[SSingh]

Hi there

I seem to have picked up this nasty little bug. I'm using NOD32, and it's detected that it is Win32/TrojanDropper.Agent.DGO which seems to make it think that legitimate files are viruses, and quarantine them. It also seems to be doing all sorts of weird things such as preventing certain programs from starting up (for example my laptop touchpad) and causing my laptop to run slower. I've read a few previous topics regarding this issue, however each solution seems to have been specific to the poster. Below is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:27:34 AM, on 2008/01/17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\DOCUME~1\SHALIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Route Sentry\RouteSentry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.c...://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.za.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.za.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com.../readstep2.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Silica Weather.lnk = C:\Program Files\Object Desktop\DesktopX\Widgets\Silica Weather.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF65E404-630B-42BB-A70A-AAE5E3D4F998}: NameServer = 168.210.2.2 196.14.239.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA4D5B83-D926-4578-9D94-F2C0E1944545}: NameServer = 168.210.2.2 196.14.239.2
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6027 bytes

Any help would be much appreciated. Much thanks

[Advertisements]

Hello

Don't put the logs in quote boxes as it makes them hard to read

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[Rorschach112]

Hello

Don't put the logs in quote boxes as it makes them hard to read

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[SSingh]

Hi,

Thank you for the reply. Here are the contents of the .txt files as requested.

Deckard's System Scanner v20071014.68
Run by Shalin Singh on 2008-01-20 18:21:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).
System Drive C: has 2.93 GiB (less than 15%) free.


-- HijackThis (run as Shalin Singh.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:21:17 PM, on 2008/01/20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\DOCUME~1\SHALIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Shalin Singh\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SHALIN~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.c...://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.za.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.za.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com.../readstep2.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0347CFD4-A4D2-4244-9256-8934675019FD} - C:\WINDOWS\system32\gebcy.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D4576C73-52BD-4401-B966-5A128C4433D4} - C:\WINDOWS\system32\rqrqqpn.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [9612aeac] rundll32.exe "C:\WINDOWS\system32\guunmwjt.dll",b
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Silica Weather.lnk = C:\Program Files\Object Desktop\DesktopX\Widgets\Silica Weather.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: rqrqqpn - C:\WINDOWS\SYSTEM32\rqrqqpn.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6745 bytes

-- Files created between 2007-12-20 and 2008-01-20 -----------------------------

2008-01-19 22:41:31 87104 --a------ C:\WINDOWS\system32\guunmwjt.dll
2008-01-17 01:24:38 0 d-------- C:\Program Files\Trend Micro
2008-01-17 00:25:06 0 d--h----- C:\WINDOWS\PIF
2008-01-17 00:15:30 3584 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-17 00:15:26 3584 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-17 00:13:44 3584 --a------ C:\WINDOWS\system32\gebcy.exe
2008-01-16 23:53:40 7168 --a------ C:\WINDOWS\system32\windows
2008-01-12 23:41:17 0 d-------- C:\Program Files\FlashGet
2008-01-12 15:05:33 6238208 --a------ C:\Documents and Settings\Shalin Singh\ntuser.dat
2008-01-12 15:04:56 297087 --ahs---- C:\WINDOWS\system32\ycbeg.ini2
2008-01-12 15:03:39 335360 --a------ C:\WINDOWS\system32\gebcy.dll
2008-01-12 14:58:18 39424 --a------ C:\WINDOWS\system32\rqrqqpn.dll
2007-12-26 19:13:42 0 d-------- C:\Bloopers
2007-12-26 00:33:27 0 d-------- C:\Program Files\Common Files\xing shared
2007-12-26 00:32:52 0 d-------- C:\Program Files\Real
2007-12-26 00:32:45 0 d-------- C:\Program Files\Common Files\Real
2007-12-26 00:32:44 0 d-------- C:\Documents and Settings\Shalin Singh\Application Data\Real
2007-12-25 10:25:28 0 d--hs---- C:\FOUND.001
2007-12-20 14:18:53 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 2


-- Find3M Report ---------------------------------------------------------------

2008-01-20 18:17:34 836 --a------ C:\WINDOWS\bthservsdp.dat
2007-12-12 18:02:44 0 d-------- C:\Program Files\Route Sentry
2007-11-23 16:36:32 0 d-------- C:\Program Files\Stardock


