I use Windows XP... in the toolbar I have PC Tools Spyware Doctor, Avast Antivirus Pro and Outpost Firewall Pro... I also have Registry Mechanic and Uniblue Registry Booster to hand...
Recently my PC has been showing a box that says something about generic host process has an error; doesn't matter if I press 'Send' or 'Don't Send', within a few minutes my task bar and start menu revert back to the Windows 98 style and I have no option allowing me to change it back. Also after this I lose all sound that is coming from the net, 'YouTube, radio, etc.'... I have run all my anti-spyware, anti-virus, everything, but the report always comes back clean... also there is something from the outside constantly trying to connect itself to some file csrss.exe in my system32 folder... I have been told this is safe but I dunno cos I ain't never seen it before... Also when I search Google, despite the link I am looking for I end up redirected to some abstract site nothing to do with my search almost 75% of the time and have to manually copy the address myself...
I ain't no whizz but to me it sounds like spyware or a virus, but all my checks come back clean... shed some light on this for me please
edit:
The exact message for the generic process is that of a usual box when something crashes... it says "Generic Host Process For Win32 Services Has Encountered An Error And Needs To Close"... it then gives me the usual Send, Don't Send buttons...
I ran my PC Tools Spyware Doctor this morning and it said that it had found a 'trojan' in a file called sdra64.exe... I googled it and it certainly appeared to find it as a virus... there were instructions to use Process Explorer to search and delete it that way but it never showed up... I assume that when I told Spyware Doctor to fix it, that did the trick...
I followed the instructions further and they told me the place where this file would be... windows/system32... I looked and indeed it was not there, nor was the folder lowsec associated with it...
Despite this I am still having the same trouble as described before the edit with my toolbar and browser and generic host crash, etc...
please help
Also could someone explain this to me... whilst I was in my Windows folder I noticed that some of the folder and file names were blue instead of the usual black... what does this mean?
many thanks
> I also have Registry Mechanic and Uniblue Registry Booster to hand...
Please uninstall both immediately. Registry tools are nothing else but a disaster waiting to happen.
> whilst I was in my Windows folder I noticed that some of the folder and file names were blue instead of the usual black... what does this mean?
It's normal. Blue folders are compressed folders.
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***
STEP 1. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 2. Download GMER: GMER - Rootkit Detector and Remover, by clicking on the Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.15281 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
When the scan is completed, click the Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
RESTART COMPUTER
STEP 3. Download HijackThis:
HijackThis - Trend Micro USA
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackThis log.
NOTE. If you're using Vista or 7, right-click on HijackThis and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
I have run the programs suggested; however, during the scan with GMER it got to a file called atapi.sys and stopped responding, then my PC froze completely for about 10 mins before shutting GMER down... I did manage to get the first logs for it though
<<mbam log 1>>
Malwarebytes' Anti-Malware 1.44
Database version: 3732
Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106
13/02/2010 13:46:15
mbam-log-2010-02-13 (13-46-09).txt
Scan type: Quick Scan
Objects scanned: 133607
Time elapsed: 12 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\(default) (Rogue.AdwareAlert) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> No action taken.
Files Infected:
C:\Recycler\S-1-5-21-1177238915-1004336348-839522115-1004\Dc58.tmp (Trojan.Hiloti) -> No action taken.
C:\Recycler\S-1-5-21-1177238915-1004336348-839522115-1004\Dc34.tmp (Trojan.FakeAlert) -> No action taken.
C:\RECYCLER\S-1-5-21-1177238915-1004336348-839522115-1004\Dc182.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\INTERNET ONLY\Local Settings\temp\Ogj.exe (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\len3pu.dll (Trojan.Hiloti) -> No action taken.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000016de.tmp (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> No action taken.
<<mbam log 2 >>
Malwarebytes' Anti-Malware 1.44
Database version: 3732
Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106
13/02/2010 13:50:51
mbam-log-2010-02-13 (13-50-51).txt
Scan type: Quick Scan
Objects scanned: 133607
Time elapsed: 12 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\(default) (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Quarantined and deleted successfully.
Files Infected:
C:\Recycler\S-1-5-21-1177238915-1004336348-839522115-1004\Dc58.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Recycler\S-1-5-21-1177238915-1004336348-839522115-1004\Dc34.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1177238915-1004336348-839522115-1004\Dc182.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\INTERNET ONLY\Local Settings\temp\Ogj.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\len3pu.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000016de.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Seeing that makes it patently obvious that there were indeed some viruses that Spyware Doctor and Avast had not noticed in their scans
<<gmer log 1>>
GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit quick scan 2010-02-13 14:12:14
Windows 5.1.2600 Service Pack 1
Running: gmer.exe; Driver: C:\DOCUME~1\INTERN~1\LOCALS~1\Temp\aweyrpod.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\System32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xF50158A0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8366A8D4
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
That's all I could get from GMER; as I said, it stopped responding during the scan
<<hijack this log>>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:20:36, on 13/02/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Welcome to Internet Explorer 6.0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\Msdxm6.ocx
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dumps_startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\BookWorm\Images\armhelper.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)
--
End of file - 6920 bytes
And that's it, thanks for the help, hope you can make my PC well again!
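For triaging a HijackThis log like the one posted above, here is an added example (not code from the thread, and not Trend Micro's own HijackThis logic) that parses the R/O entry lines and flags the entry types a helper inspects first: O15 Trusted Zone additions, O23 services with a missing binary or no vendor, the O10 unknown Winsock LSP and the O14 IERESET start page. The sample lines are constructed from the log above, and the flagging rules are triage heuristics assumed here, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = Search
O4 - HKLM\\..\\Run: [avast5] C:\\PROGRA~1\\ALWILS~1\\Avast5\\avastUI.exe /nogui
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\\WINDOWS\\runservice.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\\WINDOWS\\System32\\mqsv32.exe (file missing)
O23 - Service: XoftSpyService - Unknown owner - C:\\Program Files\\Common Files\\XoftSpySE\\6\\xoftspyservice.exe (file missing)
"""

# Every HijackThis finding line starts with a section tag such as "R0 - " or "O23 - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return {section: [body, ...]} for every 'Rn - ...' / 'On - ...' line.

    Header lines and the running-process list do not match ENTRY_RE and are skipped.
    """
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("sec")].append(m.group("body"))
    return entries


def triage(text):
    """Return a list of (section, reason, body) findings worth a second look.

    Heuristic rules (assumed for this example): they mirror what a helper reads
    first in such a log and do not decide by themselves whether an entry is bad.
    """
    findings = []
    for sec, bodies in parse_entries(text).items():
        for body in bodies:
            if sec == "O15":
                # Trusted Zone entries lower IE's security settings for the listed
                # hosts; legitimate software rarely adds wildcard domains here.
                findings.append((sec, "trusted zone addition", body))
            elif sec == "O23":
                # A service whose binary is gone is leftover residue; a service with
                # no vendor string needs its path checked by hand.
                if "(file missing)" in body:
                    findings.append((sec, "service binary missing", body))
                elif "Unknown owner" in body:
                    findings.append((sec, "service without vendor", body))
            elif sec == "O10":
                # An LSP HijackThis cannot identify sits in the network stack of
                # every Winsock application on the machine.
                findings.append((sec, "unknown Winsock LSP", body))
            elif sec == "O14":
                # IERESET.INF is what "Reset Web Settings" restores; an overridden
                # start page there survives a browser reset.
                findings.append((sec, "IE reset start page overridden", body))
    return findings


def trusted_zone_hosts(text):
    """Extract the host patterns from O15 lines, e.g. '*.buy-is2010.com'."""
    hosts = []
    for body in parse_entries(text).get("O15", []):
        m = re.search(r"https?://(\S+)", body)
        if m:
            hosts.append(m.group(1))
    return hosts


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:>4}  {reason:<32}  {body}")
```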
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with ComboFix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Combo Fix Log
ComboFix 10-02-12.01 - Miz 13/02/2010 19:57:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.735.532 [GMT 0:00]
Running from: c:\documents and settings\INTERNET ONLY\My Documents\dowloads\New Folder\ComboFix.exe
.
/wow section - STAGE 4
'play.lnk' is not recognized as an internal or external command
'Malware' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
'Malware' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\INTERNET ONLY\Application Data\Desktopicon
c:\documents and settings\INTERNET ONLY\Application Data\Desktopicon\config.ini
c:\documents and settings\INTERNET ONLY\Application Data\Desktopicon\eBayShortcuts.exe
c:\windows\EventSystem.log
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\4.tmp
c:\windows\system32\5.tmp
c:\windows\system32\msvcsv60.dll
c:\windows\system32\SHELLLNK.TLB
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0020\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.
2010-02-13 19:41 . 2010-02-13 19:41 -------- d-----w- c:\documents and settings\Miz\Application Data\SUPERAntiSpyware.com
2010-02-13 19:29 . 2010-02-13 19:29 -------- d-----w- c:\program files\Bullfrog
2010-02-13 15:46 . 2010-02-13 15:46 -------- d-----w- c:\program files\Sophos
2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com
2010-02-13 14:20 . 2010-02-13 14:20 -------- d-----w- c:\program files\Trend Micro
2010-02-13 13:54 . 2010-02-13 13:54 54016 ----a-w- c:\windows\system32\drivers\ivlxc.sys
2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Malwarebytes
2010-02-13 09:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-13 09:39 . 2010-01-07 16:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 12:28 . 2010-02-12 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2010-02-12 12:25 . 2010-02-12 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-02-12 12:24 . 2010-02-13 19:35 -------- d-----w- c:\program files\Alawar
2010-02-12 12:17 . 2002-09-03 16:39 930304 ----a-w- c:\windows\system32\Ole32drv.DLL
2010-02-12 12:14 . 2010-02-12 12:16 -------- d-----w- c:\program files\EzGenerator3
2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\windows\system32\aspi
2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\program files\intelliScore Ensemble
2010-02-11 15:46 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\Miz\Application Data\Absolutist
2010-02-11 15:46 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Absolutist
2010-02-11 15:39 . 2010-02-11 15:40 -------- d-----w- c:\documents and settings\Miz\Application Data\OnlineArmor
2010-02-11 15:02 . 2009-04-06 11:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2010-02-11 15:02 . 2009-02-10 16:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2010-02-11 15:02 . 2009-02-18 17:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2010-02-11 15:02 . 2010-02-11 15:02 -------- d-----w- c:\program files\Agnitum
2010-02-11 15:01 . 2010-02-11 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2010-02-11 14:55 . 2010-02-11 14:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OnlineArmor
2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-02-11 14:55 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-02-11 14:55 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-02-11 14:55 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\program files\Tall Emu
2010-02-11 12:14 . 2010-02-11 12:14 -------- d-----w- c:\documents and settings\Miz\Application Data\Uniblue
2010-02-11 12:14 . 2010-02-11 12:14 -------- d-----w- c:\program files\Uniblue
2010-02-11 10:44 . 2002-08-29 01:32 57856 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-02-11 10:44 . 2002-08-29 01:32 57856 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-02-11 10:44 . 2002-08-29 02:01 134272 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-02-11 10:44 . 2002-08-29 02:01 134272 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-02-11 09:18 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-11 09:18 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-11 09:18 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-11 09:17 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-11 09:17 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-11 09:17 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-11 09:17 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-11 09:17 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-10 21:16 . 2010-02-11 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-10 21:16 . 2010-02-10 21:16 -------- d-----w- c:\program files\Alwil Software
2010-02-10 16:49 . 2010-02-10 16:51 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2010-02-10 16:49 . 2007-12-10 14:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2010-02-10 16:49 . 2007-12-10 14:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2010-02-10 16:49 . 2007-12-10 14:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2010-02-10 16:49 . 2010-02-11 16:33 -------- d-----w- c:\program files\Spyware Doctor
2010-02-10 16:49 . 2010-02-10 16:49 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\PC Tools
2010-02-10 16:25 . 2010-02-10 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-10 16:19 . 2010-02-10 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-10 11:45 . 2010-02-10 11:45 -------- d-----w- c:\documents and settings\Miz\Application Data\Spyware Terminator
2010-02-10 11:39 . 2010-02-10 11:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-10 11:30 . 2010-02-10 11:30 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-02-10 11:05 . 2010-02-10 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-02-10 11:03 . 2010-02-10 11:03 -------- d-----w- c:\program files\Common Files\iS3
2010-02-10 11:03 . 2010-02-10 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-09 18:30 . 2010-02-09 18:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-09 18:30 . 2010-02-09 18:30 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\skypePM
2010-02-09 18:25 . 2010-02-09 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-09 10:22 . 2010-02-10 15:55 -------- d-----w- c:\program files\WNAS
2010-02-08 14:23 . 2009-08-06 19:24 209632 ----a-w- c:\windows\system32\wuweb.dll
2010-02-08 14:23 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-08 14:23 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-05 08:53 . 2010-02-05 08:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Sony
2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Publish Providers
2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NetMedia Providers
2010-02-04 14:09 . 2010-02-04 14:09 -------- d-----w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\Sony
2010-02-04 12:25 . 2010-02-04 12:25 -------- d-----w- c:\documents and settings\Miz\Local Settings\Application Data\Oberon Games
2010-02-04 12:11 . 2010-02-04 12:11 -------- d-----w- c:\documents and settings\Miz\Saved Games
2010-02-03 18:43 . 2010-02-04 12:04 -------- d-----w- c:\documents and settings\Miz\Application Data\MysteryStudio
2010-02-03 18:29 . 2010-02-03 18:42 -------- d-----w- c:\program files\FreeGamePick.com
2010-02-03 14:20 . 2010-02-03 14:20 -------- d-----w- c:\documents and settings\Miz\Application Data\SerpentOfIsis
2010-02-02 13:56 . 2004-02-25 18:19 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_9.dll
2010-02-02 13:56 . 2004-01-15 12:41 65536 ----a-w- c:\windows\system32\NI_DFD_1_2_8.dll
2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_7.dll
2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD.dll
2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_KOMPAKT.dll
2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_4.dll
2010-02-02 13:56 . 2004-06-07 13:18 258048 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-02-01 19:31 . 2010-02-01 19:31 -------- d-----w- c:\program files\Total War
2010-02-01 08:40 . 2010-02-01 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\East West
2010-01-31 18:42 . 2010-01-31 18:42 -------- d-----w- c:\program files\Stringer
2010-01-31 18:40 . 2002-09-03 16:46 323072 ----a-w- c:\windows\system32\msvcrt.dll
2010-01-31 18:39 . 2010-01-31 18:40 -------- d-----w- c:\windows\speech
2010-01-31 18:39 . 2010-01-31 18:39 -------- d-----w- c:\program files\VoiceMX
2010-01-31 18:39 . 2001-10-13 23:48 28672 ----a-w- c:\windows\system32\SmartMenuXP.dll
2010-01-31 11:10 . 2010-01-31 11:11 -------- d-----w- c:\documents and settings\Miz\Application Data\GetRightToGo
2010-01-26 11:59 . 2010-01-26 11:59 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\KORG
2010-01-25 20:10 . 2010-01-25 20:10 -------- d-----w- c:\documents and settings\Miz\Application Data\KORG
2010-01-25 20:05 . 2010-01-25 20:05 -------- d-----w- c:\documents and settings\Miz\Application Data\Music Recognition
2010-01-25 20:04 . 2010-01-25 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\KORG
2010-01-25 16:10 . 2010-01-25 16:10 -------- d-----w- c:\program files\Audacity
2010-01-25 15:23 . 2010-01-25 15:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-23 10:57 . 2003-11-12 23:38 510976 ----a-w- c:\windows\system32\synsoacc.dll
2010-01-19 12:52 . 2010-02-03 14:00 -------- d-----w- c:\program files\bfgclient
2010-01-19 12:52 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-01-18 22:01 . 2010-01-18 22:01 -------- d-----w- c:\documents and settings\Miz\Local Settings\Application Data\Xara Online Dreamweaver Cache
2010-01-18 21:54 . 2010-01-18 21:54 -------- d-----w- c:\program files\DatawareGames
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 20:06 . 2009-11-20 16:51 857 --sha-w- c:\windows\system32\mmf.sys
2010-02-13 19:46 . 2002-08-13 23:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-13 19:41 . 2010-02-13 19:41 52224 ----a-w- c:\documents and settings\Miz\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-13 19:41 . 2010-02-13 19:41 117760 ----a-w- c:\documents and settings\Miz\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-13 19:36 . 2010-01-05 10:18 -------- d-----w- c:\program files\Native Instruments
2010-02-13 16:03 . 2010-01-09 20:06 2464 ----a-w- c:\program files\Absynth 1.3 prefs.ini
2010-02-13 15:45 . 2010-02-13 15:45 52224 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-13 15:44 . 2010-02-13 15:44 117760 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-13 15:44 . 2009-09-26 16:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-12 19:48 . 2007-12-01 23:43 141192 ----a-w- c:\documents and settings\Miz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-11 16:49 . 2009-12-15 08:16 -------- d-----w- c:\program files\Registry Easy
2010-02-11 12:16 . 2009-09-18 17:19 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Uniblue
2010-02-10 22:28 . 2008-01-27 00:09 -------- d-----w- c:\program files\CROSS
2010-02-10 22:25 . 2009-09-16 11:36 141192 ----a-w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 16:08 . 2009-09-18 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-10 15:33 . 2008-01-19 22:08 -------- d-----w- c:\program files\Java
2010-02-10 11:08 . 2010-02-10 11:08 200 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-02-10 11:07 . 2010-02-10 11:07 1192 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-09 21:14 . 2007-03-28 15:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-09 21:13 . 2010-01-08 20:58 -------- d-----w- c:\program files\Sony
2010-02-09 16:46 . 2009-04-19 19:16 -------- d-----w- c:\program files\LG PC Suite II
2010-02-04 14:06 . 2010-01-08 20:57 -------- d-----w- c:\program files\Sony Setup
2010-02-01 20:04 . 2009-08-14 19:05 1575 -c--a-w- c:\windows\eReg.dat
2010-02-01 08:55 . 2010-01-04 16:18 -------- d-----w- c:\documents and settings\Miz\Application Data\PACE Anti-Piracy
2010-02-01 08:55 . 2010-01-04 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2010-01-31 09:10 . 2009-12-29 12:14 -------- d-----w- c:\documents and settings\Miz\Application Data\NCH Swift Sound
2010-01-24 18:00 . 2009-12-10 09:53 48 ----a-w- c:\windows\msocreg32.dat
2010-01-18 20:29 . 2007-12-14 16:20 -------- d-----w- c:\program files\Xara
2010-01-18 20:29 . 2007-03-27 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Auslogics
2010-01-12 21:44 . 2010-01-12 21:44 -------- d-----w- c:\program files\FDF
2010-01-11 12:01 . 2007-08-08 21:24 -------- d-----w- c:\program files\Image-Line
2010-01-10 21:07 . 2010-01-10 21:07 -------- d-----w- c:\program files\Pro-53
2010-01-10 20:09 . 2010-01-10 20:09 -------- d-----w- c:\documents and settings\Miz\Application Data\Deckadance
2010-01-10 18:44 . 2010-01-10 18:39 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-01-10 18:31 . 2010-01-10 18:31 -------- d-----w- c:\program files\Tone2
2010-01-10 18:27 . 2010-01-10 18:27 -------- d-----w- c:\program files\ASIO4ALL v2
2010-01-09 18:01 . 2009-12-10 09:38 -------- d-----w- c:\program files\IK Multimedia
2010-01-09 18:01 . 2010-01-09 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\IK Multimedia
2010-01-09 15:12 . 2010-01-09 15:12 -------- d-----w- c:\program files\Absynth 1.3
2010-01-08 20:59 . 2010-01-08 20:59 -------- d-----w- c:\documents and settings\Miz\Application Data\Sony
2010-01-05 22:19 . 2010-01-01 12:55 -------- d-----w- c:\program files\Google
2010-01-05 12:40 . 2010-01-05 12:37 -------- d-----w- c:\program files\Waves
2010-01-05 12:39 . 2010-01-05 12:39 -------- d-----w- c:\documents and settings\Miz\Application Data\Waves Preferences
2010-01-04 16:18 . 2010-01-04 16:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-04 16:12 . 2010-01-04 16:12 -------- d-----w- c:\program files\InterLok
2010-01-04 16:10 . 2010-01-04 16:10 -------- d-----w- c:\program files\delaydots
2010-01-04 11:16 . 2010-01-04 11:08 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
2010-01-02 13:16 . 2009-12-31 08:37 -------- d-----w- c:\program files\SWiSH Max2
2010-01-02 13:16 . 2009-12-29 12:06 -------- d-----w- c:\program files\NCH Swift Sound
2010-01-01 20:09 . 2007-04-07 16:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-01 20:06 . 2009-12-30 11:12 -------- d-----w- c:\program files\AnvSoft Web FLV Player Free
2009-12-31 08:52 . 2009-12-31 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SWiSHMax2WorkFolder
2009-12-31 08:38 . 2009-12-31 08:38 -------- d-----w- c:\program files\Common Files\SWiSHzone.com
2009-12-30 10:19 . 2009-12-30 10:17 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\itsourtree
2009-12-30 09:36 . 2009-12-30 09:36 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Family Tree Pilot
2009-12-30 08:17 . 2009-12-29 18:59 -------- d-----w- c:\program files\MyHeritage
2009-12-29 19:51 . 2009-12-29 19:51 -------- d-----w- c:\documents and settings\Miz\Application Data\MyHeritage
2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\MyHeritage
2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MyHeritage
2009-12-29 14:56 . 2009-12-29 09:56 -------- d-----w- c:\program files\Super Internet TV
2009-12-29 14:56 . 2009-12-28 14:08 -------- d-----w- c:\program files\RapidSolution
2009-12-29 14:55 . 2009-12-27 19:30 -------- d-----w- c:\program files\NCH Software
2009-12-29 12:15 . 2009-12-29 12:15 -------- d-----w- c:\documents and settings\Miz\Application Data\NCH Software
2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Software
2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-12-29 12:08 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Swift Sound
2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OverDrive
2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\program files\OverDrive Media Console
2009-12-28 18:19 . 2009-12-28 17:55 -------- d-----w- c:\program files\NoteCable
2009-12-28 17:56 . 2009-12-28 17:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NoteCable
2009-12-28 15:22 . 2009-12-28 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\RapidSolution
2009-12-28 14:29 . 2009-12-28 13:46 -------- d-----w- c:\program files\Mp3 Convert Master
2009-12-28 14:28 . 2009-12-28 13:36 -------- d-----w- c:\program files\MP3 Convert Lord
2009-12-28 14:11 . 2009-12-28 14:11 476512 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
2009-12-28 14:11 . 2009-12-28 14:11 169312 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
2009-12-28 14:11 . 2009-12-28 14:11 128352 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
2009-12-28 14:11 . 2009-12-28 14:11 99680 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
2009-12-28 14:11 . 2009-12-28 14:11 230752 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
2009-12-28 14:11 . 2009-12-28 14:11 120160 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
2009-12-28 14:11 . 2009-12-28 14:11 87392 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
2009-12-28 14:11 . 2009-12-28 14:11 140640 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
2009-12-28 13:53 . 2009-12-28 13:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AccurateRip
2009-12-28 13:52 . 2008-01-07 00:52 5640880 -c--a-w- c:\windows\system32\SpoonUninstall.exe
2009-12-28 13:26 . 2009-10-20 12:59 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-27 20:51 . 2009-12-27 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
2009-12-27 19:46 . 2009-12-27 19:46 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AVS4YOU
2009-12-27 19:25 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-23 23:22 . 2009-12-23 23:21 -------- d-----w- c:\documents and settings\DVD\Application Data\.clamwin
2009-12-23 22:59 . 2009-12-23 22:59 53 ----a-w- c:\windows\DelToolbox.bat
2009-12-22 16:50 . 2009-12-22 16:50 25214 ----a-r- c:\documents and settings\Miz\Application Data\Microsoft\Installer\{F1A36967-8AF5-4BDB-90BB-F6B2750839E1}\_294823.exe
2009-12-22 16:50 . 2009-12-22 16:50 25214 ----a-r- c:\documents and settings\Miz\Application Data\Microsoft\Installer\{F1A36967-8AF5-4BDB-90BB-F6B2750839E1}\_18be6784.exe
2009-12-22 16:50 . 2009-12-22 16:50 -------- d-----w- c:\program files\SynthEdit
2009-12-21 14:34 . 2009-12-28 15:42 25120 ----a-w- c:\windows\system32\drivers\rsvcdwdr.sys
2009-12-21 14:34 . 2009-12-21 14:34 27168 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
2009-12-11 10:15 . 2009-12-11 10:09 720896 ----a-w- c:\windows\iun6002.exe
2009-12-02 13:56 . 2009-12-02 13:56 92792 ----a-w- c:\windows\system32\drivers\tpkd.sys
2009-12-02 13:51 . 2009-12-02 13:51 54328 ----a-w- c:\windows\system32\drivers\iLokDrvr.sys
.
------- Sigcheck -------
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-03 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"link"= 00000000
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi3"=usbmn1x1.dll
"midi4"=usbmn1x1.dll
"midi7"=usbmn1x1.dll
"midi8"=usbmn1x1.dll
"midi9"=usbmn1x1.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/02/2010 09:18 162512]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/02/2010 15:02 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/02/2010 15:02 1195008]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [20/11/2009 16:41 2560]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/02/2010 15:02 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/02/2010 15:02 257432]
R3 cdiport;cdiport;c:\windows\system32\drivers\cdiport.sys [08/04/2007 22:30 72064]
R3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys [03/01/2010 10:40 5664]
R3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys [03/01/2010 10:39 23328]
S0 nullcd;nullcd; [x]
S2 MSMQSVC;Message Queuing Service;c:\windows\System32\mqsv32.exe --> c:\windows\System32\mqsv32.exe [?]
S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [13/12/2009 09:24 10122]
S3 DbusAudio;DbusAudio;c:\windows\system32\drivers\DbusAudio.sys [28/12/2009 17:34 23096]
S3 EN1207D;Accton EN1207D/2242A Adapter Driver;c:\windows\system32\drivers\ACC07D.sys [09/07/2001 15:57 23661]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [27/12/2009 19:36 23096]
S3 notecable;NoteCable Driver (WDM);c:\windows\System32\drivers\notcable.sys --> c:\windows\System32\drivers\notcable.sys [?]
S3 pctplfw;pctplfw;\??\c:\windows\system32\drivers\pctplfw.sys --> c:\windows\system32\drivers\pctplfw.sys [?]
S3 rsvcdwdr;rsvcdwdr;c:\windows\system32\drivers\rsvcdwdr.sys [28/12/2009 15:42 25120]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S3 ScratchAmp;ScratchAmp Driver (ScratchAmp.sys);c:\windows\system32\drivers\ScratchAmp.sys [05/01/2010 10:19 22912]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/02/2010 16:51 337800]
S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]
2010-01-30 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-12-15 13:13]
c:\windows\Tasks\zuluSevenDaysInit.job
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = ;<local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - Sign In
IE: Keyword Density
IE: Link Popularity
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?8d06aa4bc5444d8ea8fea09c27556402
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?8d06aa4bc5444d8ea8fea09c27556402
IE: Position Reporter
IE: SE Optimizer
IE: SE Submission
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Handler: DirectDVD - {85A81A02-336B-43FF-998B-FE8E194FBA4D} - c:\windows\system32\DirectDVDProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-02-13 20:08
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\0ECC3A43B9416605BEB3AE7E61B07718]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(900)
c:\windows\System32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'lsass.exe'(956)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\System32\wdfmgr.exe
c:\windows\System32\UAService7.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-02-13 20:17:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-13 20:17
Pre-Run: 8,755,236,864 bytes free
Post-Run: 10,632,888,320 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - BD8EB5CB5CDBF8061305C2D38FAC7FE6
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37:28, on 13/02/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Welcome to Internet Explorer 6.0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\Msdxm6.ocx
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dumps_startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\BookWorm\Images\armhelper.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)
--
End of file - 7366 bytes
Thanks for all your help with this!
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
c:\windows\system32\drivers\ivlxc.sys
c:\windows\system32\Ole32drv.DLL
c:\windows\system32\ezsidmv.dat
c:\windows\system32\drivers\kgpfr2.cfg
c:\windows\system32\drivers\kgpcpy.cfg
Folder::
Driver::
nullcd
Registry::
RegLockDel::
MIA::
c:\windows\System32\wscntfy.exe
c:\windows\System32\xmlprov.dll
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
Today's Logs
<<COMBO-FIX>>
ComboFix 10-02-12.01 - INTERNET ONLY 14/02/2010 10:23:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.735.454 [GMT 0:00]
Running from: c:\documents and settings\INTERNET ONLY\My Documents\dowloads\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\INTERNET ONLY\My Documents\CFScript.txt
FILE ::
"c:\windows\system32\drivers\ivlxc.sys"
"c:\windows\system32\drivers\kgpcpy.cfg"
"c:\windows\system32\drivers\kgpfr2.cfg"
"c:\windows\system32\ezsidmv.dat"
"c:\windows\system32\Ole32drv.DLL"
.
/wow section - STAGE 4
'play.lnk' is not recognized as an internal or external command
'Malware' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
'Malware' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
'play.lnk' is not recognized as an internal or external command
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\Drivers\ivlxc.sys
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\drivers\kgpfr2.cfg
c:\windows\system32\ezsidmv.dat
c:\windows\system32\Ole32drv.DLL
c:\windows\System32\wscntfy.exe . . . is missing!!
c:\windows\System32\xmlprov.dll . . . is missing!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_nullcd
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.
2010-02-13 19:29 . 2010-02-13 19:29 -------- d-----w- c:\program files\Bullfrog
2010-02-13 15:46 . 2010-02-13 15:46 -------- d-----w- c:\program files\Sophos
2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com
2010-02-13 14:20 . 2010-02-13 14:20 -------- d-----w- c:\program files\Trend Micro
2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Malwarebytes
2010-02-13 09:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-13 09:39 . 2010-01-07 16:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 12:28 . 2010-02-12 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2010-02-12 12:25 . 2010-02-12 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-02-12 12:24 . 2010-02-13 19:35 -------- d-----w- c:\program files\Alawar
2010-02-12 12:14 . 2010-02-12 12:16 -------- d-----w- c:\program files\EzGenerator3
2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\windows\system32\aspi
2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\program files\intelliScore Ensemble
2010-02-11 15:46 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Absolutist
2010-02-11 15:02 . 2009-04-06 11:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2010-02-11 15:02 . 2009-02-10 16:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2010-02-11 15:02 . 2009-02-18 17:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2010-02-11 15:02 . 2010-02-11 15:02 -------- d-----w- c:\program files\Agnitum
2010-02-11 15:01 . 2010-02-11 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2010-02-11 14:55 . 2010-02-11 14:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OnlineArmor
2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-02-11 14:55 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-02-11 14:55 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-02-11 14:55 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\program files\Tall Emu
2010-02-11 12:14 . 2010-02-11 12:14 -------- d-----w- c:\program files\Uniblue
2010-02-11 10:44 . 2002-08-29 01:32 57856 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-02-11 10:44 . 2002-08-29 01:32 57856 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-02-11 10:44 . 2002-08-29 02:01 134272 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-02-11 10:44 . 2002-08-29 02:01 134272 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-02-11 09:18 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-11 09:18 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-11 09:18 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-11 09:17 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-11 09:17 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-11 09:17 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-11 09:17 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-11 09:17 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-10 21:16 . 2010-02-11 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-10 21:16 . 2010-02-10 21:16 -------- d-----w- c:\program files\Alwil Software
2010-02-10 16:49 . 2010-02-10 16:51 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2010-02-10 16:49 . 2007-12-10 14:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2010-02-10 16:49 . 2007-12-10 14:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2010-02-10 16:49 . 2007-12-10 14:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2010-02-10 16:49 . 2010-02-11 16:33 -------- d-----w- c:\program files\Spyware Doctor
2010-02-10 16:49 . 2010-02-10 16:49 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\PC Tools
2010-02-10 16:25 . 2010-02-10 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-10 16:19 . 2010-02-10 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-10 11:39 . 2010-02-10 11:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-10 11:30 . 2010-02-10 11:30 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-02-10 11:05 . 2010-02-10 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-02-10 11:03 . 2010-02-10 11:03 -------- d-----w- c:\program files\Common Files\iS3
2010-02-10 11:03 . 2010-02-10 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-09 18:30 . 2010-02-09 18:30 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\skypePM
2010-02-09 18:25 . 2010-02-09 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-09 10:22 . 2010-02-10 15:55 -------- d-----w- c:\program files\WNAS
2010-02-08 14:23 . 2009-08-06 19:24 209632 ----a-w- c:\windows\system32\wuweb.dll
2010-02-08 14:23 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-08 14:23 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-05 08:53 . 2010-02-05 08:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Sony
2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Publish Providers
2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NetMedia Providers
2010-02-04 14:09 . 2010-02-04 14:09 -------- d-----w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\Sony
2010-02-03 18:29 . 2010-02-03 18:42 -------- d-----w- c:\program files\FreeGamePick.com
2010-02-02 13:56 . 2004-02-25 18:19 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_9.dll
2010-02-02 13:56 . 2004-01-15 12:41 65536 ----a-w- c:\windows\system32\NI_DFD_1_2_8.dll
2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_7.dll
2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD.dll
2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_KOMPAKT.dll
2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_4.dll
2010-02-02 13:56 . 2004-06-07 13:18 258048 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-02-01 19:31 . 2010-02-01 19:31 -------- d-----w- c:\program files\Total War
2010-02-01 08:40 . 2010-02-01 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\East West
2010-01-31 18:42 . 2010-01-31 18:42 -------- d-----w- c:\program files\Stringer
2010-01-31 18:40 . 2002-09-03 16:46 323072 ------w- c:\windows\system32\msvcrt.dll
2010-01-31 18:39 . 2010-01-31 18:40 -------- d-----w- c:\windows\speech
2010-01-31 18:39 . 2010-01-31 18:39 -------- d-----w- c:\program files\VoiceMX
2010-01-31 18:39 . 2001-10-13 23:48 28672 ----a-w- c:\windows\system32\SmartMenuXP.dll
2010-01-26 11:59 . 2010-01-26 11:59 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\KORG
2010-01-25 20:04 . 2010-01-25 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\KORG
2010-01-25 16:10 . 2010-01-25 16:10 -------- d-----w- c:\program files\Audacity
2010-01-25 15:23 . 2010-01-25 15:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-23 10:57 . 2003-11-12 23:38 510976 ----a-w- c:\windows\system32\synsoacc.dll
2010-01-19 12:52 . 2010-02-03 14:00 -------- d-----w- c:\program files\bfgclient
2010-01-19 12:52 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-01-18 21:54 . 2010-01-18 21:54 -------- d-----w- c:\program files\DatawareGames
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 10:39 . 2002-08-13 23:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-14 10:37 . 2009-11-20 16:51 857 --sha-w- c:\windows\system32\mmf.sys
2010-02-13 19:36 . 2010-01-05 10:18 -------- d-----w- c:\program files\Native Instruments
2010-02-13 16:03 . 2010-01-09 20:06 2464 ----a-w- c:\program files\Absynth 1.3 prefs.ini
2010-02-13 15:45 . 2010-02-13 15:45 52224 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-13 15:44 . 2010-02-13 15:44 117760 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-13 15:44 . 2009-09-26 16:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-11 16:49 . 2009-12-15 08:16 -------- d-----w- c:\program files\Registry Easy
2010-02-11 12:16 . 2009-09-18 17:19 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Uniblue
2010-02-10 22:28 . 2008-01-27 00:09 -------- d-----w- c:\program files\CROSS
2010-02-10 22:25 . 2009-09-16 11:36 141192 ----a-w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 16:08 . 2009-09-18 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-10 15:33 . 2008-01-19 22:08 -------- d-----w- c:\program files\Java
2010-02-09 21:14 . 2007-03-28 15:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-09 21:13 . 2010-01-08 20:58 -------- d-----w- c:\program files\Sony
2010-02-09 16:46 . 2009-04-19 19:16 -------- d-----w- c:\program files\LG PC Suite II
2010-02-04 14:06 . 2010-01-08 20:57 -------- d-----w- c:\program files\Sony Setup
2010-02-01 20:04 . 2009-08-14 19:05 1575 -c--a-w- c:\windows\eReg.dat
2010-02-01 08:55 . 2010-01-04 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2010-01-24 18:00 . 2009-12-10 09:53 48 ----a-w- c:\windows\msocreg32.dat
2010-01-18 20:29 . 2007-12-14 16:20 -------- d-----w- c:\program files\Xara
2010-01-18 20:29 . 2007-03-27 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Auslogics
2010-01-12 21:44 . 2010-01-12 21:44 -------- d-----w- c:\program files\FDF
2010-01-11 12:01 . 2007-08-08 21:24 -------- d-----w- c:\program files\Image-Line
2010-01-10 21:07 . 2010-01-10 21:07 -------- d-----w- c:\program files\Pro-53
2010-01-10 18:44 . 2010-01-10 18:39 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-01-10 18:31 . 2010-01-10 18:31 -------- d-----w- c:\program files\Tone2
2010-01-10 18:27 . 2010-01-10 18:27 -------- d-----w- c:\program files\ASIO4ALL v2
2010-01-09 18:01 . 2009-12-10 09:38 -------- d-----w- c:\program files\IK Multimedia
2010-01-09 18:01 . 2010-01-09 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\IK Multimedia
2010-01-09 15:12 . 2010-01-09 15:12 -------- d-----w- c:\program files\Absynth 1.3
2010-01-05 22:19 . 2010-01-01 12:55 -------- d-----w- c:\program files\Google
2010-01-05 12:40 . 2010-01-05 12:37 -------- d-----w- c:\program files\Waves
2010-01-04 16:18 . 2010-01-04 16:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-04 16:12 . 2010-01-04 16:12 -------- d-----w- c:\program files\InterLok
2010-01-04 16:10 . 2010-01-04 16:10 -------- d-----w- c:\program files\delaydots
2010-01-04 11:16 . 2010-01-04 11:08 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
2010-01-02 13:16 . 2009-12-31 08:37 -------- d-----w- c:\program files\SWiSH Max2
2010-01-02 13:16 . 2009-12-29 12:06 -------- d-----w- c:\program files\NCH Swift Sound
2010-01-01 20:09 . 2007-04-07 16:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-01 20:06 . 2009-12-30 11:12 -------- d-----w- c:\program files\AnvSoft Web FLV Player Free
2009-12-31 08:52 . 2009-12-31 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SWiSHMax2WorkFolder
2009-12-31 08:38 . 2009-12-31 08:38 -------- d-----w- c:\program files\Common Files\SWiSHzone.com
2009-12-30 10:19 . 2009-12-30 10:17 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\itsourtree
2009-12-30 09:36 . 2009-12-30 09:36 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Family Tree Pilot
2009-12-30 08:17 . 2009-12-29 18:59 -------- d-----w- c:\program files\MyHeritage
2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\MyHeritage
2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MyHeritage
2009-12-29 14:56 . 2009-12-29 09:56 -------- d-----w- c:\program files\Super Internet TV
2009-12-29 14:56 . 2009-12-28 14:08 -------- d-----w- c:\program files\RapidSolution
2009-12-29 14:55 . 2009-12-27 19:30 -------- d-----w- c:\program files\NCH Software
2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Software
2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-12-29 12:08 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Swift Sound
2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OverDrive
2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\program files\OverDrive Media Console
2009-12-28 18:19 . 2009-12-28 17:55 -------- d-----w- c:\program files\NoteCable
2009-12-28 17:56 . 2009-12-28 17:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NoteCable
2009-12-28 15:22 . 2009-12-28 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\RapidSolution
2009-12-28 14:29 . 2009-12-28 13:46 -------- d-----w- c:\program files\Mp3 Convert Master
2009-12-28 14:28 . 2009-12-28 13:36 -------- d-----w- c:\program files\MP3 Convert Lord
2009-12-28 14:11 . 2009-12-28 14:11 476512 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
2009-12-28 14:11 . 2009-12-28 14:11 169312 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
2009-12-28 14:11 . 2009-12-28 14:11 128352 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
2009-12-28 14:11 . 2009-12-28 14:11 99680 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
2009-12-28 14:11 . 2009-12-28 14:11 230752 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
2009-12-28 14:11 . 2009-12-28 14:11 120160 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
2009-12-28 14:11 . 2009-12-28 14:11 87392 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
2009-12-28 14:11 . 2009-12-28 14:11 140640 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
2009-12-28 13:53 . 2009-12-28 13:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AccurateRip
2009-12-28 13:52 . 2008-01-07 00:52 5640880 -c--a-w- c:\windows\system32\SpoonUninstall.exe
2009-12-28 13:26 . 2009-10-20 12:59 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-27 20:51 . 2009-12-27 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
2009-12-27 19:46 . 2009-12-27 19:46 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AVS4YOU
2009-12-27 19:25 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-23 23:22 . 2009-12-23 23:21 -------- d-----w- c:\documents and settings\DVD\Application Data\.clamwin
2009-12-23 22:59 . 2009-12-23 22:59 53 ----a-w- c:\windows\DelToolbox.bat
2009-12-22 16:50 . 2009-12-22 16:50 -------- d-----w- c:\program files\SynthEdit
2009-12-21 14:34 . 2009-12-28 15:42 25120 ----a-w- c:\windows\system32\drivers\rsvcdwdr.sys
2009-12-21 14:34 . 2009-12-21 14:34 27168 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
2009-12-11 10:15 . 2009-12-11 10:09 720896 ----a-w- c:\windows\iun6002.exe
2009-12-02 13:56 . 2009-12-02 13:56 92792 ----a-w- c:\windows\system32\drivers\tpkd.sys
2009-12-02 13:51 . 2009-12-02 13:51 54328 ----a-w- c:\windows\system32\drivers\iLokDrvr.sys
2009-12-02 12:03 . 2009-12-02 12:03 0 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\GUIcommon.dll
2009-11-27 18:23 . 2009-11-27 18:22 5394440 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\Blitware\DriverRobot\updates\1.2.0.1\DriverRobot_Setup.exe
2009-11-20 16:41 . 2009-11-20 16:41 49152 ----a-w- c:\windows\mmfs.dll
2009-11-20 16:41 . 2009-11-20 16:41 2560 ----a-w- c:\windows\Runservice.exe
2009-11-19 16:52 . 2009-12-28 17:34 23096 ----a-w- c:\windows\system32\drivers\DbusAudio.sys
2009-11-19 16:43 . 2007-04-07 15:33 30 -c--a-w- c:\windows\popcinfo.dat
2009-11-19 16:34 . 2009-12-27 19:36 23096 ----a-w- c:\windows\system32\drivers\MusCAudio.sys
.
------- Sigcheck -------
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-02-10 1107848]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-03 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"link"= 00000000
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi3"=usbmn1x1.dll
"midi4"=usbmn1x1.dll
"midi7"=usbmn1x1.dll
"midi8"=usbmn1x1.dll
"midi9"=usbmn1x1.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/02/2010 09:18 162512]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/02/2010 15:02 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/02/2010 15:02 1195008]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [20/11/2009 16:41 2560]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/02/2010 16:51 337800]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/02/2010 15:02 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/02/2010 15:02 257432]
R3 cdiport;cdiport;c:\windows\system32\drivers\cdiport.sys [08/04/2007 22:30 72064]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
R3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys [03/01/2010 10:40 5664]
R3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys [03/01/2010 10:39 23328]
S2 MSMQSVC;Message Queuing Service;c:\windows\System32\mqsv32.exe --> c:\windows\System32\mqsv32.exe [?]
S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [13/12/2009 09:24 10122]
S3 DbusAudio;DbusAudio;c:\windows\system32\drivers\DbusAudio.sys [28/12/2009 17:34 23096]
S3 EN1207D;Accton EN1207D/2242A Adapter Driver;c:\windows\system32\drivers\ACC07D.sys [09/07/2001 15:57 23661]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [27/12/2009 19:36 23096]
S3 notecable;NoteCable Driver (WDM);c:\windows\System32\drivers\notcable.sys --> c:\windows\System32\drivers\notcable.sys [?]
S3 pctplfw;pctplfw;\??\c:\windows\system32\drivers\pctplfw.sys --> c:\windows\system32\drivers\pctplfw.sys [?]
S3 rsvcdwdr;rsvcdwdr;c:\windows\system32\drivers\rsvcdwdr.sys [28/12/2009 15:42 25120]
S3 ScratchAmp;ScratchAmp Driver (ScratchAmp.sys);c:\windows\system32\drivers\ScratchAmp.sys [05/01/2010 10:19 22912]
S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
2010-02-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]
2010-01-30 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-12-15 13:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=KZdBalJOEowZgHW.. FBEFA
uInternet Connection Wizard,ShellNext = hxxp://www.savewealth.com/support/ie6/welcome.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - Sign In
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Handler: DirectDVD - {85A81A02-336B-43FF-998B-FE8E194FBA4D} - c:\windows\system32\DirectDVDProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{081230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
HKCU-Run-FAST Defrag - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-02-14 10:40
Windows 5.1.2600 Service Pack 1 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
"1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
c2
"2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
76,64,10,04,f0,92,77,f9,20
"3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\0ECC3A43B9416605BEB3AE7E61B07718]
"1"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
1a,42,2c,55,e0,34,81,ae,ca
"2"=hex:14,ce,87,8d,79,74,ee,b2
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8, a4,fc,b2,a0,c4,0f,9f,bf,5f,
2d,98,42,c1,23,08,65,81,7e,37,62,bf,dc,f3,71,e2,a0
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(900)
c:\windows\System32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'lsass.exe'(956)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(404)
c:\windows\System32\SHDOCVW.dll
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\System32\wdfmgr.exe
c:\windows\System32\UAService7.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-02-14 10:50:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-14 10:50
ComboFix2.txt 2010-02-13 20:17
Pre-Run: 10,640,949,248 bytes free
Post-Run: 10,612,191,232 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 24B951E710783CF2BAE527955D923551
<<HIJACK THIS>>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:12, on 14/02/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Welcome to Internet Explorer 6.0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\Msdxm6.ocx
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dumps_startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\BookWorm\Images\armhelper.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)
--
End of file - 7217 bytes
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Double-click SystemLook.exe to run it.
- Vista users: Right click on SystemLook.exe, click Run As Administrator
- Copy the content of the following box into the main textfield:
Code:
:filefind
wscntfy.exe
xmlprov.dll
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Hi Broni, this is the log from system look
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:26 on 15/02/2010 by INTERNET ONLY (Administrator - Elevation successful)
========== filefind ==========
Searching for "wscnthy.exe"
No files found.
Searching for "xmlprov.dll"
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll --a--- 129536 bytes [07:56 04/08/2004] [07:56 04/08/2004] EEF46DAB68229A14DA3D8E73C99E2959
-=End Of File=-
Attached is zipped wscntfy.exe file. Unzip it and paste wscntfy.exe file into c:\windows\System32 folder.
Then.....
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::

Folder::

Driver::

Fcopy::
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll | c:\windows\System32\xmlprov.dll

Registry::

RegLockDel::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
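The two steps above (the SystemLook :filefind search for wscntfy.exe and xmlprov.dll, then the ComboFix FCopy that restores xmlprov.dll into System32 from the SoftwareDistribution cache) can be reproduced and checked with a short script. The following is an added example, not code from the thread, SystemLook or ComboFix: it walks a directory tree for the named files and reports size, timestamp and MD5 the way the SystemLook log does, and it only performs the copy when the candidate file's MD5 matches a known-good reference hash, keeping a .bak of anything it overwrites. The directory layout, file contents and reference hash in demo() are constructed stand-ins; on a real machine the reference hash would come from a trusted source (for this thread, the MD5 printed in the SystemLook log), never from the candidate file itself.

```python
"""Emulate SystemLook's :filefind and a hash-verified ComboFix-style FCopy.
Added example with constructed fixtures; it does not touch a real Windows tree."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime


def md5_of(path, chunk=65536):
    """Return the uppercase MD5 hex digest of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def filefind(root, names):
    """Case-insensitive search for each file name under root, like :filefind.
    Returns {name: [(path, size_bytes, mtime, md5), ...]}; empty list = not found."""
    wanted = {n.lower(): n for n in names}
    hits = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in wanted:
                p = os.path.join(dirpath, f)
                st = os.stat(p)
                hits[wanted[f.lower()]].append(
                    (p, st.st_size, datetime.fromtimestamp(st.st_mtime), md5_of(p))
                )
    return hits


def fcopy_verified(src, dst, expected_md5):
    """Copy src to dst only if src's MD5 equals expected_md5 (case-insensitive).
    Any existing dst is preserved as dst + '.bak' so the change can be undone.
    Returns True when the copy happened, False when the hash did not match."""
    if md5_of(src) != expected_md5.upper():
        return False
    if os.path.exists(dst):
        shutil.copy2(dst, dst + ".bak")
    shutil.copy2(src, dst)
    return True


def demo():
    """Constructed fixture mirroring the thread: cached xmlprov.dll present,
    wscntfy.exe absent. Returns a dict of outcomes for inspection."""
    root = tempfile.mkdtemp(prefix="fakewin_")
    cache = os.path.join(root, "WINDOWS", "SoftwareDistribution", "Download", "cache_dir_placeholder")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(cache)
    os.makedirs(sys32)

    # Constructed bytes standing in for the DLL; the reference hash is derived
    # from a separate trusted copy, which is what a real check would use.
    reference_bytes = b"constructed stand-in for xmlprov.dll\n"
    known_good = hashlib.md5(reference_bytes).hexdigest().upper()
    cached = os.path.join(cache, "xmlprov.dll")
    with open(cached, "wb") as fh:
        fh.write(reference_bytes)

    found = filefind(root, ["wscntfy.exe", "xmlprov.dll"])
    target = os.path.join(sys32, "xmlprov.dll")
    restored = fcopy_verified(cached, target, known_good)
    # A second attempt with a non-matching hash must be refused.
    refused = not fcopy_verified(cached, target, "0" * 32)
    result = {
        "wscntfy_hits": len(found["wscntfy.exe"]),
        "xmlprov_hits": len(found["xmlprov.dll"]),
        "restored": restored,
        "rejected_bad_hash": refused,
        "in_system32": os.path.exists(target),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash gate is the part worth keeping in mind: the SoftwareDistribution cache is just a download folder, so a file found there is only a good restore candidate once its hash matches a copy known to be clean.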