DNS changer

My laptop is infected. It enforces dns to be 85.255.112.156 and i can't update my XP nor my AV.
Thanks in advance for your precious help

DDS (Version 1.1.0) - NTFSx86
Run by Georgy at 16:12:32,54 on ƒœ¬ 05/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1253.30.1033.18.2047.1347 [GMT 2:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\FlashGet\flashget.exe
C:\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://192.168.1.20/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 10.192.1.82:3128
mCustomizeSearch = hxxp://search.jword.jp/jwd_sb_srchcust.htm?ielang={SUB_RFC1766}
mSearchAssistant = hxxp://www.google.com
mWinlogon: System=kdcwr.exe
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [c:\windows\system32\kdcwr.exe] c:\windows\system32\kdcwr.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [NodLogin] "c:\program files\eset\eset nod32 antivirus\nodlogin.exe" /o
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
TCP: {60A41531-C6FA-4AF5-A35A-1F4E2CF493AA} = 85.255.112.156;85.255.112.190
TCP: {CEF4D860-537F-4A02-9749-2E46B0D1913F} = 85.255.112.156;85.255.112.190
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\georgy\applic~1\mozilla\firefox\profiles\7lxaruuw.backed\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\georgy\application data\mozilla\firefox\profiles\7lxaruuw.backed\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\georgy\application data\mozilla\firefox\profiles\7lxaruuw.backed\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\georgy\application data\mozilla\firefox\profiles\7lxaruuw.backed\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: e:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2004-11-15 71961]
R4 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-12-2 27904]
S3 Orphalese Deck Service;Orphalese Deck Service;c:\program files\orphalese\orphalese tarot\DeckService.exe [2007-4-21 36864]

=============== Created Last 30 ================

2009-01-05 15:14 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 14:32 <DIR> --d----- c:\program files\Perfect Optimizer
2008-12-24 12:41 <DIR> --d----- c:\program files\NOD32view
2008-12-21 23:59 <DIR> --d----- c:\program files\IrfanView
2008-12-21 16:24 <DIR> --d----- C:\ATI
2008-12-21 15:33 <DIR> --d----- c:\program files\Uniblue
2008-12-21 15:33 <DIR> --d----- c:\docume~1\georgy\applic~1\Uniblue
2008-12-21 15:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2008-12-21 15:31 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-21 15:30 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-12-21 15:27 121,984 -------- c:\windows\system32\drivers\usbvideo.sys
2008-12-21 15:23 <DIR> --d----- c:\program files\Ashampoo
2008-12-21 15:17 <DIR> --d----- c:\program files\Yamicsoft
2008-12-21 14:48 32,592 a------- c:\windows\system32\msonpmon.dll
2008-12-21 14:31 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2008-12-11 19:47 1,871 a------- c:\windows\Settings.ini
2008-12-11 19:47 86,016 a------- c:\windows\system32\MSFilter.dll
2008-12-11 19:47 68,096 a------- c:\windows\system32\Itcc.dll
2008-12-11 07:05 <DIR> --d----- C:\download
2008-12-08 13:54 <DIR> --d----- c:\program files\U.S. Robotics

==================== Find3M ====================

2008-12-21 15:39 887,607 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-21 15:16 715,248 a------- c:\windows\system32\drivers\sptd.sys
2008-12-02 12:01 27,904 a------- c:\windows\system32\drivers\ndisprot.sys

============= FINISH: 16:14:00,01 ===============

Noone? Is something not clear?

Hi sehar,

Welcome to the BleepingComputer forums.

We apologize for the delay in responding to your request for assistance. Every one of our team members is a volunteer and unfortunately, there are often just not enough to keep up with demand. Thank you so much for your patience.

If your issue has been resolved or you have received help elsewhere, please post a reply here and let us know so that we can close this thread.

If you still need assistance, my name is SpotCheckBilly (SCB for short) and I will be happy to help you.

>>>>Please read the Posting Guidelines at the top of this page.<<<<

Please submit a new DDS log.

I look forward to your reply. -- SCB

Thank you SCB. I will post the new logs and hopefully we will kill this sneaky viruses .
DDS (Ver_09-01-18.01) - NTFSx86
Run by Georgy at 10:26:23,67 on ƒœ¬ 19/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1253.30.1033.18.2047.966 [GMT 2:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\FlashGet\flashget.exe
C:\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://192.168.1.20/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 10.192.1.82:3128
mCustomizeSearch = hxxp://search.jword.jp/jwd_sb_srchcust.htm?ielang={SUB_RFC1766}
mSearchAssistant = hxxp://www.google.com
mWinlogon: System=kdcwr.exe
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [c:\windows\system32\kdcwr.exe] c:\windows\system32\kdcwr.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [NodLogin] "c:\program files\eset\eset nod32 antivirus\nodlogin.exe" /o
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
TCP: {60A41531-C6FA-4AF5-A35A-1F4E2CF493AA} = 85.255.112.156;85.255.112.190
TCP: {BBF196F4-310D-4883-A8D1-2A2CB38A08A2} = 85.255.112.156;85.255.112.190
TCP: {CEF4D860-537F-4A02-9749-2E46B0D1913F} = 85.255.112.156;85.255.112.190
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\georgy\applic~1\mozilla\firefox\profiles\7lxaruuw.backed\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\georgy\application