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347CFD4-A4D2-4244-9256-8934675019FD}]
2008/01/12 03:04 PM 335360 --a------ C:\WINDOWS\system32\gebcy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4576C73-52BD-4401-B966-5A128C4433D4}]
2008/01/12 02:58 PM 39424 --a------ C:\WINDOWS\system32\rqrqqpn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"AGRSMMSG"="AGRSMMSG.exe" [2005/12/13 09:50 PM C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006/07/19 09:42 AM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006/07/19 09:42 AM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [2006/07/19 09:41 AM C:\WINDOWS\Alcmtr.exe]
"@"="" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004/08/04 05:00 AM C:\WINDOWS\system32\bthprops.cpl]
"AME_CSA"="amecsa.cpl" [2002/04/29 11:50 PM C:\WINDOWS\system32\AmeCSA.cpl]
"9612aeac"="C:\WINDOWS\system32\guunmwjt.dll" [2008/01/19 10:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" []
"updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Shalin Singh\Start Menu\Programs\Startup\
Y'z ToolBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe [2002/09/29 03:41:00 PM]
Stardock ObjectDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005/02/21 03:56:00 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D4576C73-52BD-4401-B966-5A128C4433D4}"= C:\WINDOWS\system32\rqrqqpn.dll [2008/01/12 02:58 PM 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqqpn]
rqrqqpn.dll 2008/01/12 02:58 PM 39424 C:\WINDOWS\system32\rqrqqpn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3288f7c4-7ce2-11dc-82ab-001636dd9094}]
AutoRun\command- tgejbcx.exe
explore\Command- tgejbcx.exe
open\Command- tgejbcx.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33561d1c-7a62-11dc-82a8-001636dd9094}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{609100ba-7e38-11dc-82ad-001636dd9094}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-01-20 18:21:50 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M CPU 430 @ 1.73GHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 502.1 MiB / 253.72 MiB
Pagefile Memory (total/avail): 1224.58 MiB / 862.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1898.47 MiB

C: is Fixed (FAT32) - 34.57 GiB total, 2.94 GiB free.
D: is Fixed (FAT32) - 35.06 GiB total, 1.31 GiB free.
E: is CDROM (No Media)
F: is Fixed (NTFS) - 232.88 GiB total, 0.4 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD800BEVS-22RST0 - 74.53 GiB - 3 partitions
\PARTITION0 - Unknown - 4.88 GiB
\PARTITION1 (bootable) - Unknown - 34.58 GiB - C:
\PARTITION2 - Unknown - 35.07 GiB - D:

