, RtlUnicodeToMultiByteN, ExFreePoolWithTag, ExAllocatePoolWithTag, ObOpenObjectByPointer, KeTickCount, RtlUnwind, KeBugCheckEx

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)


I have some cracked software installed, but I have already removed it. Still can't update MBAM.

#7
moks

    New Member

  • Members
  • 7 posts
Help me....

#8
screen317

    MBAM Sentinel

  • Moderators
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
My apologies for the delay. Please feel free to PM me if I don't respond within a reasonable amount of time.


Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Quote

Driver::
ancsys
KILLALL::
File::
c:\windows\system32\drivers\ancsys.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Chris Fistonich
Consumer Support Specialist

#9
moks

    New Member

  • Members
  • 7 posts
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:25:05, on 11/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\TweakMASTER\TMTray.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9666
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: LocalCooling.lnk = C:\Program Files\Uniblue\LocalCooling\localcooling2.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TweakMASTER\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A81205B3-F354-477A-BA8E-16D1C0F15D1D}: NameServer = 222.124.204.34 203.130.208.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0DDEC5-0674-4290-A613-E9314C98882E}: NameServer = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 8966 bytes
-------------------------------------------------------------------------------------------------------------------------------------------
ComboFix Log

ComboFix 09-11-19.05 - User XP 11/20/2009 8:13.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1460 [GMT 7:00]
Running from: c:\documents and settings\User XP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User XP\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\ancsys.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ancsys.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANCSYS
-------\Legacy_NPF
-------\Service_ancsys


((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-19 07:33 . 2009-11-19 07:33 -------- d-----w- c:\program files\Defraggler
2009-11-19 07:30 . 2009-11-19 07:30 -------- d-----w- c:\program files\CCleaner
2009-11-14 01:09 . 2009-09-10 07:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-12 12:53 . 2009-11-12 12:53 -------- d-----w- c:\documents and settings\User XP\Application Data\DivX
2009-11-06 02:12 . 2009-11-06 02:12 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-06 01:35 . 2009-11-06 01:35 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-11-06 01:35 . 2009-11-06 01:35 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-11-06 01:35 . 2009-11-06 01:35 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-11-06 01:35 . 2009-11-17 15:46 -------- d-----w- c:\documents and settings\User XP\Application Data\Spyware Terminator
2009-11-06 01:35 . 2009-11-17 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-11-06 01:34 . 2009-11-14 01:01 -------- d-----w- c:\program files\Spyware Terminator
2009-11-06 01:27 . 2009-11-06 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-05 14:39 . 2009-11-05 14:39 -------- d-----w- c:\documents and settings\User XP\Application Data\Lavasoft
2009-11-05 13:39 . 2009-11-05 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-11-05 13:32 . 2009-11-19 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-05 12:31 . 2009-11-05 12:31 -------- d-----w- c:\program files\Trend Micro
2009-11-04 01:50 . 2009-11-07 02:13 -------- d-----w- c:\program files\ProxyWay
2009-11-03 06:05 . 2004-08-03 17:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-03 06:05 . 2001-08-17 15:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-03 06:05 . 2004-08-03 15:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-03 06:05 . 2004-08-03 15:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-27 15:38 . 2009-10-27 16:18 -------- d-----w- c:\program files\GSA Auto Website Submitter
2009-10-27 11:53 . 2009-10-27 11:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-26 13:45 . 2009-10-26 13:45 -------- d-----w- c:\documents and settings\User XP\Application Data\Technology Lighthouse
2009-10-26 12:27 . 2009-05-12 10:20 173384 ----a-w- c:\windows\system32\AVLibrary.dll
2009-10-26 11:44 . 2009-10-26 11:44 -------- d-----w- c:\program files\Privoxy
2009-10-26 11:18 . 2009-10-23 08:36 -------- d-----w- c:\temp\Automatic Mouse Schedule
2009-10-26 11:16 . 2009-11-05 02:34 -------- d-----w- c:\documents and settings\User XP\Local Settings\Application Data\Temp
2009-10-25 13:15 . 2009-10-25 13:15 -------- d-----w- c:\documents and settings\User XP\Application Data\Hagel Technologies
2009-10-25 13:15 . 2009-11-12 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-10-25 13:15 . 2009-10-25 13:29 -------- d-----w- c:\program files\TweakMASTER