data\mozilla\firefox\profiles\7lxaruuw.backed\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\georgy\application

data\mozilla\firefox\profiles\7lxaruuw.backed\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\georgy\application

data\mozilla\firefox\profiles\7lxaruuw.backed\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: e:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2004-11-15 71961]
R4 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-12-2 27904]
S3 Orphalese Deck Service;Orphalese Deck Service;c:\program files\orphalese\orphalese tarot\DeckService.exe [2007-4-21 36864]

=============== Created Last 30 ================

2009-01-10 01:04 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-10 01:04 1,409 a------- c:\windows\QTFont.for
2009-01-07 17:21 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-07 16:59 <DIR> --d----- c:\docume~1\georgy\applic~1\Locktime
2009-01-07 16:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Locktime
2009-01-07 16:58 <DIR> --d----- c:\program files\NetLimiter 2 Pro
2009-01-07 16:57 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-05 15:14 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 14:32 <DIR> --d----- c:\program files\Perfect Optimizer
2008-12-24 12:41 <DIR> --d----- c:\program files\NOD32view
2008-12-21 23:59 <DIR> --d----- c:\program files\IrfanView
2008-12-21 16:24 <DIR> --d----- C:\ATI
2008-12-21 15:33 <DIR> --d----- c:\program files\Uniblue
2008-12-21 15:33 <DIR> --d----- c:\docume~1\georgy\applic~1\Uniblue
2008-12-21 15:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2008-12-21 15:31 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-21 15:30 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-12-21 15:27 121,984 -------- c:\windows\system32\drivers\usbvideo.sys
2008-12-21 15:23 <DIR> --d----- c:\program files\Ashampoo
2008-12-21 15:17 <DIR> --d----- c:\program files\Yamicsoft
2008-12-21 14:48 32,592 a------- c:\windows\system32\msonpmon.dll
2008-12-21 14:31 <DIR> --d----- c:\program files\Microsoft Visual Studio 8

==================== Find3M ====================

2008-12-21 15:39 887,607 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-21 15:16 715,248 a------- c:\windows\system32\drivers\sptd.sys
2008-12-02 12:01 27,904 a------- c:\windows\system32\drivers\ndisprot.sys

============= FINISH: 10:28:56,35 ===============

Hi sehar,

All righty then, let's get started.

Please note that if you are unable to download/update these programs, download them on another computer and transfer to your machine.

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform Quick Scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
• Click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
  
  If Malware is found...
• Be sure that >>everything is checked<<, and click Remove Selected.
• When completed, a log will open in Notepad.
• Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

• Launch Malwarebytes' Anti-Malware.
• Click the Logs tab.
• Double-click log-mm.dd.yyyy [xxxxxx].txt.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next,

Download ComboFix from one of these locations:
>>>>A word of warning: Please DO NOT run ComboFix on your own. Used incorrectly, it can render your computer completely useless<<<<

>>>If you already have Combofix, delete previous copy(s) and download the latest version.<<<

Link 1
Link 2
Link 3

Save ComboFix.exe to your Desktop

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before continuing the scan. They can interfere with ComboFix and may cause unpredictable results. Note: Combofix will disconnect you from the Internet, then restore your connection as it finishes.

Double click on ComboFix.exe.

• Follow the prompts. NOTE:
  ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
• Allow ComboFix to download the Recovery Console.
• Accept the End-User License Agreement.
• The Recovery Console will be installed.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



***If you have an always on Internet connection, unplug from your DSL/cable modem before proceeding. Reconnect only after Combofix has finished its scan.***

• Click on Yes, to allow Combofix to finish its scan.This can take a while, so please be patient.
• When finished, it will produce a report for you at C:\ComboFix.txt.

***Do not mouseclick combofix's window while it's running. That may cause it to stall***

In your next post, please include

• The results of the Malwarebytes Anti-Malware scan.
• C.:\Combofix.txt.

***use separate posts if necessary to ensure the logs don't get cut off!***

That should give us a good start at hammering this bugger down. -- SCB

Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3

20/1/2009 6:48:16 πμ
mbam-log-2009-01-20 (06-48-16).txt

Scan type: Quick Scan
Objects scanned: 62430
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 21
Folders Infected: 20
Files Infected: 143