\\.\PHYSICALDRIVE1 - ST325082 0A USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"="C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe:*:Enabled:Speed"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\stunnel\\stunnel.exe"="C:\\Program Files\\stunnel\\stunnel.exe:*:Enabled:stunnel"
"D:\\mx\\2316473951452f5U.exe"="D:\\mx\\2316473951452f5U.exe:*:Enabled:2316473951452f5U.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Java\\jre1.6.0_02\\BIN\\java.exe"="C:\\Program Files\\Java\\jre1.6.0_02\\BIN\\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Java\\jre1.6.0_02\\BIN\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_02\\BIN\\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Shalin Singh\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SHALIN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shalin Singh
INCLUDE=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
LIB=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
LOGONSERVER=\\SHALIN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\doxygen\bin;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SHALIN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SHALIN~1\LOCALS~1\Temp
USERDOMAIN=SHALIN
USERNAME=Shalin Singh
USERPROFILE=C:\Documents and Settings\Shalin Singh
VS71COMNTOOLS=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Shalin Singh (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Acer eDataSecurity Management --> C:\Acer\Empowering Technology\eDataSecurity\eDStbmngr.exe UNINSTALL 1
Acer eDataSecurity Management 2.0.3077 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{4AD13F68-CADA-4C6B-9759-C33753F89908} /l1033
Acer Empowering Technology --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer ePerformance Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7057702F-6D71-4F30-8000-9E72BC771887}\setup.exe" -l0x9 -removeonly
Acer ePower Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x9 -removeonly
Acer ePresentation Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x9 -removeonly
Acer eSettings Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F2C8256-2773-46C7-9ABA-3E39C24ABB51}\setup.exe" -l0x9 -removeonly
Acer GridVista --> C:\WINDOWS\UnInst32.exe GridV.UNI
Acer Screensaver --> MsiExec.exe /I{D458BBDC-0363-42E0-8FF9-4736E3CB3CA2}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
ADSL Modem Driver Suite Product --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEBED42E-0BF4-11D5-928C-0060677630C4}\Setup.exe"
Agere Systems HDA Modem --> agrsmdel
Alt.Binz 0.24.2 --> C:\Program Files\AltBinz\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
Avidemux 2.4 --> C:\Program Files\Avidemux 2.4\uninstall.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
doxygen 1.4.7 --> "C:\Program Files\doxygen\system\unins000.exe"
Ethereal 0.10.14 --> "C:\Program Files\Ethereal\uninstall.exe"
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
GrabIt 1.7.1 Beta (build 960) --> "C:\Program Files\GrabIt\unins000.exe"
GSpot Codec Information Appliance --> C:\Program Files\GSpot\Uninstall.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
iTunes --> MsiExec.exe /I{E0219810-16E4-437D-9165-93D7B22524F9}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Launch Manager --> C:\WINDOWS\UnInst32.exe QtZgAcer.UNI
LimeWire PRO 4.14.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Virtual PC 2007 --> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual Studio .NET Professional 2003 - English --> "C:\Program Files\Microsoft Visual Studio .NET 2003\Setup\Visual Studio .NET Professional 2003 - English\setup.exe" /MaintMode
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Visual Studio .NET 2003 --> MsiExec.exe /I{5757AE1A-1DB4-4898-9806-09F77FBD5E57}
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Need For Speed Underground --> C:\Program Files\EA GAMES\Need For Speed Underground\EAUninstall.exe
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{B7757137-0A71-4A9F-8A82-1AE4A1B73420}
Nokia PC Suite --> MsiExec.exe /I{FF059F2A-62A7-4E6A-B305-559591D2769E}
NTI Backup NOW! 4.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B06B842F-2450-494F-BBDE-217CDC151A37}\setup.exe" -l0x9 -uninst -removeonly
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
Pack Vista Inspirat 1.1 --> C:\WINDOWS\BricoPacks\Vista Inspirat\Remove.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.EXE" -uninstall
QuickPar 0.9 --> C:\Program Files\QuickPar\uninst.exe
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
R4 --> "C:\Program Files\R4\uninstall.exe"
RadLight Ogg Media DirectShow filter (remove only) --> "C:\WINDOWS\system32\RadLightOggUninstall.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Route Sentry v0.04 --> "C:\Program Files\Route Sentry\unins000.exe"
StarUML 5.0.2.1570 --> "C:\Program Files\StarUML\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
TortoiseSVN 1.4.5.10425 (32 bit) --> MsiExec.exe /X{F4BBA950-56F0-4335-8D93-EE64BFF593A0}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual Task Tips 2.1 --> C:\Program Files\VisualTaskTips\uninst.exe
VobSub v2.23 (Remove Only) --> "C:\Program Files\Gabest\VobSub\uninstall.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinHTTrack Website Copier 3.41-3 --> "C:\Program Files\WinHTTrack\unins000.exe"
WinPcap 4.0.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Toolbar --> C:\PROGRA~1\YAHOO!\common\unyt.exe
yEnc32 (remove only) --> "C:\Program Files\yEnc32\uninstall.exe"
Zune Desktop Theme --> MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}


-- Application Event Log -------------------------------------------------------

Event Record #/Type11158 / Warning
Event Submitted/Written: 01/18/2008 02:14:19 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type11152 / Warning
Event Submitted/Written: 01/17/2008 03:40:20 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type11146 / Warning
Event Submitted/Written: 01/17/2008 00:16:40 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type11141 / Warning
Event Submitted/Written: 01/17/2008 00:04:38 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type11137 / Error
Event Submitted/Written: 01/16/2008 05:29:35 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20071.12718, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10470 / Warning
Event Submitted/Written: 01/20/2008 01:45:21 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00029640F2E1. The IP address being used is 169.254.5.96.

Event Record #/Type10466 / Warning
Event Submitted/Written: 01/20/2008 04:09:53 AM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type10462 / Warning
Event Submitted/Written: 01/20/2008 04:07:44 AM
Event ID/Source: 63 / RMSPPPOE
Event Description:
Received a PPPoE Session packet for an unknown session.
Ignoring this packet.

