[Active] Persistent Win32:Rootkit-gen (Rtk)
This malware has blocked my Avast protection, including the boot-time scanner. It has disabled regedit, Task Manager, unhiding of files, Safe Mode boot, etc. Only after running the latest MBAM and restarting the PC is Avast protection able to run, and it notifies me of Win32:Rootkit-gen (Rtk) and identifies it as a rootkit. My PC is crashing frequently with an error titled "GENERIC HOST PROCESS FOR WIN32 SERVICES".
First HijackThis log:
---------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:50 PM, on 6/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbtfuty.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkuxjgh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Archive
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD82BFDE-F7A3-44E7-9B0D-81EEA9F6F16D}: NameServer = 218.248.255.162 218.248.255.194
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Application Layer Gateway Service ALGlanmanserverWmi (ALGlanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvUPSWZCSVC (AudioSrvUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Logical Disk Manager Administrative Service dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager dmserverBITS (dmserverBITS) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcNtLmSsp (ERSvcNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcRemoteRegistryAdobeHidServ (ERSvcRemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Event Log EventlogDhcp (EventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: COM+ Event System EventSystemWZCSVC (EventSystemWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Server lanmanserverWmi lanmanserverWmiNetDDE (lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess (LmHostsAudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry (LmHostsMSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry (MSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess (MSIServerRemoteRegistryRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: MUXRXROEG (muxrxroeg) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe (file missing)
O23 - Service: Network DDE NetDDEAppMgmt (NetDDEAppMgmt) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility (NetDDEdsdmFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonNetDDEdsdm (NetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonW32Time (NetlogonW32Time) - Unknown owner - .exe (file missing)
O23 - Service: Plug and Play PlugPlayThemes (PlugPlayThemes) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryAdobeHidServ (RemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryMSIServer (RemoteRegistryMSIServer) - Unknown owner - .exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsWmiApSrv (RpcSsWmiApSrv) - Unknown owner - C:\WINDOWS\system32\icsxmlo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsxmlprov (RpcSsxmlprov) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPTermService (RSVPTermService) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPUPSWZCSVC (RSVPUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes (ScheduleThemes) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes ScheduleThemesose (ScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNetlogonNetDDEdsdm (SpoolerNetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Telephony TapiSrvLmHosts (TapiSrvLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Terminal Services TermServiceUMWdf (TermServiceUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSThemes (UPSThemes) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC (UPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Time W32TimeHTTPFilter (W32TimeHTTPFilter) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvEventlogDhcp (WmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Wireless Zero Configuration WZCSVCMSIServer (WZCSVCMSIServer) - Unknown owner - .exe (file missing)
--
End of file - 8401 bytes
--------------------------------------------------------------------------------
After doing an MBAM full scan, the log is:
--------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.38
Database version: 2340
Windows 5.1.2600 Service Pack 2
6/27/2009 4:37:17 PM
mbam-log-2009-06-27 (16-37-17).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 184723
Time elapsed: 24 minute(s), 13 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 90
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\winbtfuty.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winkuxjgh.exe (Trojan.Downloader) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASecurityCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\winbtfuty.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winkuxjgh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\system volume information\_restore{5b7aa32f-a0d6-4edf-a767-1db4335bf422}\RP1\A0000274.exe (Spyware.Agent) -> Quarantined and deleted successfully.
d:\system volume information\_restore{5b7aa32f-a0d6-4edf-a767-1db4335bf422}\RP1\A0000690.exe (Spyware.Agent) -> Quarantined and deleted successfully.
d:\f\pastedesktop\Mcl\Softw\CP_Setup.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------
After restarting, the HijackThis log is:
--------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:20 PM, on 6/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Archive
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Application Layer Gateway Service ALGlanmanserverWmi (ALGlanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvUPSWZCSVC (AudioSrvUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Logical Disk Manager Administrative Service dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager dmserverBITS (dmserverBITS) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcNtLmSsp (ERSvcNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcRemoteRegistryAdobeHidServ (ERSvcRemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Event Log EventlogDhcp (EventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: COM+ Event System EventSystemWZCSVC (EventSystemWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Server lanmanserverWmi lanmanserverWmiNetDDE (lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess (LmHostsAudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry (LmHostsMSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry (MSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess (MSIServerRemoteRegistryRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: MUXRXROEG (muxrxroeg) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe (file missing)
O23 - Service: Network DDE NetDDEAppMgmt (NetDDEAppMgmt) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility (NetDDEdsdmFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonNetDDEdsdm (NetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonW32Time (NetlogonW32Time) - Unknown owner - .exe (file missing)
O23 - Service: Plug and Play PlugPlayThemes (PlugPlayThemes) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryAdobeHidServ (RemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryMSIServer (RemoteRegistryMSIServer) - Unknown owner - .exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsWmiApSrv (RpcSsWmiApSrv) - Unknown owner - C:\WINDOWS\system32\icsxmlo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsxmlprov (RpcSsxmlprov) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPTermService (RSVPTermService) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPUPSWZCSVC (RSVPUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes (ScheduleThemes) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes ScheduleThemesose (ScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNetlogonNetDDEdsdm (SpoolerNetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Telephony TapiSrvLmHosts (TapiSrvLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Terminal Services TermServiceUMWdf (TermServiceUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSThemes (UPSThemes) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC (UPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Time W32TimeHTTPFilter (W32TimeHTTPFilter) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvEventlogDhcp (WmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Wireless Zero Configuration WZCSVCMSIServer (WZCSVCMSIServer) - Unknown owner - .exe (file missing)
--
End of file - 8260 bytes
--------------------------------------------------------------------------------------------------------------
Only in this session does Avast run and show the Win32:Rootkit-gen (Rtk). Deleting it or moving it to the chest only calms Avast. After finishing this session, the same problem persists again, i.e. Avast gets blocked and MBAM again detects those registry hijacks and other items.
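The O23 lines in the log above show how this infection persists: dozens of services whose short name is two or more genuine XP service names glued together (lanmanserver + Wmi, UPS + WZCSVC + WmiApSrv + Eventlog + Dhcp), whose display name is the genuine one with that bogus short name appended, and whose binary is just ".exe (file missing)", plus a couple launched from the user's Temp folder. The Python script below is an added example for this thread, not code from HijackThis, ComboFix or any poster: it parses O23 lines in the HJT 2.0.2 format and flags exactly those traits. The sample lines are copied from the log above; the set of known XP service names is a hand-picked subset and an assumption of the example, not an authoritative list.

```python
"""Triage the O23 (service) lines of a HijackThis 2.0.2 log.

Added example for this thread; it is not part of HijackThis, ComboFix or
any post above. SAMPLE_LOG is copied from the log in the thread. The set
of known Windows XP service short names is a hand-picked subset and an
assumption of this example, not an authoritative list.
"""
import re
from typing import Dict, List, Set

# O23 - Service: <display> [(<short>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Assumption: subset of built-in XP service short names (lower-cased).
KNOWN_XP_SERVICES: Set[str] = {
    "alg", "appmgmt", "audiosrv", "bits", "dhcp", "dmadmin", "dmserver",
    "ersvc", "eventlog", "eventsystem", "fastuserswitchingcompatibility",
    "hidserv", "httpfilter", "lanmanserver", "lmhosts", "msiserver",
    "netdde", "netddedsdm", "netlogon", "ntlmssp", "ose", "plugplay",
    "remoteaccess", "remoteregistry", "rpcss", "rsvp", "scardsvr",
    "schedule", "spooler", "tapisrv", "termservice", "themes", "umwdf",
    "ups", "w32time", "wmi", "wmiapsrv", "wzcsvc", "xmlprov",
}

TEMP_DIRS = ("\\temp\\", "\\locals~1\\temp\\")


def is_concatenation(name: str, parts: Set[str] = KNOWN_XP_SERVICES) -> bool:
    """True if name splits into two or more known service names.

    Dynamic programming over prefixes, case-insensitive. A name that is
    itself a known service (e.g. BITS) is not flagged; only a run of at
    least two known names is (e.g. lanmanserver + Wmi).
    """
    s = name.lower()
    best = [-1] * (len(s) + 1)  # best[i]: most pieces covering s[:i]
    best[0] = 0
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] >= 0 and s[j:i] in parts:
                best[i] = max(best[i], best[j] + 1)
    return best[len(s)] >= 2


def triage_o23(line: str) -> Dict[str, object]:
    """Parse one O23 line; return its fields and a list of flags."""
    m = O23_RE.match(line.strip())
    if not m:
        raise ValueError("not an O23 line: %r" % line)
    display, owner, path = m.group("display"), m.group("owner"), m.group("path")
    short = m.group("short") or display
    flags: List[str] = []
    if m.group("missing"):
        # ".exe (file missing)" means the ImagePath names no real file.
        flags.append("no-image" if path.strip() in ("", ".exe") else "file-missing")
    if any(t in path.lower() for t in TEMP_DIRS):
        flags.append("temp-path")
    words = display.split()
    if display.lower() != short.lower() and words[-1].lower() == short.lower():
        # "Server lanmanserverWmi (lanmanserverWmi)": the genuine display
        # name of the Server service with the bogus short name appended.
        flags.append("appended-short-name")
    if is_concatenation(short):
        flags.append("concatenated-name")
    return {"display": display, "short": short, "owner": owner,
            "path": path, "flags": flags}


def suspicious_services(log_text: str) -> List[Dict[str, object]]:
    """Return the parsed O23 entries that raised at least one flag."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("O23 - Service:"):
            entry = triage_o23(line)
            if entry["flags"]:
                hits.append(entry)
    return hits


# Copied from the HijackThis log posted above (legitimate and bogus mixed).
SAMPLE_LOG = r"""
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: MUXRXROEG (muxrxroeg) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsWmiApSrv (RpcSsWmiApSrv) - Unknown owner - C:\WINDOWS\system32\icsxmlo.exe
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
"""

if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_LOG):
        print("%-32s %-45s %s" % (hit["short"], ",".join(hit["flags"]), hit["path"]))
```

Running it lists the five bogus entries from the sample with their flags and leaves the legitimate avast!, BITS, Google and CyberLink services alone. An entry flagged only as no-image is a dead stub that cannot start; one with appended-short-name or concatenated-name and a binary that is still present (RpcSsWmiApSrv pointing at icsxmlo.exe) is the one worth examining first.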
-
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with ComboFix.
-
Very, very thankful for your quick response.
The problem is that neither the program (Avast) nor any of its components (from its parent folder) is running. The Avast taskbar icon too is not being displayed, on account of those registry hacks. I thought its resident scanner was turned off, because I also didn't find any Avast process in the process manager of HJT (Task Manager is disabled!). But ComboFix warns me that the Avast scanner is running.
To turn on the main program (Avast), I first used MBAM to remove those registry hacks and restarted the PC to find the Avast main program running. I right-clicked and disabled every protection, but still the same problem with ComboFix!
I think the only solution will be to uninstall Avast. Am I correct?
-
-
I mean to say that ComboFix is still warning me to turn off the Avast scanner and then to hit OK. Should I hit OK?
-
-
Combofix log
-------------------------------------------------------------------------------------------------------
ComboFix 09-06-26.02 - Administrator 06/28/2009 22:17.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126.14 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Favorites\.url
C:\klttd323.dll
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\clofghls.dll
c:\windows\system32\_id.dat
c:\windows\system32\config\system~1\applic~1\install.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\uhmw.sys
c:\windows\system32\icsxmlo.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FCI
-------\Legacy_fips32cup
-------\Legacy_i386si
-------\Legacy_KSI32SK
-------\Legacy_NETSIK
-------\Legacy_NPF
-------\Legacy_RPCSSWMIAPSRV
-------\Legacy_TCPSR
-------\Legacy_WS2_32SIK
-------\Service_npf
-------\Service_RpcSsWmiApSrv
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.
2009-06-28 16:30 . 2009-06-28 16:30 -------- d-sh--w- C:\FOUND.060
2009-06-27 13:57 . 2009-06-27 13:57 -------- d-sh--w- C:\FOUND.059
2009-06-27 09:13 . 2009-06-27 09:13 3631375 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 16:33 . 2009-06-26 16:33 -------- d--h--w- c:\windows\$hf_mig$
2009-06-25 16:16 . 2009-06-25 16:16 -------- d-sh--w- C:\FOUND.058
2009-06-17 14:41 . 2009-06-17 14:41 -------- d-sh--w- C:\FOUND.057
2009-06-12 18:09 . 2009-06-12 18:09 -------- d-sh--w- C:\FOUND.056
2009-06-10 16:08 . 2009-06-10 16:08 -------- d-sh--w- C:\FOUND.055
2009-06-08 14:41 . 2009-06-08 14:41 -------- d-----w- c:\program files\Mario Forever Toolbar
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\program files\Winamp
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-06-04 10:33 . 2009-06-04 10:33 -------- d-sh--w- C:\FOUND.054
2009-06-02 16:06 . 2009-06-02 16:06 -------- d-sh--w- C:\FOUND.053
2009-06-02 15:42 . 2009-06-02 15:42 -------- d-sh--w- C:\FOUND.052
2009-06-01 15:57 . 2009-06-01 15:57 -------- d-sh--w- C:\FOUND.051
2009-05-31 17:36 . 2007-02-25 10:06 383238 ----a-w- c:\windows\system32\libmp3lame-0.dll
2009-05-31 17:36 . 2006-11-01 09:22 765952 ----a-w- c:\windows\system32\xvidcore.dll
2009-05-31 17:36 . 2007-02-28 22:48 4762112 ----a-w- c:\windows\system32\NCMedia.dll
2009-05-30 14:57 . 2009-05-30 14:57 -------- d-sh--w- C:\FOUND.050
2009-05-30 14:20 . 2009-05-30 14:20 -------- d-sh--w- C:\FOUND.049
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\98348586
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\18338594
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 07:50 . 2008-01-09 15:32 499712 ----a-w- c:\windows\system32\igfxtray.exe
2009-06-25 05:55 . 2008-05-16 10:32 60 ----a-w- c:\windows\wpd99.drv
2009-06-17 05:57 . 2009-05-27 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:57 . 2009-05-27 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-04 16:35 . 2009-05-24 14:22 100 --s-a-w- c:\windows\system32\4041241291.dat
2009-05-30 14:58 . 2009-05-28 06:44 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-05-29 03:19 . 2009-05-28 06:44 2 --sha-r- c:\windows\winstart.bat
2009-05-28 06:42 . 2009-05-28 06:42 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-05-28 06:42 . 2009-05-28 06:42 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-05-28 06:41 . 2009-05-28 06:41 -------- d-----w- c:\program files\Greatis
2009-05-27 19:07 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-27 18:21 . 2009-05-27 18:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 18:06 . 2009-05-25 18:06 -------- d-----w- c:\program files\Trend Micro
2009-05-18 16:58 . 2008-01-09 15:40 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 14:36 . 2009-05-12 14:36 -------- d-----w- c:\program files\PublicSoft
2009-05-12 08:43 . 2009-05-12 08:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fast Torrent
2009-05-08 08:49 . 2009-05-08 08:49 -------- d-----w- c:\program files\WinDjView
2009-05-07 15:46 . 2009-05-07 15:45 162816 ----a-w- c:\windows\system32\fmod.dll
2009-05-07 15:20 . 2009-05-07 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-07 15:11 . 2009-05-07 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
.
------- Sigcheck -------
[-] 2004-08-03 12:14 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\system32\drivers\tcpip.sys
[-] 2004-08-03 12:14 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-28 499712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-09-08 114688]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-04-24 132608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq62.sys]
@="Driver"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"e:\\Program Files\\Rediff Bol\\RediffMessenger.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\hkcmd.exe"= c:\\WINDOWS\\system32\\hkcmd.exe
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\3quuvdu7.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThise.exe"=
"e:\\Program Files\\Mario Forever\\Mario Forever.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2008 5:17 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2008 5:17 PM 20560]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lhllpn.sys --> c:\windows\system32\drivers\lhllpn.sys [?]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [1/9/2008 9:10 PM 18004]
S0 dfzIw;dfzIw;c:\windows\system32\drivers\chlixoxc.sys --> c:\windows\system32\drivers\chlixoxc.sys [?]
S0 kxzkm;kxzkm;c:\windows\system32\drivers\wwzbgb.sys --> c:\windows\system32\drivers\wwzbgb.sys [?]
S0 Winkq62;Winkq62;c:\windows\system32\Drivers\Winkq62.sys --> c:\windows\system32\Drivers\Winkq62.sys [?]
S0 Yla19;Yla19; [x]
S1 d1d76351;d1d76351;c:\windows\system32\drivers\d1d76351.sys --> c:\windows\system32\drivers\d1d76351.sys [?]
S1 e43d787d;e43d787d;c:\windows\system32\drivers\e43d787d.sys --> c:\windows\system32\drivers\e43d787d.sys [?]
S2 AdobeHidServ;Adobe LM Service AdobeHidServ; srv --> srv [?]
S2 ALGlanmanserverWmi;Application Layer Gateway Service ALGlanmanserverWmi; srv --> srv [?]
S2 AudioSrvRemoteAccess;Windows Audio AudioSrvRemoteAccess; srv --> srv [?]
S2 AudioSrvScheduleThemesose;Windows Audio AudioSrvScheduleThemesose; srv --> srv [?]
S2 AudioSrvUPSWZCSVC;Windows Audio AudioSrvUPSWZCSVC; srv --> srv [?]
S2 avast!lanmanserverWmiNetDDE;avast! Web Scanner avast!lanmanserverWmiNetDDE; srv --> srv [?]
S2 dmadminSCardSvr;Logical Disk Manager Administrative Service dmadminSCardSvr; srv --> srv [?]
S2 dmserverBITS;Logical Disk Manager dmserverBITS; srv --> srv [?]
S2 ERSvcNtLmSsp;Error Reporting Service ERSvcNtLmSsp; srv --> srv [?]
S2 ERSvcRemoteRegistryAdobeHidServ;Error Reporting Service ERSvcRemoteRegistryAdobeHidServ; srv --> srv [?]
S2 EventlogDhcp;Event Log EventlogDhcp; srv --> srv [?]
S2 EventSystemWZCSVC;COM+ Event System EventSystemWZCSVC; srv --> srv [?]
S2 lanmanserverWmi;Server lanmanserverWmi; srv --> srv [?]
S2 lanmanserverWmiNetDDE;Server lanmanserverWmi lanmanserverWmiNetDDE; srv --> srv [?]
S2 LmHostsAudioSrvRemoteAccess;TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess; srv --> srv [?]
S2 LmHostsMSIServerRemoteRegistry;TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry; srv --> srv [?]
S2 MSIServerRemoteRegistry;Windows Installer MSIServerRemoteRegistry; srv --> srv [?]
S2 MSIServerRemoteRegistryRemoteAccess;Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess; srv --> srv [?]
S2 NetDDEAppMgmt;Network DDE NetDDEAppMgmt; srv --> srv [?]
S2 NetDDEdsdmFastUserSwitchingCompatibility;Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility; srv --> srv [?]
S2 NetlogonNetDDEdsdm;Net Logon NetlogonNetDDEdsdm; srv --> srv [?]
S2 NetlogonW32Time;Net Logon NetlogonW32Time; srv --> srv [?]
S2 PlugPlayThemes;Plug and Play PlugPlayThemes; srv --> srv [?]
S2 RemoteRegistryAdobeHidServ;Remote Registry RemoteRegistryAdobeHidServ; srv --> srv [?]
S2 RemoteRegistryMSIServer;Remote Registry RemoteRegistryMSIServer; srv --> srv [?]
S2 RpcSsxmlprov;Remote Procedure Call (RPC) RpcSsxmlprov; srv --> srv [?]
S2 RSVPTermService;QoS RSVP RSVPTermService; srv --> srv [?]
S2 RSVPUPSWZCSVC;QoS RSVP RSVPUPSWZCSVC; srv --> srv [?]
S2 ScheduleThemes;Schedule ScheduleThemes; srv --> srv [?]
S2 ScheduleThemesose;Schedule ScheduleThemes ScheduleThemesose; srv --> srv [?]
S2 SpoolerNetlogonNetDDEdsdm;Print Spooler SpoolerNetlogonNetDDEdsdm; srv --> srv [?]
S2 TapiSrvLmHosts;Telephony TapiSrvLmHosts; srv --> srv [?]
S2 TermServiceUMWdf;Terminal Services TermServiceUMWdf; srv --> srv [?]
S2 UPSThemes;Uninterruptible Power Supply UPSThemes; srv --> srv [?]
S2 UPSWZCSVC;Uninterruptible Power Supply UPSWZCSVC; srv --> srv [?]
S2 UPSWZCSVCWmiApSrvEventlogDhcp;Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp; srv --> srv [?]
S2 W32TimeHTTPFilter;Windows Time W32TimeHTTPFilter; srv --> srv [?]
S2 WmiApSrvEventlogDhcp;WMI Performance Adapter WmiApSrvEventlogDhcp; srv --> srv [?]
S2 WZCSVCMSIServer;Wireless Zero Configuration WZCSVCMSIServer; srv --> srv [?]
S3 muxrxroeg;MUXRXROEG;c:\docume~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe [?]
S3 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [5/28/2009 12:12 PM 34760]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [3/30/2009 2:47 PM 48896]
S3 regguard;RegGuard;c:\windows\system32\drivers\regguard.sys [5/28/2009 12:14 PM 29584]
S4 fjl;fjl;c:\docume~1\ADMINI~1\LOCALS~1\Temp\FJL.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\FJL.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 16:14]
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)
Notify-!saswinlogon - c:\program files\SUPERAntiSpyware\SASWINLO.dll
SafeBoot-Gmr30.sys
SafeBoot-Winag17.sys
SafeBoot-Winag28.sys
SafeBoot-Winag40.sys
SafeBoot-Winag51.sys
SafeBoot-Winag62.sys
SafeBoot-Winag84.sys
SafeBoot-Winci05.sys
SafeBoot-Winci84.sys
SafeBoot-Windj30.sys
SafeBoot-Windj51.sys
SafeBoot-Winek17.sys
SafeBoot-Winfl27.sys
SafeBoot-Winfl38.sys
SafeBoot-Winfl40.sys
SafeBoot-Winfl74.sys
SafeBoot-Wingm17.sys
SafeBoot-Wingm38.sys
SafeBoot-Wingm84.sys
SafeBoot-Winhn73.sys
SafeBoot-Winhn84.sys
SafeBoot-Winio84.sys
SafeBoot-Winkq06.sys
SafeBoot-Winkq17.sys
SafeBoot-Winms05.sys
SafeBoot-Winms16.sys
SafeBoot-Winms27.sys
SafeBoot-Winms28.sys
SafeBoot-Winnt38.sys
SafeBoot-Winnt51.sys
SafeBoot-Winou40.sys
SafeBoot-Winou51.sys
SafeBoot-Winou74.sys
SafeBoot-Winpv73.sys
SafeBoot-Winpw51.sys
SafeBoot-Winqw16.sys
SafeBoot-Winqw62.sys
SafeBoot-Winrx07.sys
SafeBoot-Winrx16.sys
SafeBoot-Winrx17.sys
SafeBoot-Winrx74.sys
SafeBoot-Winsy06.sys
SafeBoot-Winsy16.sys
SafeBoot-Winsy17.sys
SafeBoot-Winsy27.sys
SafeBoot-Winsy38.sys
SafeBoot-Winsy51.sys
SafeBoot-Winsy73.sys
SafeBoot-Winta40.sys
SafeBoot-Winta84.sys
SafeBoot-Winta85.sys
SafeBoot-Wintb17.sys
SafeBoot-Winub73.sys
SafeBoot-Winvc27.sys
SafeBoot-Winvc38.sys
SafeBoot-Winvc63.sys
SafeBoot-Winwd06.sys
SafeBoot-Winwd51.sys
SafeBoot-Winwd62.sys
SafeBoot-Winxe16.sys
SafeBoot-Winxe17.sys
SafeBoot-Winxe30.sys
SafeBoot-Winxe73.sys
SafeBoot-Winxf28.sys
SafeBoot-Winyf16.sys
SafeBoot-Winyf38.sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orissalinks.com/archive
IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
TCP: {DD82BFDE-F7A3-44E7-9B0D-81EEA9F6F16D} = 218.248.255.162 218.248.255.194
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyi0rjd6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Ehu&q=displacement+current+filetype%3Aswf&btnG=Search&meta=
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-28 22:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\sccfg.sys 8192 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AdobeHidServ]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALGlanmanserverWmi]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvRemoteAccess]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvScheduleThemesose]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvUPSWZCSVC]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\avast!lanmanserverWmiNetDDE]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmadminSCardSvr]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmserverBITS]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcNtLmSsp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcRemoteRegistryAdobeHidServ]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventlogDhcp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventSystemWZCSVC]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmi]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmiNetDDE]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsAudioSrvRemoteAccess]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsMSIServerRemoteRegistry]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistry]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistryRemoteAccess]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEAppMgmt]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEdsdmFastUserSwitchingCompatibility]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonNetDDEdsdm]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonW32Time]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PlugPlayThemes]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryAdobeHidServ]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryMSIServer]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RpcSsxmlprov]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPTermService]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPUPSWZCSVC]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemes]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemesose]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SpoolerNetlogonNetDDEdsdm]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TapiSrvLmHosts]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermServiceUMWdf]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSThemes]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVC]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVCWmiApSrvEventlogDhcp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\W32TimeHTTPFilter]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApSrvEventlogDhcp]
"ImagePath"=" srv"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WZCSVCMSIServer]
"ImagePath"=" srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3840)
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-06-28 22:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 17:00
Pre-Run: 3,130,220,544 bytes free
Post-Run: 3,617,447,936 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
403
------------------------------------------------------------------------------------------------------
HJT log after the combofix operation
-------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:59 PM, on 6/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Archive
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD82BFDE-F7A3-44E7-9B0D-81EEA9F6F16D}: NameServer = 218.248.255.162 218.248.255.194
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Application Layer Gateway Service ALGlanmanserverWmi (ALGlanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvUPSWZCSVC (AudioSrvUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager dmserverBITS (dmserverBITS) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcNtLmSsp (ERSvcNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcRemoteRegistryAdobeHidServ (ERSvcRemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Event Log EventlogDhcp (EventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: COM+ Event System EventSystemWZCSVC (EventSystemWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Server lanmanserverWmi lanmanserverWmiNetDDE (lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess (LmHostsAudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry (LmHostsMSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry (MSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess (MSIServerRemoteRegistryRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: MUXRXROEG (muxrxroeg) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe (file missing)
O23 - Service: Network DDE NetDDEAppMgmt (NetDDEAppMgmt) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility (NetDDEdsdmFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonNetDDEdsdm (NetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonW32Time (NetlogonW32Time) - Unknown owner - .exe (file missing)
O23 - Service: Plug and Play PlugPlayThemes (PlugPlayThemes) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryAdobeHidServ (RemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryMSIServer (RemoteRegistryMSIServer) - Unknown owner - .exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsxmlprov (RpcSsxmlprov) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPTermService (RSVPTermService) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPUPSWZCSVC (RSVPUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes (ScheduleThemes) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes ScheduleThemesose (ScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNetlogonNetDDEdsdm (SpoolerNetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Telephony TapiSrvLmHosts (TapiSrvLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Terminal Services TermServiceUMWdf (TermServiceUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSThemes (UPSThemes) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC (UPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Time W32TimeHTTPFilter (W32TimeHTTPFilter) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvEventlogDhcp (WmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Wireless Zero Configuration WZCSVCMSIServer (WZCSVCMSIServer) - Unknown owner - .exe (file missing)
--
End of file - 8184 bytes
-------------------------------------------------------------------------------------------------------
Thank you
-
Just now I was again shown the error message:
-
Again after restarting, Avast started. Shortly afterwards the usual message:
-
After the next restart Avast has started (unlike before), but the above dialog is displayed and it gets disabled.