XP Smart Security malware/virus

  1. #1
    zulander (Junior Member)

    XP Smart Security malware/virus

    Somehow got on my machine despite Kaspersky's best attempts.
    The process is listed as ave.exe; it loads up and lists the PC state as infected, pops up in the system tray saying there is a security breach, and Firefox, Chrome and IE don't want to load. Thanks for any help.

    Hijack This log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 20:07:53, on 16/03/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\windows\system32\wuaucldt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Zoom Wireless-G USB\WLANUTL.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Chris\Local Settings\Application Data\ave.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Hijack This\TrendMicro\HiJackThis\HiJackThis.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Sky.com - your home for the latest news, sport and entertainment
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sky.com - your home for the latest news, sport and entertainment
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    F2 - REG:system.ini: Shell=
    F2 - REG:system.ini: UserInit=
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
    O2 - BHO: (no name) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - (no file)
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [syncman] c:\documents and settings\chris\wuaucldt.exe
    O4 - HKUS\S-1-5-21-1844237615-2139871995-725345543-1003\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (User '?')
    O4 - HKUS\S-1-5-21-1844237615-2139871995-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1844237615-2139871995-725345543-1003\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
    O4 - HKUS\S-1-5-21-1844237615-2139871995-725345543-1003\..\Run: [syncman] c:\documents and settings\chris\wuaucldt.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - (no file)
    O9 - Extra button: (no name) - {4248FE82-7FCB-46AC-B270-339F08212110} - (no file)
    O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
    O9 - Extra button: (no name) - {CCF151D8-D089-449F-A5A4-D9909053F20F} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - (no file)
    O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
    O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)
    O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)
    O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
    O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
    O18 - Filter hijack: deflate - (no CLSID) - (no file)
    O18 - Filter hijack: gzip - (no CLSID) - (no file)
    O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
    O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
    O18 - Filter hijack: text/xml - (no CLSID) - (no file)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - (no file)
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - (no file)
    O23 - Service: Application Layer Gateway Service (ALG) - - (no file)
    O23 - Service: Application Management (AppMgmt) - - (no file)
    O23 - Service: ASP.NET State Service (aspnet_state) - - (no file)
    O23 - Service: Ati HotKey Poller - - (no file)
    O23 - Service: ATI Smart - - (no file)
    O23 - Service: Windows Audio (AudioSrv) - - (no file)
    O23 - Service: Kaspersky Internet Security (AVP) - - (no file)
    O23 - Service: Background Intelligent Transfer Service (BITS) - - (no file)
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - - (no file)
    O23 - Service: Computer Browser (Browser) - - (no file)
    O23 - Service: Indexing Service (CiSvc) - - (no file)
    O23 - Service: COM+ System Application (COMSysApp) - - (no file)
    O23 - Service: Cryptographic Services (CryptSvc) - - (no file)
    O23 - Service: DCOM Server Process Launcher (DcomLaunch) - - (no file)
    O23 - Service: DHCP Client (Dhcp) - - (no file)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - - (no file)
    O23 - Service: Logical Disk Manager (dmserver) - - (no file)
    O23 - Service: DNS Client (Dnscache) - - (no file)
    O23 - Service: Wired AutoConfig (Dot3svc) - - (no file)
    O23 - Service: Extensible Authentication Protocol Service (EapHost) - - (no file)
    O23 - Service: Error Reporting Service (ERSvc) - - (no file)
    O23 - Service: Event Log (Eventlog) - - (no file)
    O23 - Service: COM+ Event System (EventSystem) - - (no file)
    O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - - (no file)
    O23 - Service: Health Key and Certificate Management Service (hkmsvc) - - (no file)
    O23 - Service: HTTP SSL (HTTPFilter) - - (no file)
    O23 - Service: InstallDriver Table Manager (IDriverT) - - (no file)
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - - (no file)
    O23 - Service: iPod Service - - (no file)
    O23 - Service: Infrared Monitor (Irmon) - - (no file)
    O23 - Service: Server (lanmanserver) - - (no file)
    O23 - Service: Workstation (lanmanworkstation) - - (no file)
    O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - - (no file)
    O23 - Service: Distributed Transaction Coordinator (MSDTC) - - (no file)
    O23 - Service: Windows Installer (MSIServer) - - (no file)
    O23 - Service: Network Access Protection Agent (napagent) - - (no file)
    O23 - Service: Net Logon (Netlogon) - - (no file)
    O23 - Service: Network Connections (Netman) - - (no file)
    O23 - Service: Network Location Awareness (NLA) (Nla) - - (no file)
    O23 - Service: NetLimiter (nlsvc) - - (no file)
    O23 - Service: NT LM Security Support Provider (NtLmSsp) - - (no file)
    O23 - Service: Removable Storage (NtmsSvc) - - (no file)
    O23 - Service: Office Source Engine (ose) - - (no file)
    O23 - Service: Plug and Play (PlugPlay) - - (no file)
    O23 - Service: IPSEC Services (PolicyAgent) - - (no file)
    O23 - Service: Protected Storage (ProtectedStorage) - - (no file)
    O23 - Service: Remote Access Auto Connection Manager (RasAuto) - - (no file)
    O23 - Service: Remote Access Connection Manager (RasMan) - - (no file)
    O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - - (no file)
    O23 - Service: Remote Registry (RemoteRegistry) - - (no file)
    O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - - (no file)
    O23 - Service: Remote Procedure Call (RPC) (RpcSs) - - (no file)
    O23 - Service: QoS RSVP (RSVP) - - (no file)
    O23 - Service: Security Accounts Manager (SamSs) - - (no file)
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - - (no file)
    O23 - Service: Task Scheduler (Schedule) - - (no file)
    O23 - Service: Secondary Logon (seclogon) - - (no file)
    O23 - Service: System Event Notification (SENS) - - (no file)
    O23 - Service: ServiceLayer - - (no file)
    O23 - Service: Shell Hardware Detection (ShellHWDetection) - - (no file)
    O23 - Service: Print Spooler (Spooler) - - (no file)
    O23 - Service: System Restore Service (srservice) - - (no file)
    O23 - Service: SSDP Discovery Service (SSDPSRV) - - (no file)
    O23 - Service: Windows Image Acquisition (WIA) (stisvc) - - (no file)
    O23 - Service: MS Software Shadow Copy Provider (SwPrv) - - (no file)
    O23 - Service: Performance Logs and Alerts (SysmonLog) - - (no file)
    O23 - Service: Telephony (TapiSrv) - - (no file)
    O23 - Service: Terminal Services (TermService) - - (no file)
    O23 - Service: Themes - - (no file)
    O23 - Service: Distributed Link Tracking Client (TrkWks) - - (no file)
    O23 - Service: Universal Plug and Play Device Host (upnphost) - - (no file)
    O23 - Service: Volume Shadow Copy (VSS) - - (no file)
    O23 - Service: Windows Time (W32Time) - - (no file)
    O23 - Service: WebClient - - (no file)
    O23 - Service: Windows Management Instrumentation (winmgmt) - - (no file)
    O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - - (no file)
    O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - - (no file)
    O23 - Service: WMI Performance Adapter (WmiApSrv) - - (no file)
    O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - - (no file)
    O23 - Service: Security Center (wscsvc) - - (no file)
    O23 - Service: Automatic Updates (wuauserv) - - (no file)
    O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - - (no file)
    O23 - Service: Wireless Zero Configuration (WZCSVC) - - (no file)
    O23 - Service: Network Provisioning Service (xmlprov) - - (no file)
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 13412 bytes

    Uninstall log:

    3ivx D4 4.5.1 (remove only)
    7digital Locker 1.1
    7-Zip 4.42
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe After Effects CS3 Presets
    Adobe AIR
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Recommended Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Extra Settings
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe Media Player
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 7.0.5
    Adobe Setup
    Adobe SING CS3
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Video Profiles
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    Advanced Uninstaller PRO 2005 - version 7
    AHV content for Acrobat and Flash
    Apple Mobile Device Support
    Apple Software Update
    Athlon 64 Processor Driver
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Avi2Dvd 0.5
    AviSynth 2.5
    Call of Juarez
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon G.726 WMP-Decoder
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities PhotoStitch
    Canon Utilities ZoomBrowser EX
    CCleaner (remove only)
    Combined Community Codec Pack 2006-12-15
    Company of Heroes
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    CureROM Pro 2.0.2
    DivX Codec
    DivX Web Player
    DivxToDVD 0.5.2b
    DVD Shrink 3.2
    EA SPORTS online 2007
    Easy CD-DA Extractor 12
    Far Cry
    ffdshow [beta 1] [2006-12-11]
    FIFA 07
    Football Manager 2006
    Free CD Ripper 3.1
    Free Download Manager 2.5
    Google Earth
    GTA San Andreas
    HiJackThis
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    iPod for Windows 2005-09-23
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Kaspersky Internet Security 2010
    Kaspersky Internet Security 2010
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Press Readiness Review Suite 70-271
    Microsoft User-Mode Driver Framework Feature Pack 1.5
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.8)
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Natural Color
    Nero 6 Ultra Edition
    NetLimiter 2 Monitor (remove only)
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia PC Suite
    NVIDIA Drivers
    Oblivion
    Oblivion - Knights of the Nine
    Oblivion - Mehrunes Razor
    Oblivion - Spell Tomes
    Oblivion - Vile Lair
    Oblivion - Wizard's Tower
    PC Connectivity Solution
    PDF Settings
    PeerGuardian 2.0
    PowerDVD
    PowerQuest PartitionMagic 8.0
    Prince of Persia The Sands of Time
    Pro Evolution Soccer 4
    QuickTime
    Real Alternative 1.50
    Realtek AC'97 Audio
    Sapphire TRIXX
    SD4Blocker for fm
    SD4Blocker for XIII
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    Segoe UI
    Sensible Soccer 2006
    SigmaTel MSCN Audio Player
    SiSoftware Sandra Lite XIIc
    Sky Broadband
    Sony Ericsson PC Suite
    Spotify
    TestOut Products
    The Battle for Middle-earth (tm) II
    Thief - Deadly Shadows
    Transcender Test Engine
    Transcender: Exam Cert-70-270
    Transcender: Exam Cert-70-271
    TreeSize Free V2.2.1
    Unreal Tournament 2004
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update Service
    VLC media player 1.0.1
    WinAce Archiver
    Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
    Windows Driver Package - Nokia Modem (02/15/2007 3.1)
    Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Service Pack 3
    XIII
    Xvid 1.2.1 final uninstall
    Zoom Wireless-G USB

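A practitioner reading a log like the one above triages it with a few mechanical rules before reading every line. The script below is an added example (not HijackThis output and not the poster's own code) that runs four such heuristics over a constructed subset of the log: executables launched from a per-user profile directory, names within one edit of a genuine Windows system binary (wuaucldt.exe beside the real wuauclt.exe), built-in admin tools placed in a Run key, and O15 zone downgrades. The allow-list of system names, the admin-tool list, the edit-distance threshold and the rule names are assumptions chosen for this example.

```python
"""Heuristic triage of a HijackThis log. Added example: not HijackThis output
and not the poster's own code. The rule set, the allow-list of system binary
names and the edit-distance threshold are assumptions made for this example."""
import re

# Constructed sample: a subset of the "Running processes", O4 and O15 lines
# from the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system32\wuaucldt.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\ave.exe
C:\Program Files\PeerGuardian2\pg2.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [syncman] c:\documents and settings\chris\wuaucldt.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
"""

# Genuine Windows XP system binaries (assumed reference list for this example).
# A name one edit away from one of these, but not one of these, is the trick
# seen above: wuaucldt.exe beside the real Automatic Updates client wuauclt.exe.
KNOWN_SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "wuauclt.exe",
    "userinit.exe", "rundll32.exe", "msiexec.exe",
}
# Built-in admin tools that rarely belong in a Run key (heuristic).
ADMIN_TOOLS = {"regedit.exe", "cmd.exe", "reg.exe", "regsvr32.exe"}
# Anything under a per-user profile (All Users excluded) is writable without
# admin rights, which is where ave.exe and the HKCU syncman entry live.
PROFILE_PATH = re.compile(r"\\documents and settings\\(?!all users\\)[^\\]+\\", re.I)


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.rsplit("\\", 1)[-1].strip().lower()


def lookalike(name):
    """Return the system binary that `name` imitates, or None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_NAMES:
        return None
    for known in KNOWN_SYSTEM_NAMES:
        if levenshtein(name, known) <= 1:
            return known
    return None


def o4_target(line):
    """Launched path from an O4 line: the quoted part, or up to the first .exe."""
    rest = line.split("] ", 1)[1].strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", rest, re.I)
    return m.group(1) if m else rest


def check_target(path, line, findings, autorun):
    name = basename(path)
    if PROFILE_PATH.search(path):
        findings.append(("profile-path", line))
    if lookalike(name):
        findings.append(("lookalike", line))
    if autorun and name in ADMIN_TOOLS:
        findings.append(("admin-tool-autorun", line))


def triage(log_text):
    """Return a list of (rule, offending line) pairs for manual review."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False
        elif in_processes:
            check_target(line, line, findings, autorun=False)
        elif line.startswith("O4 - "):
            check_target(o4_target(line), line, findings, autorun=True)
        elif line.startswith("O15 - ") and "should be" in line:
            # Web protocols mapped into the My Computer zone get its permissive settings.
            findings.append(("zone-downgrade", line))
    return findings


def summarize(findings):
    counts = {}
    for rule, _line in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:20} {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The findings are review items, not verdicts: a legitimate per-user updater such as GoogleUpdate.exe under Local Settings\Application Data trips the profile-path rule just as ave.exe does, so the same value name appearing in both HKLM and HKCU with different targets (syncman above) is the stronger signal to check first.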
  2. #2
    broni (Senior Member)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  3. #3
    zulander (Junior Member)
    Thanks for your help, Broni.

    I'm posting this from the infected machine, which is a good sign, and I'm not getting any pop-ups. I had to run ComboFix a few times as it seemed to hang, but here's the log anyway.

    ComboFix log:

    ComboFix 10-03-16.05 - Chris 17/03/2010 20:26:35.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.634 [GMT 0:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Chris\Start Menu\Programs\Startup\monnwb32.exe
    .
    ---- Previous Run -------
    .
    c:\documents and settings\Chris\Application Data\avdrn.dat
    c:\documents and settings\Chris\Local Settings\Application Data\av.exe
    c:\documents and settings\Chris\Local Settings\Application Data\ave.exe
    c:\documents and settings\Chris\Local Settings\Temporary Internet Files\11I67S4.jpg
    c:\documents and settings\Chris\Local Settings\Temporary Internet Files\76YXG4TAG.jpg
    c:\documents and settings\Chris\Local Settings\Temporary Internet Files\m7H136X66.jpg
    c:\documents and settings\Chris\Local Settings\Temporary Internet Files\W8bl5qh8N.jpg
    c:\documents and settings\Chris\oashdihasidhasuidhiasdhiashdiuasdhasd
    c:\documents and settings\LocalService\Local Settings\Application Data\av.exe
    c:\documents and settings\LocalService\Local Settings\Application Data\ave.exe
    c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
    c:\windows\system32\lowsec
    c:\windows\system32\lowsec\local.ds
    c:\windows\system32\lowsec\user.ds
    c:\windows\system32\lowsec\user.ds.lll

    -- Previous Run --

    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys

    --------

    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
    .

    2010-03-16 20:06 . 2010-03-16 20:06 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-16 20:06 . 2010-03-16 20:06 -------- d-----w- c:\program files\Hijack This
    2010-03-16 19:54 . 2008-03-11 13:35 812344 ----a-w- C:\HJTInstall.exe
    2010-03-16 19:53 . 2010-03-16 19:53 -------- d-----w- c:\program files\Trend Micro
    2010-03-16 19:20 . 2010-03-16 19:20 203264 --sha-w- c:\documents and settings\Chris\Local Settings\Application Data\1191510367.dll
    2010-03-16 19:05 . 2010-03-16 19:05 51807 ----a-w- c:\windows\system32\wuaucldt.exe
    2010-03-16 19:05 . 2010-03-16 19:05 51807 ----a-w- c:\windows\system32\config\systemprofile\wuaucldt.exe
    2010-02-23 20:40 . 2010-02-23 20:40 -------- d-----w- c:\program files\vso

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-17 20:42 . 2005-11-13 01:34 -------- d-----w- c:\program files\PeerGuardian2
    2010-03-17 20:40 . 2004-08-04 12:00 98240 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2010-03-17 20:40 . 2009-09-06 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-03-17 19:11 . 2010-03-17 19:11 20 ----a-w- c:\documents and settings\NetworkService\Application Data\zxcdyt.dat
    2010-03-16 19:05 . 2010-03-16 19:05 16 ----a-w- c:\documents and settings\LocalService\Application Data\zxcdyt.dat
    2010-03-15 23:08 . 2009-09-11 19:54 -------- d-----w- c:\documents and settings\Chris\Application Data\vlc
    2010-03-15 22:11 . 2009-11-24 20:12 -------- d-----w- c:\documents and settings\Chris\Application Data\Spotify
    2010-03-15 22:06 . 2008-03-03 18:35 -------- d-----w- c:\documents and settings\Chris\Application Data\uTorrent
    2010-02-14 21:56 . 2010-02-14 21:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-14 21:50 . 2010-02-14 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
    2010-02-14 21:50 . 2010-02-14 21:50 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
    2010-02-04 18:24 . 2010-01-24 13:42 -------- d-----w- c:\program files\FreeCDRipper
    2009-09-06 11:58 . 2009-09-06 11:58 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
    "Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-29 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-28 344064]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-21 577536]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
    "syncman"="c:\windows\system32\wuaucldt.exe" [2010-03-16 51807]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2005-12-28 155715]
    Zoom Wireless-G USB.lnk - c:\program files\Zoom Wireless-G USB\WLANUTL.exe [2009-3-18 770048]

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
    "NoSMBalloonTip"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2008-07-22 19:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-07-30 09:47 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 09:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "UPS"=3 (0x3)
    "SCardSvr"=3 (0x3)
    "SandraTheSrv"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "iPod Service"=3 (0x3)
    "helpsvc"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)
    "CCALib8"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIIc\\Win32\\RpcDataSrv.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIIc\\RpcSandraSrv.exe"=
    "c:\\Program Files\\TESTOUT\\Cmi\\Navigator.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\PROGRA~1\\TESTOUT\\Cmi\\Navigator.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "51658:TCP"= 51658:TCP:utorrent port
    "56609:TCP"= 56609:TCP:utorrent

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [15/12/2008 19:41 33808]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29/12/2005 17:03 717296]
    R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23/04/2007 16:08 81688]
    R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [03/04/2008 18:59 31232]
    R1 TRIXX;TRIXX;c:\program files\TRIXX\TRIXXDriver.sys [16/08/2005 11:17 15360]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [13/05/2009 16:46 31760]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [16/05/2009 19:59 19472]
    R3 XG762NXP;Zoom 802.11g XG762 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [18/03/2009 21:25 519168]
    S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\Chris\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\Chris\LOCALS~1\Temp\iMSPCLOj.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PGFILTER
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

    2010-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-2139871995-725345543-1003Core.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-29 20:46]

    2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-2139871995-725345543-1003UA.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-29 20:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.sky.com/
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\od046o4e.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-syncman - c:\documents and settings\chris\wuaucldt.exe
    HKLM-Run-Regedit32 - c:\windows\system32\regedit.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-03-17 20:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\cch4E.tmp 32768 bytes
    c:\windows\TEMP\cch4F.tmp 32768 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):c3,b4,7e,a7,33,06,1b,5d,99,e0,eb,6b,7c,22,67,85,a4,e2,e3,17,81,
    b9,4a,21,44,74,2c,c6,c0,de,9e,2f,ec,10,43,4a,5e,e2,26,cb,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6fb154a4-c07f-4121-b008-717d71005357}]
    @Denied: (Full) (Everyone)
    "Model"=dword:000000e7
    "Therad"=dword:0000002b
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,c6,e1,ad,7a,a6,50,39,f2,c4,9f,27,cf,25,5d,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1476)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(7864)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\NetLimiter 2 Monitor\nlsvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\NetLimiter 2 Monitor\NLClient.exe
    c:\windows\SOUNDMAN.EXE
    c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-17 20:46:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-17 20:46

    Pre-Run: 6,667,153,408 bytes free
    Post-Run: 6,530,936,832 bytes free

    - - End Of File - - F5B1B1481128D8A0ABDA005C33F84830

  4. #4
    zulander is offline Junior Member
    I spoke too soon. Kaspersky is picking up attacks - not sure if it's managing to repel them. No pop-ups at the minute

    here's the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 21:16:19, on 17/03/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\windows\system32\wuaucldt.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\Zoom Wireless-G USB\WLANUTL.exe
    C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijack This\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sky.com - your home for the latest news, sport and entertainment
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [syncman] c:\documents and settings\chris\wuaucldt.exe
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: Zoom Wireless-G USB.lnk = ?
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment (file missing)
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://headintheclouds4eva.spaces.li...d/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188249745765
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8251 bytes

  5. #5
    broni is offline Senior Member
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\NetworkService\Application Data\zxcdyt.dat
    c:\documents and settings\LocalService\Application Data\zxcdyt.dat
    c:\docume~1\Chris\LOCALS~1\Temp\iMSPCLOj.sys
    c:\windows\TEMP\cch4E.tmp 
    c:\windows\TEMP\cch4F.tmp
    
    
    Folder::
    
    Driver::
    iMSPCLOj
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"=-
    
    
    RegLockDel::
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6fb154a4-c07f-4121-b008-717d71005357}]
    
    SecCenter::
    {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.

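Picking the entries for a CFScript like the one above means reading the ComboFix and HijackThis output for a few recurring signs: a binary running from a user-writable profile or temp folder, a file name one keystroke away from a genuine Windows binary (wuaucldt.exe against the real wuauclt.exe), Run values ComboFix lists without a file date/size, and Security Center or firewall values that silence the "protection is off" warnings. The Python below is an added example, not part of this thread and not code from ComboFix or HijackThis; the binary-name list and path patterns are assumptions chosen for the illustration, and the sample log lines are constructed in the shape of those posted here.

```python
"""Triage of ComboFix / HijackThis log lines (added example, not from the thread)."""
import re
from typing import Dict, List

# Windows XP system binaries; a near-miss spelling of one of these is a classic
# disguise (constructed short list for this example, not a full inventory).
KNOWN_SYSTEM_BINARIES = [
    "wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "explorer.exe", "winlogon.exe", "services.exe", "spoolsv.exe",
    "ctfmon.exe", "regedit.exe", "msiexec.exe", "notepad.exe",
]

# User-writable locations where autostart binaries and drivers rarely belong;
# matched against the lower-cased path (assumed patterns for this example).
USER_WRITABLE_PATTERNS = [
    r"\\documents and settings\\[^\\]+\\local settings\\application data\\",
    r"\\documents and settings\\[^\\]+\\application data\\",
    r"\\documents and settings\\[^\\]+\\local settings\\temp\\",
    r"\\docume~1\\[^\\]+\\locals~1\\temp\\",
    r"\\documents and settings\\[^\\]+\\[^\\]+$",  # file sitting in the profile root
    r"\\windows\\temp\\",
]

# (value name, numeric value) pairs that switch off or mute XP's own protection.
TAMPER_VALUES = {
    ("antivirusoverride", 1), ("firewalloverride", 1),
    ("disablemonitoring", 1), ("enablefirewall", 0),
}

PATH_RE = re.compile(r"([a-z]:\\[^\"\[\]>]+?\.(?:exe|sys|dll|tmp|dat))", re.I)
VALUE_RE = re.compile(r'^"(\w+)"\s*=\s*(?:dword:)?0*(\d+)')

# Constructed sample in the shape of the ComboFix "Reg Loading Points", driver and
# file-listing output and the HijackThis lines posted in this thread.
SAMPLE_LOG = r'''
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
"syncman"="c:\windows\system32\wuaucldt.exe" [2010-03-16 51807]
"Regedit32"="c:\windows\system32\regedit.exe" [BU]
"syncman"="c:\documents and settings\chris\wuaucldt.exe" [BU]
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"NoSMBalloonTip"= 1 (0x1)
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\Chris\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\Chris\LOCALS~1\Temp\iMSPCLOj.sys [?]
2010-03-16 19:20 . 2010-03-16 19:20 203264 --sha-w- c:\documents and settings\Chris\Local Settings\Application Data\1191510367.dll
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\ave.exe
'''

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(basename: str) -> str:
    """System binary this name is within two edits of (but not equal to), or ''."""
    if basename in KNOWN_SYSTEM_BINARIES:
        return ""
    for known in KNOWN_SYSTEM_BINARIES:
        if levenshtein(basename, known) <= 2:
            return known
    return ""

def triage_line(line: str) -> List[str]:
    """Reasons this log line deserves a second look (empty list: nothing seen)."""
    reasons: List[str] = []
    text = line.strip()
    m = PATH_RE.search(text)
    if m:
        path = m.group(1).lower()
        basename = path.rsplit("\\", 1)[-1]
        if any(re.search(p, path) for p in USER_WRITABLE_PATTERNS):
            reasons.append("runs from user-writable location: " + path)
        twin = lookalike_of(basename)
        if twin:
            reasons.append(f"name {basename} is a near-miss of {twin}")
        if "[BU]" in text:
            reasons.append("ComboFix lists no file date/size for this entry")
    v = VALUE_RE.match(text)
    if v and (v.group(1).lower(), int(v.group(2))) in TAMPER_VALUES:
        reasons.append(f"protection switched off or muted: {v.group(1)}={v.group(2)}")
    return reasons

def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged line (stripped) to its reasons."""
    found = ((l.strip(), triage_line(l)) for l in log.splitlines())
    return {line: rs for line, rs in found if rs}

def reasons_for(result: Dict[str, List[str]], fragment: str) -> List[str]:
    """All reasons attached to flagged lines containing `fragment`."""
    return [r for line, rs in result.items() if fragment in line for r in rs]

if __name__ == "__main__":
    for line, rs in triage(SAMPLE_LOG).items():
        print(line, "->", "; ".join(rs))
```
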
  6. #6
    zulander is offline Junior Member
    Still pop-ups and rubbish in the system tray

    Combofix log:

    ComboFix 10-03-16.05 - Chris 18/03/2010 9:20.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.644 [GMT 0:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
    AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    FILE ::
    "c:\docume~1\Chris\LOCALS~1\Temp\iMSPCLOj.sys"
    "c:\documents and settings\LocalService\Application Data\zxcdyt.dat"
    "c:\documents and settings\NetworkService\Application Data\zxcdyt.dat"
    "c:\windows\TEMP\cch4E.tmp"
    "c:\windows\TEMP\cch4F.tmp"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Chris\oashdihasidhasuidhiasdhiashdiuasdhasd
    c:\documents and settings\LocalService\Application Data\zxcdyt.dat
    c:\documents and settings\LocalService\Local Settings\Application Data\ave.exe
    c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
    c:\documents and settings\NetworkService\Application Data\zxcdyt.dat

    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IMSPCLOJ
    -------\Service_iMSPCLOj


    ((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
    .

    2010-03-16 20:06 . 2010-03-16 20:06 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-16 20:06 . 2010-03-16 20:06 -------- d-----w- c:\program files\Hijack This
    2010-03-16 19:54 . 2008-03-11 13:35 812344 ----a-w- C:\HJTInstall.exe
    2010-03-16 19:53 . 2010-03-16 19:53 -------- d-----w- c:\program files\Trend Micro
    2010-03-16 19:20 . 2010-03-16 19:20 203264 --sha-w- c:\documents and settings\Chris\Local Settings\Application Data\1191510367.dll
    2010-03-16 19:05 . 2010-03-16 19:05 51807 ----a-w- c:\windows\system32\wuaucldt.exe
    2010-03-16 19:05 . 2010-03-16 19:05 51807 ----a-w- c:\windows\system32\config\systemprofile\wuaucldt.exe
    2010-02-23 20:40 . 2010-02-23 20:40 -------- d-----w- c:\program files\vso

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-18 10:44 . 2005-11-13 01:34 -------- d-----w- c:\program files\PeerGuardian2
    2010-03-18 10:42 . 2004-08-04 12:00 98240 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2010-03-18 10:42 . 2009-09-06 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-03-15 23:08 . 2009-09-11 19:54 -------- d-----w- c:\documents and settings\Chris\Application Data\vlc
    2010-03-15 22:11 . 2009-11-24 20:12 -------- d-----w- c:\documents and settings\Chris\Application Data\Spotify
    2010-03-15 22:06 . 2008-03-03 18:35 -------- d-----w- c:\documents and settings\Chris\Application Data\uTorrent
    2010-02-14 21:56 . 2010-02-14 21:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-14 21:50 . 2010-02-14 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
    2010-02-14 21:50 . 2010-02-14 21:50 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
    2010-02-04 18:24 . 2010-01-24 13:42 -------- d-----w- c:\program files\FreeCDRipper
    2009-09-06 11:58 . 2009-09-06 11:58 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
    "Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-29 135664]
    "syncman"="c:\documents and settings\chris\wuaucldt.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-28 344064]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-21 577536]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
    "syncman"="c:\windows\system32\wuaucldt.exe" [2010-03-16 51807]
    "Regedit32"="c:\windows\system32\regedit.exe" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2005-12-28 155715]
    Zoom Wireless-G USB.lnk - c:\program files\Zoom Wireless-G USB\WLANUTL.exe [2009-3-18 770048]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMBalloonTip"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2008-07-22 19:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-07-30 09:47 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 09:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "UPS"=3 (0x3)
    "SCardSvr"=3 (0x3)
    "SandraTheSrv"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "iPod Service"=3 (0x3)
    "helpsvc"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)
    "CCALib8"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIIc\\Win32\\RpcDataSrv.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIIc\\RpcSandraSrv.exe"=
    "c:\\Program Files\\TESTOUT\\Cmi\\Navigator.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\PROGRA~1\\TESTOUT\\Cmi\\Navigator.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "51658:TCP"= 51658:TCP:utorrent port
    "56609:TCP"= 56609:TCP:utorrent

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [15/12/2008 19:41 33808]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29/12/2005 17:03 717296]
    R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23/04/2007 16:08 81688]
    R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [03/04/2008 18:59 31232]
    R1 TRIXX;TRIXX;c:\program files\TRIXX\TRIXXDriver.sys [16/08/2005 11:17 15360]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [13/05/2009 16:46 31760]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [16/05/2009 19:59 19472]
    R3 XG762NXP;Zoom 802.11g XG762 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [18/03/2009 21:25 519168]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PGFILTER
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

    2010-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-2139871995-725345543-1003Core.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-29 20:46]

    2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-2139871995-725345543-1003UA.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-29 20:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.sky.com/
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\od046o4e.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-03-18 10:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):c3,b4,7e,a7,33,06,1b,5d,99,e0,eb,6b,7c,22,67,85,a4,e2,e3,17,81,
    b9,4a,21,44,74,2c,c6,c0,de,9e,2f,ec,10,43,4a,5e,e2,26,cb,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6fb154a4-c07f-4121-b008-717d71005357}]
    @Denied: (Full) (Everyone)
    "Model"=dword:000000e7
    "Therad"=dword:0000002b
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,c6,e1,ad,7a,a6,50,39,f2,c4,9f,27,cf,25,5d,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1468)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(31036)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\NetLimiter 2 Monitor\nlsvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\NetLimiter 2 Monitor\NLClient.exe
    c:\windows\SOUNDMAN.EXE
    c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-18 10:47:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-18 10:47
    ComboFix2.txt 2010-03-17 20:46

    Pre-Run: 6,533,955,584 bytes free
    Post-Run: 6,497,239,040 bytes free

    - - End Of File - - 86031FDDD5EA911F673DDADA6CA60001


    HIJACK THIS

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 11:11:31, on 18/03/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\windows\system32\wuaucldt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\Zoom Wireless-G USB\WLANUTL.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Chris\Local Settings\Application Data\ave.exe
    C:\Documents and Settings\Chris\Local Settings\Application Data\ave.exe
    C:\Documents and Settings\Chris\Local Settings\Application Data\ave.exe
    C:\Program Files\Hijack This\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sky.com - your home for the latest news, sport and entertainment
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKLM\..\Run: [combofix] "C:\ComboFix\" /c "C:\ComboFix\C.bat"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [syncman] c:\documents and settings\chris\wuaucldt.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: Zoom Wireless-G USB.lnk = ?
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment (file missing)
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://headintheclouds4eva.spaces.li...d/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188249745765
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8600 bytes


    thanks

  7. #7
    broni is offline Senior Member
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\chris\wuaucldt.exe
    c:\windows\system32\regedit.exe
    
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "syncman"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Regedit32"=-
    
    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
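    The CFScript above pulls two autoruns out of the HijackThis log: the `syncman` entry, whose wuaucldt.exe is one letter away from the genuine Windows Update client wuauclt.exe and is also registered from the user's profile folder, and `Regedit32`, which would launch regedit.exe at every logon. As an added illustration (not part of this thread, and not code from HijackThis or ComboFix), the Python script below applies those same triage rules to O4 lines. The sample lines are constructed to match the shapes in the log above, and the list of "known Windows binaries" is an assumption of the example, not a HijackThis feature.

```python
import re
from collections import defaultdict

# Constructed sample input in the shape of HijackThis "O4" autorun lines.
# The entries mirror the ones discussed in this thread; they are typed here
# as test data, not copied from a live log.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe',
    r'O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe',
    r'O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c',
    r'O4 - HKCU\..\Run: [syncman] c:\documents and settings\chris\wuaucldt.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r"O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')",
    r'O4 - Global Startup: NaturalColorLoad.lnk = ?',
]

# Assumed list of Windows binaries whose names malware likes to imitate by
# adding, dropping or swapping one character (wuaucldt.exe vs wuauclt.exe here).
KNOWN_WINDOWS_BINARIES = {
    "wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "ctfmon.exe", "regedit.exe", "services.exe", "spoolsv.exe",
}

# Administrative tools that have no business running from a Run key at logon.
ADMIN_TOOLS = {"regedit.exe", "cmd.exe", "reg.exe"}

# O4 Run-key line: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$')


def levenshtein(a, b):
    """Plain edit distance; enough to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _extract_path(rest):
    """Strip surrounding quotes and trailing switches or "(User ...)" suffixes."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest.strip('"')
    return re.split(r"\s+(?:/|\(User )", rest)[0]


def parse_o4(line):
    """Return {hive, name, path} for a Run-key O4 line, or None for other O4 forms."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"hive": m.group("hive"), "name": m.group("name"),
            "path": _extract_path(m.group("rest"))}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Apply the triage heuristics and return the entries worth a closer look."""
    entries = [e for e in (parse_o4(l) for l in lines) if e]
    paths_by_name = defaultdict(set)
    for e in entries:
        paths_by_name[e["name"].lower()].add(e["path"].lower())

    findings = []
    for e in entries:
        base = basename(e["path"])
        reasons = []
        for known in sorted(KNOWN_WINDOWS_BINARIES):
            if 0 < levenshtein(base, known) <= 1:
                reasons.append(f"look-alike of {known}")
        if base in ADMIN_TOOLS:
            reasons.append("launches an admin tool at logon")
        if len(paths_by_name[e["name"].lower()]) > 1:
            reasons.append("same autorun name with different paths")
        if "\\documents and settings\\" in e["path"].lower():
            reasons.append("user-profile path")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f'{f["hive"]:<14} [{f["name"]}] {f["path"]}')
        for r in f["reasons"]:
            print(f"    - {r}")
```

    Run against the sample, both `syncman` entries and `Regedit32` come back flagged while the ATI, SoundMan, ctfmon and Nokia entries do not. Google Update trips only the user-profile rule, which is the expected false positive: per-user installers genuinely live under Local Settings\Application Data, so that rule ranks an entry for review rather than condemning it, and a human still decides, as broni does here.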

  8. #8
    zulander is offline Junior Member
    ComboFix 10-03-18.01 - Chris 18/03/2010 21:50:55.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.622 [GMT 0:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    FILE ::
    "c:\documents and settings\chris\wuaucldt.exe"
    "c:\windows\system32\regedit.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Chris\Local Settings\Application Data\av.exe
    c:\documents and settings\Chris\Local Settings\Application Data\ave.exe
    c:\documents and settings\LocalService\Local Settings\Application Data\ave.exe
    c:\windows\system32\config\systemprofile\wuaucldt.exe
    c:\windows\system32\wuaucldt.exe

    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
    .

    2010-03-18 11:08 . 2010-03-18 12:32 200704 --sha-w- c:\documents and settings\Chris\Local Settings\Application Data\20209530.dll
    2010-03-16 20:06 . 2010-03-16 20:06 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-16 20:06 . 2010-03-16 20:06 -------- d-----w- c:\program files\Hijack This
    2010-03-16 19:54 . 2008-03-11 13:35 812344 ----a-w- C:\HJTInstall.exe
    2010-03-16 19:53 . 2010-03-16 19:53 -------- d-----w- c:\program files\Trend Micro
    2010-03-16 19:20 . 2010-03-16 19:20 203264 --sha-w- c:\documents and settings\Chris\Local Settings\Application Data\1191510367.dll
    2010-02-23 20:40 . 2010-02-23 20:40 -------- d-----w- c:\program files\vso

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-18 22:07 . 2005-11-13 01:34 -------- d-----w- c:\program files\PeerGuardian2
    2010-03-18 21:43 . 2009-09-06 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-03-15 23:08 . 2009-09-11 19:54 -------- d-----w- c:\documents and settings\Chris\Application Data\vlc
    2010-03-15 22:11 . 2009-11-24 20:12 -------- d-----w- c:\documents and settings\Chris\Application Data\Spotify
    2010-03-15 22:06 . 2008-03-03 18:35 -------- d-----w- c:\documents and settings\Chris\Application Data\uTorrent
    2010-02-14 21:56 . 2010-02-14 21:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-14 21:50 . 2010-02-14 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
    2010-02-14 21:50 . 2010-02-14 21:50 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
    2010-02-04 18:24 . 2010-01-24 13:42 -------- d-----w- c:\program files\FreeCDRipper
    2009-09-06 11:58 . 2009-09-06 11:58 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-17_20.39.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-04-10 18:10 . 2010-03-18 22:05 32768 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2006-04-10 18:10 . 2010-03-17 20:39 32768 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2010-03-18 09:09 . 2010-03-18 22:05 32768 c:\windows\Temp\History\History.IE5\MSHist012010031820100319\index.dat
    - 2006-04-10 18:10 . 2010-03-17 20:39 32768 c:\windows\Temp\History\History.IE5\index.dat
    + 2006-04-10 18:10 . 2010-03-18 22:05 32768 c:\windows\Temp\History\History.IE5\index.dat
    + 2006-04-10 18:10 . 2010-03-18 22:05 32768 c:\windows\Temp\Cookies\index.dat
    - 2006-04-10 18:10 . 2010-03-17 20:39 32768 c:\windows\Temp\Cookies\index.dat
    + 2004-08-04 12:00 . 2008-04-13 18:40 62976 c:\windows\system32\drivers\cdrom.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
    "Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-29 135664]
    "syncman"="c:\documents and settings\chris\wuaucldt.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-28 344064]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-21 577536]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2005-12-28 155715]
    Zoom Wireless-G USB.lnk - c:\program files\Zoom Wireless-G USB\WLANUTL.exe [2009-3-18 770048]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMBalloonTip"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2008-07-22 19:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-07-30 09:47 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 09:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "UPS"=3 (0x3)
    "SCardSvr"=3 (0x3)
    "SandraTheSrv"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "iPod Service"=3 (0x3)
    "helpsvc"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)
    "CCALib8"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIIc\\Win32\\RpcDataSrv.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIIc\\RpcSandraSrv.exe"=
    "c:\\Program Files\\TESTOUT\\Cmi\\Navigator.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\PROGRA~1\\TESTOUT\\Cmi\\Navigator.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "51658:TCP"= 51658:TCP:utorrent port
    "56609:TCP"= 56609:TCP:utorrent

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [15/12/2008 19:41 33808]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29/12/2005 17:03 717296]
    R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23/04/2007 16:08 81688]
    R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [03/04/2008 18:59 31232]
    R1 TRIXX;TRIXX;c:\program files\TRIXX\TRIXXDriver.sys [16/08/2005 11:17 15360]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [13/05/2009 16:46 31760]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [16/05/2009 19:59 19472]
    R3 XG762NXP;Zoom 802.11g XG762 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [18/03/2009 21:25 519168]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

    2010-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-2139871995-725345543-1003Core.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-29 20:46]

    2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-2139871995-725345543-1003UA.job
    - c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-29 20:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.sky.com/
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\od046o4e.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-syncman - c:\windows\system32\wuaucldt.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-03-18 22:05
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):c3,b4,7e,a7,33,06,1b,5d,99,e0,eb,6b,7c,22,67,85,a4,e2,e3,17,81,
    b9,4a,21,44,74,2c,c6,c0,de,9e,2f,ec,10,43,4a,5e,e2,26,cb,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6fb154a4-c07f-4121-b008-717d71005357}]
    @Denied: (Full) (Everyone)
    "Model"=dword:000000e7
    "Therad"=dword:0000002b
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,c6,e1,ad,7a,a6,50,39,f2,c4,9f,27,cf,25,5d,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1460)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2408)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\NetLimiter 2 Monitor\nlsvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\NetLimiter 2 Monitor\NLClient.exe
    c:\windows\SOUNDMAN.EXE
    c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-18 22:10:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-18 22:10
    ComboFix2.txt 2010-03-18 10:47
    ComboFix3.txt 2010-03-17 20:46

    Pre-Run: 6,481,084,416 bytes free
    Post-Run: 6,443,241,472 bytes free

    - - End Of File - - 05A2811F69D4EED6736E90BC51CECDE8

  9. #9
    zulander is offline Junior Member
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 22:34:10, on 18/03/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\Zoom Wireless-G USB\WLANUTL.exe
    C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijack This\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sky.com - your home for the latest news, sport and entertainment
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [syncman] c:\documents and settings\chris\wuaucldt.exe
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: Zoom Wireless-G USB.lnk = ?
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment (file missing)
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://headintheclouds4eva.spaces.li...d/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188249745765
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 7625 bytes

  10. #10
    broni is offline Senior Member
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\chris\wuaucldt.exe
    
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "syncman"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"=-
    
    
    RegLockDel::
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