Event Record #/Type10453 / Warning
Event Submitted/Written: 01/19/2008 09:37:18 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00029640F2E1. The IP address being used is 169.254.5.96.

Event Record #/Type10451 / Warning
Event Submitted/Written: 01/19/2008 09:36:36 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 001636DD9094. The IP address being used is 169.254.199.122.



-- End of Deckard's System Scanner: finished at 2008-01-20 18:21:50 ------------

[Rorschach112]

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

[SSingh]

Hi

Here are the ComboFix and HijackThis logs as requested:

ComboFix 08-01-20.1 - Shalin Singh 2008-01-20 18:50:48.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.205 [GMT 2:00]
Running from: C:\Documents and Settings\Shalin Singh\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Shalin Singh\My Documents\pos1F7.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos1F8.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos1F9.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos1FA.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos1FB.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos1FC.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos1FD.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos1FE.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos1FF.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos200.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos201.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos202.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos203.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos204.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos205.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos206.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos207.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos208.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos209.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos20A.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos20B.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos20C.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos20D.tmp
C:\Documents and Settings\Shalin Singh\My Documents\pos20E.tmp
C:\pos10.tmp
C:\pos100.tmp
C:\pos101.tmp
C:\pos102.tmp
C:\pos103.tmp
C:\pos104.tmp
C:\pos105.tmp
C:\pos106.tmp
C:\pos107.tmp
C:\pos108.tmp
C:\pos109.tmp
C:\pos10A.tmp
C:\pos10B.tmp
C:\pos10C.tmp
C:\pos10D.tmp
C:\pos10E.tmp
C:\pos10F.tmp
C:\pos11.tmp
C:\pos110.tmp
C:\pos111.tmp
C:\pos112.tmp
C:\pos113.tmp
C:\pos114.tmp
C:\pos115.tmp
C:\pos116.tmp
C:\pos117.tmp
C:\pos118.tmp
C:\pos119.tmp
C:\pos11A.tmp
C:\pos11B.tmp
C:\pos11C.tmp
C:\pos11D.tmp
C:\pos11E.tmp
C:\pos11F.tmp
C:\pos12.tmp
C:\WINDOWS\system32\fwmbqmcp.dllbox
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\guunmwjt.dll
C:\WINDOWS\system32\rqrqqpn.dll
C:\WINDOWS\system32\tjwmnuug.ini
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\ycbeg.ini
C:\WINDOWS\system32\ycbeg.ini2
F:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 18:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 18:04 . 2008-01-20 18:04 <DIR> d-------- C:\Deckard
2008-01-17 01:24 . 2008-01-17 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 00:25 . 2008-01-17 00:25 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-17 00:15 . 2008-01-17 00:15 3,584 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-17 00:15 . 2008-01-17 00:15 3,584 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-17 00:13 . 2008-01-17 00:13 3,584 --a------ C:\WINDOWS\system32\gebcy.exe
2008-01-12 23:41 . 2008-01-12 23:41 <DIR> d-------- C:\Program Files\FlashGet
2008-01-12 23:41 . 2004-08-04 05:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg
2007-12-26 19:13 . 2007-12-26 19:13 <DIR> d-------- C:\Bloopers
2007-12-26 00:33 . 2007-12-26 00:33 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-26 00:32 . 2007-12-26 00:32 <DIR> d-------- C:\Program Files\Real
2007-12-26 00:32 . 2007-12-26 00:32 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-25 10:25 . 2007-12-25 10:25 <DIR> d--hs---- C:\FOUND.001
2007-12-24 20:37 . 2008-01-20 18:09 244 --ah----- C:\sqmnoopt19.sqm
2007-12-24 20:37 . 2008-01-20 18:09 232 --ah----- C:\sqmdata19.sqm
2007-12-24 01:01 . 2008-01-20 13:54 244 --ah----- C:\sqmnoopt18.sqm
2007-12-24 01:01 . 2008-01-20 13:54 232 --ah----- C:\sqmdata18.sqm
2007-12-23 17:20 . 2008-01-16 21:32 244 --ah----- C:\sqmnoopt17.sqm
2007-12-23 17:20 . 2008-01-16 21:32 232 --ah----- C:\sqmdata17.sqm
2007-12-22 13:54 . 2008-01-16 19:26 244 --ah----- C:\sqmnoopt16.sqm
2007-12-22 13:54 . 2008-01-16 19:26 232 --ah----- C:\sqmdata16.sqm
2007-12-21 18:25 . 2008-01-16 16:13 244 --ah----- C:\sqmnoopt15.sqm
2007-12-21 18:25 . 2008-01-16 16:13 232 --ah----- C:\sqmdata15.sqm
2007-12-20 14:18 . 2007-12-20 14:18 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 16:02 --------- d-----w C:\Program Files\Route Sentry
2007-11-23 14:36 --------- d-----w C:\Program Files\Stardock
2007-09-13 23:28 0 ----a-w C:\Documents and Settings\Shalin Singh\ethereal-setup-0.99.0.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [ ]
"updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"AME_CSA"="amecsa.cpl" [2002-04-29 23:50 720896 C:\WINDOWS\system32\AmeCSA.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Shalin Singh\Start Menu\Programs\Startup\
Y'z ToolBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe [2002-09-29 15:41:00 90112]
Stardock ObjectDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005-02-21 15:56:00 1826885]