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\perfect optimizer (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PerfectOptimizer.exe (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\netsearchsoft.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.netsearchsoft.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdcwr.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{60a41531-c6fa-4af5-a35a-1f4e2cf493aa}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{60a41531-c6fa-4af5-a35a-1f4e2cf493aa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bbf196f4-310d-4883-a8d1-2a2cb38a08a2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cef4d860-537f-4a02-9749-2e46b0d1913f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cef4d860-537f-4a02-9749-2e46b0d1913f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{60a41531-c6fa-4af5-a35a-1f4e2cf493aa}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{60a41531-c6fa-4af5-a35a-1f4e2cf493aa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bbf196f4-310d-4883-a8d1-2a2cb38a08a2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cef4d860-537f-4a02-9749-2e46b0d1913f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cef4d860-537f-4a02-9749-2e46b0d1913f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{60a41531-c6fa-4af5-a35a-1f4e2cf493aa}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{60a41531-c6fa-4af5-a35a-1f4e2cf493aa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{bbf196f4-310d-4883-a8d1-2a2cb38a08a2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{bbf196f4-310d-4883-a8d1-2a2cb38a08a2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{cef4d860-537f-4a02-9749-2e46b0d1913f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{cef4d860-537f-4a02-9749-2e46b0d1913f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{60a41531-c6fa-4af5-a35a-1f4e2cf493aa}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{60a41531-c6fa-4af5-a35a-1f4e2cf493aa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{cef4d860-537f-4a02-9749-2e46b0d1913f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{cef4d860-537f-4a02-9749-2e46b0d1913f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Delete on reboot.
C:\Program Files\DomPlayer (Trojan.Lop) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Application (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Registry (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Registry\FirstBackup (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Registry\FullBackup (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Service (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Data (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Data\Service (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Home (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Icon (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Temp (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Update (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Documents and Settings\Georgy\Start Menu\Programs\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Georgy\Start Menu\Programs\Perfect Optimizer (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kdcwr.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
C:\Program Files\Perfect Optimizer\ActiveX.dat (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Apps.dat (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Components.dat (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\MFC42D.DLL (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\MFCO42D.DLL (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\MSVCRTD.DLL (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Perfect Optimizer.url (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\PerfectOptimizer.exe (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\PerfectOptimizer.exe.orig (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\PerfectOptimizerShell.exe (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\SEClean.dll (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\SERepair.dll (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\SEStyle.dll (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\uninst.exe (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Update.exe (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Backup\Registry\FirstBackup\20090105143259.Reg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Alert.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Bad.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Bad_24x24.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Bad_32x32.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Check.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Data.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Disk.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\DotLine.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Error.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Frame.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Good_24x24.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Good_32x32.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Info.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Progrss.bmp (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Safe.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Sys.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Thumbs.db (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Uncheck.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Home\green.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Home\orange.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Home\Red.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Home\Thumbs.db (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Home\yellow.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Icon\block_activeX.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Icon\evidence_clean.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Icon\junk_file_clean.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Icon\registry_clean.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Icon\startup_optimize.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Icon\system_optimize.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Icon\Thumbs.db (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_EC_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_FSR_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_FSS_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_FST_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_Home_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_MO_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_RSO_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_RSO_Image_Info.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_RSR_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_RSS_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_RST_Image_BG.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\SEM_Top.jpg (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Jpg\Thumbs.db (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_BackGround.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_BackGround.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Backup_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Backup_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Backup_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Clean_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Clean_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Clean_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_DriveBackup_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_DriveBackup_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_DriveBackup_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_EvidenceClean_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_EvidenceClean_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_EvidenceClean_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_FavoritesBackup_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_FavoritesBackup_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_FavoritesBackup_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Home_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Home_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Home_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_IERepair_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_IERepair_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_IERepair_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_JunkFileClean_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_JunkFileClean_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_JunkFileClean_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_MomeryOptimizer_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_MomeryOptimizer_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_MomeryOptimizer_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_OneClick_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_OneClick_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_OneClick_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Optimize_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Optimize_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Optimize_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Options_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Options_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Options_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_RegistryClean_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_RegistryClean_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_RegistryClean_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_RegsitryBackup_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_RegsitryBackup_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_RegsitryBackup_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Repair_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Repair_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Repair_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Results_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Results_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Results_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_Small_BackGround.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SpyClean_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SpyClean_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SpyClean_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_StartupManager_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_StartupManager_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_StartupManager_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemOptimizer_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemOptimizer_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemOptimizer_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemRepair_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemRepair_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemRepair_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemRestore_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemRestore_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_SystemRestore_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_UninstallManager_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_UninstallManager_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_UninstallManager_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_WindowsRepair_Down.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_WindowsRepair_Normal.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\SEM_Button_WindowsRepair_Over.png (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Res\Menu\Thumbs.db (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Temp\__clean_disk.bat (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Temp\__repair_components.bat (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Temp\__repair_errors.bat (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Perfect Optimizer\Temp\__start_schedule.bat (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Documents and Settings\Georgy\Start Menu\Programs\Perfect Optimizer\Perfect Optimizer.lnk (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Documents and Settings\Georgy\Start Menu\Programs\Perfect Optimizer\Uninstall.lnk (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Documents and Settings\Georgy\Start Menu\Programs\Perfect Optimizer\Website.lnk (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wini104552502.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Georgy\Desktop\Perfect Optimizer.lnk (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.