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 01:21 . 2009-06-26 12:11 -------- d-----w- c:\documents and settings\User XP\Application Data\DMCache
2009-11-20 01:21 . 2008-06-23 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-20 01:21 . 2009-07-29 10:26 -------- d-----w- c:\program files\cFosSpeed
2009-11-20 01:19 . 2008-11-09 16:08 8042528 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-20 01:19 . 2008-11-09 16:08 7400 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-20 01:19 . 2008-11-09 16:08 70200 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-20 01:19 . 2008-11-09 16:08 622624 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-19 19:22 . 2008-05-07 02:33 -------- d-----w- c:\program files\Winamp
2009-11-19 12:20 . 2008-08-06 10:38 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-19 11:04 . 2008-07-30 11:13 -------- d-----w- c:\program files\FlashGet
2009-11-19 10:37 . 2009-07-06 14:41 -------- d-----w- c:\documents and settings\User XP\Application Data\IDM
2009-11-14 01:09 . 2008-06-23 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 01:08 . 2008-06-23 15:50 4045527 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-12 03:09 . 2009-10-03 03:56 -------- d-----w- c:\program files\ImageConverter Plus
2009-11-05 13:53 . 2008-09-18 10:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-03 06:09 . 2009-04-24 12:44 -------- d-----w- c:\program files\MODEM Mobile Connection
2009-10-15 04:26 . 2009-07-14 11:14 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-15 04:26 . 2009-07-14 11:14 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-03 13:15 . 2009-10-03 13:15 -------- d-----w- c:\program files\Common Files\DirectX
2009-10-02 16:55 . 2009-10-02 16:55 -------- d-----w- c:\program files\IrfanView
2009-09-21 16:53 . 2009-09-21 16:53 -------- d-----w- c:\program files\Bridge software
2009-09-17 16:49 . 2009-05-13 11:51 982896 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-17 02:58 . 2009-09-17 02:58 25214 ----a-r- c:\documents and settings\User XP\Application Data\Microsoft\Installer\{1C40AC14-26B0-4D2F-A6C9-36CAE8643EE0}\VineClientIcon.exe
2009-09-10 07:53 . 2008-06-23 15:24 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-08-24 12:04 . 2009-08-24 12:04 781435 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\Download.dll
2009-08-24 12:04 . 2009-08-24 12:04 22528 ----a-w- c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll
.

------- Sigcheck -------

[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2009-07-24 . 827C0A2165325B2B121B2ECD776DFA86 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-28 960944]
"SpeedConnectStartUp"="c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe" [2008-08-18 565760]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-12 208616]
"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2009-07-02 887512]
"TweakMASTER"="c:\program files\TweakMASTER\TMTray.exe" [2006-11-27 284712]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-04-04 1822720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2007-09-20 53760]

c:\documents and settings\User XP\Start Menu\Programs\Startup\
LocalCooling.lnk - c:\program files\Uniblue\LocalCooling\localcooling2.exe [2008-2-29 5054464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\GPS Monitor\\SwiApiMux.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 17:29 33808]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [11/6/2009 08:35 142592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [5/6/2008 17:51 37376]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 18:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 17:06 24592]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 13:18 20352]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [9/18/2007 06:56 109080]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 06:01 3328]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 npkycryp;npkycryp;\??\i:\lineageii\system\npkycryp.sys --> i:\lineageii\system\npkycryp.sys [?]
S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\User XP\My Documents\Downloads\Programs\RohanBotEn1.0.36\RohanBotEn1.0.36\NTProcDrv.sys [8/25/2009 22:01 3584]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 10:41 177536]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 10:42 145280]
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-06-07 01:23]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:9666
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to &LinkFox - c:\progra~1\TweakMASTER\TweakBHO.dll/IESCRIPT
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
TCP: {FA0DDEC5-0674-4290-A613-E9314C98882E} = 203.130.208.18,222.124.204.34,202.134.2.5,203.134.0.62,202.130.196.155,203.130.196.5,202.134.0.155,192.168.1.1
FF - ProfilePath - c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2359848&SearchSource=13
FF - component: c:\documents and settings\User XP\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\{5ac45f86-f391-414e-b163-163f7193d448}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\User XP\Application Data\Mozilla\Firefox\Profiles\r9lz0vhn.default\extensions\firedownload@mozilla.org\components\firedownload.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 08:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):D1,09,1e,07,2e,1f,52,72,d2,39,ad,38,41,31,5f,b6,86,73,5f,b1,a2,
bc,c5,ea,c2,9e,2f,e1,a0,d2,71,65,5c,f7,69,08,a6,2e,05,f2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f9192687-ddc4-4227-b5b5-a07cf2f589ab}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c6
"Therad"=dword:00000010
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3896)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\bmwebcfg.exe
c:\program files\cFosSpeed\spd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-11-20 08:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 01:24
ComboFix2.txt 2009-11-09 02:14
ComboFix3.txt 2009-11-08 06:23

Pre-Run: 879,136,768 bytes free
Post-Run: 893,898,752 bytes free

- - End Of File - - D06D0CB6028DBCD32FE91A89A713AADE

#10
moks

    New Member

  • Members
  • Pip
  • 7 posts
I can update my MBAM. Thanks, screen317, for your help.

#11
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
Update MBAM, run a Quick Scan, and post its log.

After that, run the F-Secure scan as previously instructed. We're not through here yet.
Chris Fistonich
Consumer Support Specialist


#12
screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 16,430 posts
  • Gender:Male
  • Location:Los Angeles
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Chris Fistonich
Consumer Support Specialist