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
R2 int15;int15;C:\WINDOWS\system32\drivers\int15.sys [2006-06-02 13:59]
R2 tvicport;tvicport;C:\WINDOWS\system32\drivers\tvicport.sys [2006-06-02 13:59]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2005-12-27 00:09]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-29 02:01]
S3 psdfilter;psdfilter;C:\WINDOWS\system32\Drivers\psdfilter.sys [2006-04-07 20:17]
S3 psdvdisk;psdvdisk;C:\WINDOWS\system32\Drivers\psdvdisk.sys [2006-03-08 17:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3288f7c4-7ce2-11dc-82ab-001636dd9094}]
\Shell\AutoRun\command - tgejbcx.exe
\Shell\explore\Command - tgejbcx.exe
\Shell\open\Command - tgejbcx.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33561d1c-7a62-11dc-82a8-001636dd9094}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{609100ba-7e38-11dc-82ad-001636dd9094}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 16:21:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 19:06:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
C:\Program Files\TortoiseSVN\iconv\windows-1252.so
C:\Program Files\TortoiseSVN\iconv\utf-8.so
-> C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\DockShellHook.dll
.
Completion time: 2008-01-20 19:08:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 17:08:16


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:13:22 PM, on 2008/01/20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\DOCUME~1\SHALIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.za.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.za.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com.../readstep2.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Silica Weather.lnk = C:\Program Files\Object Desktop\DesktopX\Widgets\Silica Weather.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6080 bytes

[Rorschach112]

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\FOUND.001

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3288f7c4-7ce2-11dc-82ab-001636dd9094}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33561d1c-7a62-11dc-82a8-001636dd9094}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{609100ba-7e38-11dc-82ad-001636dd9094}]

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

[SSingh]

Ok I've done that

[Rorschach112]

Can you post that log and then do this

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

[SSingh]

Hi

Below is the ComboFix log as requested, followed by the log of the Kaspersky scan