ComboFix 09-01-19.03 - Georgy 2009-01-20 6:58:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1253.1.1033.18.2047.1432 [GMT 2:00]
Running from: c:\downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\cnsinfo.dat
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-20 06:41 . 2009-01-20 06:41 <DIR> d-------- c:\documents and settings\Georgy\Application Data\Malwarebytes
2009-01-20 06:40 . 2009-01-20 06:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 06:40 . 2009-01-20 06:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 06:40 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 06:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-10 01:05 . 2009-01-10 01:05 <DIR> d-------- c:\documents and settings\Georgy\Application Data\Nokia Multimedia Player
2009-01-10 01:04 . 2009-01-10 01:04 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-10 01:04 . 2009-01-10 01:04 1,409 --a------ c:\windows\QTFont.for
2009-01-07 17:21 . 2009-01-07 17:21 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-07 16:59 . 2009-01-07 16:59 <DIR> d-------- c:\documents and settings\Georgy\Application Data\Locktime
2009-01-07 16:59 . 2009-01-07 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 16:58 . 2009-01-07 16:58 <DIR> d-------- c:\program files\NetLimiter 2 Pro
2009-01-07 16:58 . 2009-01-07 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2009-01-07 16:57 . 2009-01-07 17:00 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-05 15:14 . 2009-01-05 15:14 <DIR> d-------- c:\program files\Trend Micro
2008-12-24 12:41 . 2009-01-05 14:57 <DIR> d-------- c:\program files\NOD32view
2008-12-21 23:59 . 2008-12-21 23:59 <DIR> d-------- c:\program files\IrfanView
2008-12-21 16:24 . 2008-12-21 16:24 <DIR> d-------- C:\ATI
2008-12-21 15:33 . 2008-12-21 15:33 <DIR> d-------- c:\program files\Uniblue
2008-12-21 15:33 . 2008-12-21 15:33 <DIR> d-------- c:\documents and settings\Georgy\Application Data\Uniblue
2008-12-21 15:33 . 2008-12-21 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-21 15:31 . 2008-12-21 15:31 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-21 15:30 . 2008-12-21 15:33 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-12-21 15:27 . 2008-04-14 00:16 121,984 --------- c:\windows\system32\drivers\usbvideo.sys
2008-12-21 15:23 . 2008-12-21 15:23 <DIR> d-------- c:\program files\Ashampoo
2008-12-21 15:17 . 2008-12-21 15:21 <DIR> d-------- c:\program files\Yamicsoft
2008-12-21 14:59 . 2008-12-21 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-21 14:48 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-12-21 14:42 . 2008-12-21 14:42 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-21 14:31 . 2008-12-21 14:31 <DIR> d-------- c:\program files\Microsoft Visual Studio 8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 04:48 --------- d-----w c:\program files\FlashGet
2009-01-09 23:57 --------- d-----w c:\documents and settings\Georgy\Application Data\dvdcss
2009-01-05 12:57 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-01-05 12:57 --------- d-----w c:\program files\MagicDisc
2009-01-05 12:57 --------- d-----w c:\program files\KEPLER70
2009-01-05 12:57 --------- d-----w c:\program files\Four_Pillars
2008-12-21 14:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 14:03 --------- d-----w c:\program files\Sony
2008-12-21 13:16 715,248 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-21 13:15 --------- d-----w c:\program files\Alcohol Soft
2008-12-21 13:02 --------- d-----w c:\program files\ESET
2008-12-21 12:54 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-21 12:44 --------- d-----w c:\program files\Microsoft Works
2008-12-21 12:22 --------- d-----w c:\program files\U.S. Robotics
2008-12-21 12:18 --------- d-----w c:\program files\OpenOffice.org 2.3
2008-12-21 12:12 --------- d-----w c:\program files\DAEMON Tools
2008-12-17 22:13 --------- d-----w c:\program files\Avant Browser
2008-12-09 21:21 --------- d-----w c:\documents and settings\Georgy\Application Data\vlc
2008-12-02 10:01 27,904 ----a-w c:\windows\system32\drivers\ndisprot.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2004-07-19 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 344064]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"NodLogin"="c:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [2008-11-19 359656]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/24/2005 8:05:26 AM 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2004-10-27 17:40 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i263_32.drv