ComboFix 08-01-20.1 - Shalin Singh 2008-01-20 20:25:22.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.188 [GMT 2:00]
Running from: C:\Documents and Settings\Shalin Singh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shalin Singh\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.001
C:\FOUND.001\FILE0000.CHK
C:\FOUND.001\FILE0001.CHK
C:\FOUND.001\FILE0002.CHK
C:\FOUND.001\FILE0003.CHK
C:\FOUND.001\FILE0004.CHK
F:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 18:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 18:04 . 2008-01-20 18:04 <DIR> d-------- C:\Deckard
2008-01-17 01:24 . 2008-01-17 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 00:25 . 2008-01-17 00:25 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-17 00:15 . 2008-01-17 00:15 3,584 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-17 00:15 . 2008-01-17 00:15 3,584 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-17 00:13 . 2008-01-17 00:13 3,584 --a------ C:\WINDOWS\system32\gebcy.exe
2008-01-12 23:41 . 2008-01-12 23:41 <DIR> d-------- C:\Program Files\FlashGet
2008-01-12 23:41 . 2004-08-04 05:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg
2007-12-26 19:13 . 2007-12-26 19:13 <DIR> d-------- C:\Bloopers
2007-12-26 00:33 . 2007-12-26 00:33 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-26 00:32 . 2007-12-26 00:32 <DIR> d-------- C:\Program Files\Real
2007-12-26 00:32 . 2007-12-26 00:32 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-24 20:37 . 2008-01-20 18:09 244 --ah----- C:\sqmnoopt19.sqm
2007-12-24 20:37 . 2008-01-20 18:09 232 --ah----- C:\sqmdata19.sqm
2007-12-24 01:01 . 2008-01-20 13:54 244 --ah----- C:\sqmnoopt18.sqm
2007-12-24 01:01 . 2008-01-20 13:54 232 --ah----- C:\sqmdata18.sqm
2007-12-23 17:20 . 2008-01-16 21:32 244 --ah----- C:\sqmnoopt17.sqm
2007-12-23 17:20 . 2008-01-16 21:32 232 --ah----- C:\sqmdata17.sqm
2007-12-22 13:54 . 2008-01-16 19:26 244 --ah----- C:\sqmnoopt16.sqm
2007-12-22 13:54 . 2008-01-16 19:26 232 --ah----- C:\sqmdata16.sqm
2007-12-21 18:25 . 2008-01-16 16:13 244 --ah----- C:\sqmnoopt15.sqm
2007-12-21 18:25 . 2008-01-16 16:13 232 --ah----- C:\sqmdata15.sqm
2007-12-20 14:18 . 2007-12-20 14:18 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 16:02 --------- d-----w C:\Program Files\Route Sentry
2007-11-23 14:36 --------- d-----w C:\Program Files\Stardock
2007-09-13 23:28 0 ----a-w C:\Documents and Settings\Shalin Singh\ethereal-setup-0.99.0.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_19.07.52.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 16:49:42 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 18:25:18 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 16:49:42 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 18:25:18 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 16:49:42 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 18:25:18 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 16:49:42 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 18:25:18 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 16:49:42 6,242,304 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-20 18:25:18 6,242,304 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 16:49:42 208,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 18:25:18 208,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\F3M\ERDNT.EXE
+ 2008-01-20 18:28:52 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_1f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [ ]
"updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"AME_CSA"="amecsa.cpl" [2002-04-29 23:50 720896 C:\WINDOWS\system32\AmeCSA.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Shalin Singh\Start Menu\Programs\Startup\
Y'z ToolBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe [2002-09-29 15:41:00 90112]
Stardock ObjectDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005-02-21 15:56:00 1826885]

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
R2 int15;int15;C:\WINDOWS\system32\drivers\int15.sys [2006-06-02 13:59]
R2 tvicport;tvicport;C:\WINDOWS\system32\drivers\tvicport.sys [2006-06-02 13:59]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2005-12-27 00:09]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-29 02:01]
S3 psdfilter;psdfilter;C:\WINDOWS\system32\Drivers\psdfilter.sys [2006-04-07 20:17]
S3 psdvdisk;psdvdisk;C:\WINDOWS\system32\Drivers\psdvdisk.sys [2006-03-08 17:10]


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 12:05:39 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 524902
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 83264
Number of viruses found: 9
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 02:43:58

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\gebcy.exe Object is locked skipped
C:\WINDOWS\system32\igfxpers.exe Object is locked skipped
C:\WINDOWS\system32\igfxtray.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{95E0ACED-5763-41C7-A1D1-346774BB964B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1f4.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-09012007-210445.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Shared\CCProxy\svcpack\CCProxy642.exe/file01 Infected: not-a-virus:Server-Proxy.Win32.CCProxy.6301 skipped
C:\Documents and Settings\All Users\Documents\Shared\CCProxy\svcpack\CCProxy642.exe Inno: infected - 1 skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shalin Singh\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shalin Singh\Local Settings\Temp\Perflib_Perfdata_848.dat Object is locked skipped
C:\Documents and Settings\Shalin Singh\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shalin Singh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shalin Singh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shalin Singh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shalin Singh\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shalin Singh\ntuser.dat Object is locked skipped
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe Object is locked skipped
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Object is locked skipped
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe Object is locked skipped
C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\E1EH3TAA.NQF Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\ESET\infected\BTAJQUAA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\Program Files\ESET\infected\Q5M4UQBA.NQF Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Program Files\ESET\infected\JK52HLCA.NQF Infected: Trojan.Win32.Zapchast.dt skipped
C:\Program Files\ESET\infected\NKA1WNBA.NQF Infected: Trojan.Win32.Zapchast.dt skipped
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe Object is locked skipped
C:\Program Files\Windows Defender\MSASCui.exe Object is locked skipped
C:\Program Files\iTunes\iTunesHelper.exe Object is locked skipped
C:\Program Files\Nokia\Nokia PC Suite 6\LAUNCH~1.EXE Object is locked skipped
C:\Program Files\QuickTime\QTTask.exe Object is locked skipped
C:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP130\A0020038.exe Object is locked skipped
C:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP135\A0021018.dll Object is locked skipped
C:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP135\A0021019.dll Object is locked skipped
C:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP135\A0021151.dll Object is locked skipped
C:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP136\A0021179.exe Object is locked skipped
C:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP136\A0021181.exe Object is locked skipped
C:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP136\A0021182.exe Object is locked skipped
C:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP141\change.log Object is locked skipped
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe Object is locked skipped
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe Object is locked skipped
C:\Acer\Empowering Technology\ePower\Boot.exe Object is locked skipped
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe Object is locked skipped
C:\QooBox\Quarantine\catchme2008-01-20_190629.65.zip/rqrqqpn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\QooBox\Quarantine\catchme2008-01-20_190629.65.zip/Autorun.inf Infected: Worm.Win32.AutoRun.aox skipped
C:\QooBox\Quarantine\catchme2008-01-20_190629.65.zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-01-20_202918.25.zip/Autorun.inf Infected: Worm.Win32.AutoRun.aox skipped
C:\QooBox\Quarantine\catchme2008-01-20_202918.25.zip ZIP: infected - 1 skipped
D:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP141\change.log Object is locked skipped
D:\Files\ProgramAddons CCProxy 6.4.2.cab/svcpack/CCProxy642.exe/file01 Infected: not-a-virus:Server-Proxy.Win32.CCProxy.6301 skipped
D:\Files\ProgramAddons CCProxy 6.4.2.cab/svcpack/CCProxy642.exe Infected: not-a-virus:Server-Proxy.Win32.CCProxy.6301 skipped
D:\Files\ProgramAddons CCProxy 6.4.2.cab CAB: infected - 2 skipped
F:\autorun.inf Object is locked skipped
F:\ntde1ect.com Infected: Packed.Win32.NSAnti.r skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP141\change.log Object is locked skipped
F:\CCProxy\svcpack\CCProxy642.exe/file01 Infected: not-a-virus:Server-Proxy.Win32.CCProxy.6301 skipped
F:\CCProxy\svcpack\CCProxy642.exe Inno: infected - 1 skipped

Scan process completed.

[Rorschach112]

Hello

• 1 - Flash Drive Disinfector
  Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
F:\ntde1ect.com

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also tell me how your PC is running

[SSingh]

Hi thank you for your help and patience. I've done that and posted the ComboFix log below. My machine seems to be a little more responsive - although my antivirus (NOD32), touchpad (Synaptics) and phone suite (Nokia PC Suite) no longer start when Windows starts up (they haven't been starting since I've been infected). Should I uninstall them and reinstall?