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Georgy^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Georgy\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Georgy^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Georgy\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced LAN Pump]
--a------ 2006-04-01 13:30 1177600 c:\program files\SoftSolo\Advanced LAN Pump\alp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D_V_T]
--a------ 2006-07-09 01:57 3584 C:\dvt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
--a------ 2004-02-20 16:12 32768 c:\program files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 11:09 49152 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 14:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 15:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 15:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2005-08-31 20:27 1658592 c:\progra~1\MESSEN~1\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 17:41 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 11:53 1079808 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrepareYourVAIO]
--a------ 2004-09-09 23:57 106496 c:\program files\Sony\Prepare your VAIO\PYVAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 22:57 30208 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
--a------ 2004-10-21 21:12 184320 c:\program files\Sony\VAIO Power Management\SPMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
--a------ 2006-02-14 12:11 176128 c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VzFw"=3 (0x3)
"VzCdbSvc"=3 (0x3)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment Task Scheduler"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"VMware NAT Service"=3 (0x3)
"vmount2"=3 (0x3)
"VMnetDHCP"=3 (0x3)
"VMAuthdService"=3 (0x3)
"RichVideo"=2 (0x2)
"NBService"=3 (0x3)
"ServiceLayer"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VAIO Update 4"="c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe" /Stationary
"c:\windows\system32\kdcwr.exe"=c:\windows\system32\kdcwr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 9:04:40 AM 34312]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [4/23/2007 1:03:04 PM 82200]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [11/15/2004 3:49:53 AM 71961]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7/1/2008 9:02:28 AM 468224]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [12/2/2008 12:01:50 PM 27904]
S3 Orphalese Deck Service;Orphalese Deck Service;c:\program files\Orphalese\Orphalese Tarot\DeckService.exe [4/21/2007 11:27:18 AM 36864]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\system32\kdcwr.exe - c:\windows\system32\kdcwr.exe
HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE
MSConfigStartUp-brastk - c:\windows\system32\brastk.exe
MSConfigStartUp-Inter dead support mp3 - c:\documents and settings\All Users\Application Data\Drv Sect Inter Dead\PLAY BLEH.exe
MSConfigStartUp-L07AXLRD_164009171 - c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE
MSConfigStartUp-VAIO Update 2 - c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
MSConfigStartUp-VAIO Update 3 - c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
MSConfigStartUp-WinMsg - c:\windows\winmsgr.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
MSConfigStartUp-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://192.168.1.20/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 10.192.1.82:3128
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {60A41531-C6FA-4AF5-A35A-1F4E2CF493AA} = 194.219.227.2,193.92.150.3
FF - ProfilePath - c:\documents and settings\Georgy\Application Data\Mozilla\Firefox\Profiles\7lxaruuw.Backed\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\Georgy\Application Data\Mozilla\Firefox\Profiles\7lxaruuw.Backed\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Georgy\Application Data\Mozilla\Firefox\Profiles\7lxaruuw.Backed\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Georgy\Application Data\Mozilla\Firefox\Profiles\7lxaruuw.Backed\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 07:01:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-197632628-1338670180-3431288156-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ac,d0,3d,c1,e4,74,cc,8e,45,fa,59,b9,62,69,28,88,b6,07,7c,fc,54,31,21,
9c,f3,d2,2b,2d,03,ee,7a,ab,8a,c7,f5,f0,d2,46,9a,7c,e8,ac,2f,89,ec,bc,7c,f1,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1500)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-01-20 7:04:10
ComboFix-quarantined-files.txt 2009-01-20 05:03:25