ComboFix 08-01-20.1 - Shalin Singh 2008-01-21 0:42:01.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.195 [GMT 2:00]
Running from: C:\Documents and Settings\Shalin Singh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shalin Singh\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
F:\ntde1ect.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\ntde1ect.com
F:\Autorun.inf . . . . failed to delete
.
---- Previous Run -------
.
C:\FOUND.001
C:\FOUND.001\FILE0000.CHK
C:\FOUND.001\FILE0001.CHK
C:\FOUND.001\FILE0002.CHK
C:\FOUND.001\FILE0003.CHK
C:\FOUND.001\FILE0004.CHK
F:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 21:05 . 2008-01-20 21:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 21:05 . 2008-01-20 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-20 18:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 18:04 . 2008-01-20 18:04 <DIR> d-------- C:\Deckard
2008-01-17 01:24 . 2008-01-17 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 00:25 . 2008-01-17 00:25 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-17 00:15 . 2008-01-17 00:15 3,584 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-17 00:15 . 2008-01-17 00:15 3,584 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-17 00:13 . 2008-01-17 00:13 3,584 --a------ C:\WINDOWS\system32\gebcy.exe
2008-01-12 23:41 . 2008-01-12 23:41 <DIR> d-------- C:\Program Files\FlashGet
2008-01-12 23:41 . 2004-08-04 05:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg
2007-12-26 19:13 . 2007-12-26 19:13 <DIR> d-------- C:\Bloopers
2007-12-26 00:33 . 2007-12-26 00:33 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-26 00:32 . 2007-12-26 00:32 <DIR> d-------- C:\Program Files\Real
2007-12-26 00:32 . 2007-12-26 00:32 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-24 20:37 . 2008-01-20 18:09 244 --ah----- C:\sqmnoopt19.sqm
2007-12-24 20:37 . 2008-01-20 18:09 232 --ah----- C:\sqmdata19.sqm
2007-12-24 01:01 . 2008-01-20 13:54 244 --ah----- C:\sqmnoopt18.sqm
2007-12-24 01:01 . 2008-01-20 13:54 232 --ah----- C:\sqmdata18.sqm
2007-12-23 17:20 . 2008-01-16 21:32 244 --ah----- C:\sqmnoopt17.sqm
2007-12-23 17:20 . 2008-01-16 21:32 232 --ah----- C:\sqmdata17.sqm
2007-12-22 13:54 . 2008-01-16 19:26 244 --ah----- C:\sqmnoopt16.sqm
2007-12-22 13:54 . 2008-01-16 19:26 232 --ah----- C:\sqmdata16.sqm
2007-12-21 18:25 . 2008-01-16 16:13 244 --ah----- C:\sqmnoopt15.sqm
2007-12-21 18:25 . 2008-01-16 16:13 232 --ah----- C:\sqmdata15.sqm
2007-12-20 14:18 . 2007-12-20 14:18 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 16:02 --------- d-----w C:\Program Files\Route Sentry
2007-11-23 14:36 --------- d-----w C:\Program Files\Stardock
2007-09-13 23:28 0 ----a-w C:\Documents and Settings\Shalin Singh\ethereal-setup-0.99.0.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_19.07.52.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 16:49:42 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 22:41:58 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 16:49:42 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 22:41:58 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 16:49:42 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 22:41:58 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 16:49:42 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 22:41:58 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 16:49:42 6,242,304 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-20 22:41:58 6,254,592 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 16:49:42 208,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 22:41:58 208,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\F3M\ERDNT.EXE
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-01-20 22:45:30 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_1f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [ ]
"updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"AME_CSA"="amecsa.cpl" [2002-04-29 23:50 720896 C:\WINDOWS\system32\AmeCSA.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Shalin Singh\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005-02-21 15:56:00 1826885]

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
R2 int15;int15;C:\WINDOWS\system32\drivers\int15.sys [2006-06-02 13:59]
R2 tvicport;tvicport;C:\WINDOWS\system32\drivers\tvicport.sys [2006-06-02 13:59]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2005-12-27 00:09]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-29 02:01]
S3 psdfilter;psdfilter;C:\WINDOWS\system32\Drivers\psdfilter.sys [2006-04-07 20:17]
S3 psdvdisk;psdvdisk;C:\WINDOWS\system32\Drivers\psdvdisk.sys [2006-03-08 17:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 22:40:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 00:46:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
C:\Program Files\TortoiseSVN\iconv\windows-1252.so
C:\Program Files\TortoiseSVN\iconv\utf-8.so
-> C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\DockShellHook.dll
.
Completion time: 2008-01-21 0:48:04 - machine was rebooted [Shalin Singh]
ComboFix-quarantined-files.txt 2008-01-20 22:48:02
ComboFix2.txt 2008-01-20 17:08:18

[Rorschach112]

How is your PC running ?

[SSingh]

It's definitely a little more responsive compared to before. However since I've been infected my anti-virus (NOD32) and touchpad (Synaptics) no longer start when Windows starts up. Should I uninstall them and reinstall?

Edited by SSingh, 20 January 2008 - 05:07 PM.

[Rorschach112]

Hello

However since I've been infected my anti-virus (NOD32) and touchpad (Synaptics) no longer start when Windows starts up. Should I uninstall them and reinstall?

This was as a result of the malware you had. You will need to re-install them

Few things to do

You can delete the tools that we used


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

[SSingh]

Thank you very much for your time and patience. If you were a girl I would kiss you! Your help was much appreciated.