Pre-Run: 32.703.025.152 bytes free
Post-Run: 33,037,996,032 bytes free

266 --- E O F --- 2008-12-21 17:27:23

After this powerfull antimalware i was able to chang my dns and have access to c:
Combofix did his thing although it didn't prompt me for recovery console so i guessed i had it, but the log said i didn't.

Please check if any other things are necessary and i hopefully won't use more of your time. I'm against formats and after so many years i couldn't help myself. Sincerely thank you so much you and the community here

Hi sehar,

Things are looking good. I think we almost have this little beastie subdued.

Please perform the following:

• Close any open browsers.
• Open Notepad ( Not Word or WordPad) and copy/paste the text in the codebox below into it:
  
  

  File::
   c:\windows\system32\drivers\ndisprot.sys

• Save this as CFScript.txt, save it to your desktop. Save it as file type: all files.
  
• Refering to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Next, please rescan with Malwarebytes Anti-Malware

In your next post, please include:

• C.:\ComboFix.txt.
• The results of the Malwarebytes Anti-Malware scan.
• A fresh HijackThis log.-- SCB

ComboFix 09-01-19.03 - Georgy 2009-01-22 0:40:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1253.1.1033.18.2047.1488 [GMT 2:00]
Running from: c:\downloads\ComboFix.exe
Command switches used :: c:\downloads\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\ndisprot.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ndisprot.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-20 11:36 . 2009-01-20 11:40 <DIR> d-------- c:\windows\LastGood
2009-01-20 06:41 . 2009-01-20 06:41 <DIR> d-------- c:\documents and settings\Georgy\Application Data\Malwarebytes
2009-01-20 06:40 . 2009-01-20 06:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 06:40 . 2009-01-20 06:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 06:40 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 06:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-10 01:05 . 2009-01-10 01:05 <DIR> d-------- c:\documents and settings\Georgy\Application Data\Nokia Multimedia Player
2009-01-10 01:04 . 2009-01-10 01:04 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-10 01:04 . 2009-01-10 01:04 1,409 --a------ c:\windows\QTFont.for
2009-01-07 17:21 . 2009-01-07 17:21 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-07 16:59 . 2009-01-07 16:59 <DIR> d-------- c:\documents and settings\Georgy\Application Data\Locktime
2009-01-07 16:59 . 2009-01-07 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 16:58 . 2009-01-07 16:58 <DIR> d-------- c:\program files\NetLimiter 2 Pro
2009-01-07 16:58 . 2009-01-07 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2009-01-07 16:57 . 2009-01-07 17:00 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-05 15:14 . 2009-01-05 15:14 <DIR> d-------- c:\program files\Trend Micro
2008-12-24 12:41 . 2009-01-20 11:46 <DIR> d-------- c:\program files\NOD32view
2008-12-21 23:59 . 2008-12-21 23:59 <DIR> d-------- c:\program files\IrfanView
2008-12-21 16:24 . 2008-12-21 16:24 <DIR> d-------- C:\ATI
2008-12-21 15:33 . 2008-12-21 15:33 <DIR> d-------- c:\program files\Uniblue
2008-12-21 15:33 . 2008-12-21 15:33 <DIR> d-------- c:\documents and settings\Georgy\Application Data\Uniblue
2008-12-21 15:33 . 2008-12-21 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-21 15:31 . 2008-12-21 15:31 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-21 15:30 . 2008-12-21 15:33 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-12-21 15:27 . 2008-04-14 00:16 121,984 --------- c:\windows\system32\drivers\usbvideo.sys
2008-12-21 15:23 . 2008-12-21 15:23 <DIR> d-------- c:\program files\Ashampoo
2008-12-21 15:17 . 2008-12-21 15:21 <DIR> d-------- c:\program files\Yamicsoft
2008-12-21 14:59 . 2008-12-21 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-21 14:48 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-12-21 14:42 . 2008-12-21 14:42 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-21 14:31 . 2008-12-21 14:31 <DIR> d-------- c:\program files\Microsoft Visual Studio 8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 22:28 --------- d-----w c:\program files\FlashGet
2009-01-09 23:57 --------- d-----w c:\documents and settings\Georgy\Application Data\dvdcss
2009-01-05 12:57 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-01-05 12:57 --------- d-----w c:\program files\MagicDisc
2009-01-05 12:57 --------- d-----w c:\program files\KEPLER70
2009-01-05 12:57 --------- d-----w c:\program files\Four_Pillars
2008-12-21 14:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 14:03 --------- d-----w c:\program files\Sony
2008-12-21 13:16 715,248 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-21 13:15 --------- d-----w c:\program files\Alcohol Soft
2008-12-21 13:02 --------- d-----w c:\program files\ESET
2008-12-21 12:54 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-21 12:44 --------- d-----w c:\program files\Microsoft Works
2008-12-21 12:22 --------- d-----w c:\program files\U.S. Robotics
2008-12-21 12:18 --------- d-----w c:\program files\OpenOffice.org 2.3
2008-12-21 12:12 --------- d-----w c:\program files\DAEMON Tools
2008-12-17 22:13 --------- d-----w c:\program files\Avant Browser
2008-12-09 21:21 --------- d-----w c:\documents and settings\Georgy\Application Data\vlc
.

((((((((((((((((((((((((((((( snapshot@2009-01-20_ 7.02.10,09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-21 13:00:09 10,134 ----a-r c:\windows\Installer\{3407FD83-0A2F-475E-BE94-34F1FA342C84}\callmsi.exe
+ 2009-01-20 09:50:41 10,134 ----a-r c:\windows\Installer\{3407FD83-0A2F-475E-BE94-34F1FA342C84}\callmsi.exe
- 2008-12-21 13:00:09 136,448 ----a-r c:\windows\Installer\{3407FD83-0A2F-475E-BE94-34F1FA342C84}\egui.exe
+ 2009-01-20 09:50:41 136,448 ----a-r c:\windows\Installer\{3407FD83-0A2F-475E-BE94-34F1FA342C84}\egui.exe
+ 2007-07-30 16:19:20 92,504 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2007-07-30 16:19:10 271,224 ----a-w c:\windows\LastGood\system32\mucltui.dll
+ 2007-07-30 16:19:04 207,736 ----a-w c:\windows\LastGood\system32\muweb.dll
+ 2007-07-30 16:19:36 549,720 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2007-07-30 16:19:16 53,080 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2007-07-30 16:19:42 1,712,984 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2007-07-30 16:19:32 325,976 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2007-07-30 16:18:40 33,624 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2007-07-30 16:19:12 43,352 ----a-w c:\windows\LastGood\system32\wups2.dll
+ 2007-07-30 16:19:28 203,096 ----a-w c:\windows\LastGood\system32\wuweb.dll
- 2007-07-30 16:19:20 92,504 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 12:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2007-07-30 16:19:20 92,504 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 12:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2007-07-30 16:19:36 549,720 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 12:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2007-07-30 16:19:16 53,080 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 12:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2007-07-30 16:19:42 1,712,984 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 12:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2007-07-30 16:19:32 325,976 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 12:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2007-07-30 16:19:28 203,096 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 12:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
- 2007-07-30 16:19:10 271,224 ----a-w c:\windows\system32\mucltui.dll
+ 2008-10-16 12:06:48 268,648 ----a-w c:\windows\system32\mucltui.dll
- 2007-07-30 16:19:04 207,736 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 12:06:48 208,744 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 12:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 12:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2007-07-30 16:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 12:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2007-07-30 16:19:16 53,080 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 12:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2007-07-30 16:19:42 1,712,984 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 12:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2007-07-30 16:19:32 325,976 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 12:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2007-07-30 16:19:28 203,096 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 12:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
- 2009-01-20 04:50:59 32,768 --sha-w c:\windows\Temp\History\History.IE5\MSHist012009012020090121\index.dat
+ 2009-01-20 06:40:13 65,536 --sha-w c:\windows\Temp\History\History.IE5\MSHist012009012020090121\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2004-07-19 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 344064]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"NodLogin"="c:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [2008-11-19 359656]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/24/2005 8:05:26 AM 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2004-10-27 17:40 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i263_32.drv
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Georgy^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Georgy\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Georgy^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Georgy\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced LAN Pump]
--a------ 2006-04-01 13:30 1177600 c:\program files\SoftSolo\Advanced LAN Pump\alp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D_V_T]
--a------ 2006-07-09 01:57 3584 C:\dvt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
--a------ 2004-02-20 16:12 32768 c:\program files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 11:09 49152 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 14:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 15:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 15:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2005-08-31 20:27 1658592 c:\progra~1\MESSEN~1\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 17:41 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 11:53 1079808 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrepareYourVAIO]
--a------ 2004-09-09 23:57 106496 c:\program files\Sony\Prepare your VAIO\PYVAlert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 22:57 30208 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
--a------ 2004-10-21 21:12 184320 c:\program files\Sony\VAIO Power Management\SPMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
--a------ 2006-02-14 12:11 176128 c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VzFw"=3 (0x3)
"VzCdbSvc"=3 (0x3)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment Task Scheduler"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"VMware NAT Service"=3 (0x3)
"vmount2"=3 (0x3)
"VMnetDHCP"=3 (0x3)
"VMAuthdService"=3 (0x3)
"RichVideo"=2 (0x2)
"NBService"=3 (0x3)
"ServiceLayer"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VAIO Update 4"="c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe" /Stationary
"c:\windows\system32\kdcwr.exe"=c:\windows\system32\kdcwr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 9:04:40 AM 34312]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [4/23/2007 1:03:04 PM 82200]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [11/15/2004 3:49:53 AM 71961]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7/1/2008 9:02:28 AM 468224]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys --> c:\windows\system32\drivers\Ndisprot.sys [?]
S3 Orphalese Deck Service;Orphalese Deck Service;c:\program files\Orphalese\Orphalese Tarot\DeckService.exe [4/21/2007 11:27:18 AM 36864]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://192.168.1.20/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 10.192.1.82:3128
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Λήψη όλων με το FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Λήψη με χρήση του FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {60A41531-C6FA-4AF5-A35A-1F4E2CF493AA} = 194.219.227.2,193.92.150.3
FF - ProfilePath - c:\documents and settings\Georgy\Application Data\Mozilla\Firefox\Profiles\7lxaruuw.Backed\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\Georgy\Application Data\Mozilla\Firefox\Profiles\7lxaruuw.Backed\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Georgy\Application Data\Mozilla\Firefox\Profiles\7lxaruuw.Backed\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Georgy\Application Data\Mozilla\Firefox\Profiles\7lxaruuw.Backed\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 00:41:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-197632628-1338670180-3431288156-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ac,d0,3d,c1,e4,74,cc,8e,45,fa,59,b9,62,69,28,88,b6,07,7c,fc,54,31,21,
9c,f3,d2,2b,2d,03,ee,7a,ab,8a,c7,f5,f0,d2,46,9a,7c,e8,ac,2f,89,ec,bc,7c,f1,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1500)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-01-22 0:43:59
ComboFix-quarantined-files.txt 2009-01-21 22:43:13
ComboFix2.txt 2009-01-20 05:04:11

Pre-Run: 32.321.695.744 bytes free
Post-Run: 32,303,095,808 bytes free

310 --- E O F --- 2008-12-21 17:27:23


Malwarebytes' Anti-Malware 1.33
Database version: 1675
Windows 5.1.2600 Service Pack 3

22/1/2009 12:48:51 πμ
mbam-log-2009-01-22 (00-48-51).txt

Scan type: Quick Scan
Objects scanned: 60927
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:16 πμ, on 22/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.20/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.192.1.82:3128
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [NodLogin] "C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" /o
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Αποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Α&ποστολή στο OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maps.flash.gr/inc/activex/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185836820875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185835903187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60A41531-C6FA-4AF5-A35A-1F4E2CF493AA}: NameServer = 194.219.227.2,193.92.150.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Orphalese Deck Service - Orphalese Data Solutions Ltd - C:\Program Files\Orphalese\Orphalese Tarot\DeckService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 10004 bytes

Hi sehar,

OK, just a couple of things that I need to check before we can tidy up.

First, regarding these two entries in your HJT log:

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present These are usually set by either a system administrator or using Spybot S & D. I don't see Spybot S & D anywhere in your log files. Did you set those two entries yourself? Did someone that you know set them?

Secondly:

O17 - HKLM\System\CCS\Services\Tcpip\..\{60A41531-C6FA-4AF5-A35A-1F4E2CF493AA}: NameServer = 194.219.227.2,193.92.150.3 Is this your ISP?

Please let me know, OK? Thanks. Also, how are things running? -- SCB

I may have used spybot in the past . Now i have SpywareBlaster installed. I can;t think of any else.
For the 2nd yes its my providers dns which i put manually since i choose from 2 connections.

Hi sehar,

OK, thanks. Please launch HijackThis and Click "Do a system scan only."
Place a checkmark in the box next to the following entries:

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

With all other windows closed, click "Fix Checked".
Exit HijackThis.

Other than that:

Congratulations! Your log looks clean - good work!

Below is my standard Final Cleanup and All Clean speech. Included in it are tips on how to keep your computer from being reinfected. They are simple to set up and simple to maintain, and I HIGHLY recommend that you follow them.

Download and scan with CCleaner
NOTE: Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Slim version instead of the Standard Build.

Before first use:

• Select Options=>Advanced.
• UNcheck Only delete files in Windows Temp folder older than 48 hours

Select the items you wish to clean up.

• A note regarding cookies: CCleaner allows you to keep the cookies from selected sites such as those which use cookies to save your login information.
• From the main screen:Click Options=>Cookies.
• Highlight the web sites you wish to keep.
• Click the -> button.

Click the Cleaner button to return to the main screen.

• In the Windows tab:
  • Select all items.
• In the Applications tab:
  • Select all items. NOTE: UN-check Saved Form Information, where available. If you leave this box checked. You will lose all of your saved passwords.

Click the Run Cleaner button.

• A pop up box will appear advising this process will permanently delete files from your system.
• Click OK.

CCleaner will scan and clean your system..

• When cleaning is complete:
• Close the CCleaner window

If everything is running ok, let's do the final cleanup...

1. Uninstall Combofix. (If Combofix was not used, proceed to step 2.)

• Click START=>RUN
• Type Combofix /u in the runbox (make sure you add the space in between the x in Combofix and /u)
• Click OK

  

2. Disable, then reenable System Restore; with a reboot in-between. Then immediately create a new system restore point manually.

Here are some tips to reduce the potential for spyware infection in the future, I recommend the following applications:

• Spywareblaster => SpywareBlaster will prevent spyware from being installed, and uses NO system resources.
• Comodo BOCLEAN => Stop identity thieves from getting personal information. BOClean watches memory, registry, and the file system for malware loading up and shuts it down before it has a chance to launch.
• How to use Winpatrol to protect your computer. => Download and install the free version of Winpatrol to keep malicious software from running.
• How to use Malwarebytes Anti-Malware to remove Spyware=> Follow link for instructions on how to download, install and use Malwarebytes Anti-Malware.
• How to use Spybot to remove Spyware => Follow link for instructions on how to download, install and use Spybot.

To protect yourself further:

• IE/Spyad => IE/Spyad (now known as ZonedOut ) places over 5000 websites and domains in the IE Restricted Sites list, and uses NO system resources..
• Use a Firewall => I can not stress enough how important it is that you use a Firewall on your computer. See Computer Safety On line - Software Firewalls to learn why. I recommend any of these:
  • Comodo
  • Outpost
  • .Sunbelts Kerio.
• UPDATE!-UPDATE!-UPDATE! => This is, without a doubt, THE MOST IMPORTANT element in keeping your computer free of malware. Set Windows AND all of your anti-malware tools for Automatic Updates.
• Delete temp files =>Clear the contents of your Temporary (Temp) folders, Temporary Internet Files (TIF), Cookies, and Recycle bin for all users of your machine. (do not delete the temp folders themselves). This can be done either manually or by using using a program such as CCleaner. IMPORTANT: clearing the contents of the temp/Internet/cookies/recycle bin should be done on a regular basis.

Also, please see: So how did I get infected in the first place?

****** STAND UP AND BE COUNTED ******

It is very rewarding to see that your computer is clean. Now we urge you to stand up and be counted! Document your experience, and by doing so, launch a complaint against the makers of malware. You can make a difference. Click on the Malware Complaints icon in my signature and support our cause.

If you're having any other problems, please don't hesitate to post back. -- SCB

Can't thank you enough. I did the last steps and i joined malwarecomplaints, but what should i do further in malwarecomplaints.info? Just write down my experience?

By documenting how you got infected and the steps that it took to remove the infection you provide evidence against those who write the garbage in the first place. Especially the ones that try to force you, one way or another, into buying worthless products e.g. software. I know that it doesn't seem like much, but each and every little bit of information is helpful in bringing these people down. -- SCB