
spoolsv.exe virus/ sometimes threats are getting detected


  • This topic is locked
34 replies to this topic

#1 sachin naik

  • Members
  • 50 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:01:39 PM

Posted 14 March 2009 - 09:11 AM

Whenever I turn on my PC, Windows XP loads fine, but during startup I get a spoolsv.exe application error, which is a virus. Whenever I run a full scan using AVG or Malwarebytes they usually don't detect anything, but occasionally they detect a few threats. The AVG Anti-Rootkit tool and RootRepeal do not detect any rootkits.

Whenever I connect my PC to the internet, sometimes my AVG detects a trojan backdoor, or sometimes my ThreatFire raises a potentially unwanted alert (location c:\Windows\temp\vrtc something).

My PC restarts automatically, but only if I open the RootAlyzer program provided by Spybot S&D.
Whenever I run a full scan using Spybot S&D it detects only one trojan: Win32.Delf.uc.

It looks simple, but it's still a really serious issue for me.

Someone please help.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:10 PM, on 3/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.85.153.85:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
R3 - URLSearchHook: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BF041273-AA50-4EAC-AAED-211D4C960BAE} - (no file)
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: (no name) - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O3 - Toolbar: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O3 - Toolbar: Anonymous Friend - {A3884B05-8D20-483A-A2E3-C70A66E75C34} - C:\Program Files\Anonymous Friend\AnonymousFriend.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [lfwwwnjy.exe] C:\WINDOWS\lfwwwnjy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hdhkzfvj.exe] C:\WINDOWS\hdhkzfvj.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Billeo.lnk = C:\Program Files\Billeo\billeo.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O15 - Trusted Zone: *.softmedia.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212070718296
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212729993734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07BCC021-4911-4138-94FE-9267B763BDD1}: NameServer = 218.248.240.179 218.248.240.180
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C427842-95D7-4BB3-BE3B-A953225C557C}: NameServer = 218.248.240.208,218.248.240.135
O17 - HKLM\System\CS2\Services\Tcpip\..\{07BCC021-4911-4138-94FE-9267B763BDD1}: NameServer = 218.248.240.179 218.248.240.180
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: wbcnedph - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSXB - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MNHQY - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\MNHQY.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PEIMLOVDV - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\PEIMLOVDV.exe (file missing)
O23 - Service: PHBMDXEVMX - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 16456 bytes

Edited by sachin naik, 14 March 2009 - 09:14 AM.
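The log above is what a helper reads by hand; as an added illustration (not a BleepingComputer or HijackThis tool, and not code from anyone in this thread), the script below parses HijackThis-style entries and flags the kinds of indicators visible in this post: a browser proxy pointed at an external address, autorun entries executing from a temp folder or directly from C:\WINDOWS, random-looking autoruns registered under the SYSTEM account, a Trusted Zone entry, a Winlogon Notify entry with no DLL, and unowned services whose file lives in Temp or is missing. The sample lines are copied from the log above and mixed with its known vendor entries; the heuristics (including the "7+ letters, no vowels" name test) are assumptions chosen for this example and are meant to prioritise a human review, not replace it.

```python
"""Triage a HijackThis-style log for the persistence indicators a forum helper
looks at first. Added example: the rules are heuristics assumed for this
illustration, not HijackThis logic, and every hit still needs a human verdict."""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the log posted above, plus vendor
# entries from the same log so that benign lines exercise the rules too.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.85.153.85:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay
O4 - HKUS\S-1-5-18\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [lfwwwnjy.exe] C:\WINDOWS\lfwwwnjy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hdhkzfvj.exe] C:\WINDOWS\hdhkzfvj.exe (User 'SYSTEM')
O15 - Trusted Zone: *.softmedia.com
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: wbcnedph - C:\WINDOWS\
O23 - Service: HSXB - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""

# Every HijackThis entry starts with a section code such as R1, O4, O23.
LINE_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")

Finding = Tuple[str, str, str]  # (severity, reason, original line)


def looks_random(name: str) -> bool:
    """Crude proxy for a machine-generated file name: 7+ letters and no vowels
    (assumed heuristic). Matches lfwwwnjy / hdhkzfvj, not avgtray or rs32net."""
    stem = name.lower().rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) >= 7 and re.search(r"[aeiou]", stem) is None


def assess(kind: str, body: str) -> List[Tuple[str, str]]:
    """Apply the heuristics to one parsed entry; returns (severity, reason) pairs."""
    hits: List[Tuple[str, str]] = []
    lower = body.lower()
    if kind == "R1" and "proxyserver =" in lower:
        value = body.split("=", 1)[1].strip()
        if value:
            hits.append(("medium", f"browser proxy set to {value}; confirm it is intentional"))
    elif kind == "O4":
        m = re.search(r"\[(?P<name>[^\]]+)\]\s+(?P<rest>.*)$", body)
        if m:
            name, rest = m.group("name"), m.group("rest")
            run_as_system = "(user 'system')" in lower or "(user 'default user')" in lower
            if "\\temp\\" in lower:
                hits.append(("high", "autorun executable located in a temp directory"))
            if run_as_system and looks_random(name):
                hits.append(("high", "random-looking autorun under the SYSTEM account"))
            # An .exe sitting directly in C:\WINDOWS (not a subfolder) is unusual.
            if re.search(r"c:\\windows\\[^\\\s\"]+\.exe", rest, re.I):
                hits.append(("medium", "executable placed directly in C:\\WINDOWS"))
    elif kind == "O15":
        hits.append(("medium", "Trusted Zone entry relaxes IE security for this domain"))
    elif kind == "O20":
        path = body.split(" - ", 1)[1].strip() if " - " in body else ""
        if not path.lower().endswith(".dll"):
            hits.append(("high", "Winlogon Notify entry without a DLL file"))
    elif kind == "O23":
        if "unknown owner" in lower and ("\\temp\\" in lower or "(file missing)" in lower):
            hits.append(("high", "unowned service pointing to Temp or a missing file"))
    return hits


def triage(log_text: str) -> List[Finding]:
    """Parse every HijackThis line and collect the heuristic findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, the process list and blank lines are skipped
        for severity, reason in assess(m.group("kind"), m.group("body")):
            findings.append((severity, reason, line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the sample, the script flags the proxy, the Temp autorun, both no-vowel SYSTEM autoruns, the Trusted Zone, the DLL-less Winlogon Notify entry and the HSXB service, while the AVG, ThreatFire and avgrsstx lines pass clean. Note what it deliberately does not catch: rs32net.exe under the SYSTEM Run key is left alone because its name fails the random-name test, which is exactly why a scored list like this is a starting point for the helper's review rather than a verdict.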




#2 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:09 PM

Posted 14 March 2009 - 11:52 AM

Hello, sachin naik.
My name is aommaster and I will be helping you with your log.

If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please note that I am in the process of my training so it may take a while for me to get back to you, as each of my fixes need to be checked by a coach first.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • RSIT Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 sachin naik
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:01:39 PM

Posted 15 March 2009 - 09:55 AM

Logfile of random's system information tool 1.05 (written by random/random)
Run by sachin at 2009-03-15 20:15:55
Microsoft Windows XP Professional Service Pack 2
System drive C: has 8 GB (40%) free of 20 GB
Total RAM: 959 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:26 PM, on 3/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\Star Downloader\stardown.exe
C:\Program Files\FlashGet\flashget.exe
C:\Documents and Settings\sachin\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\sachin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.85.153.85:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
R3 - URLSearchHook: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BF041273-AA50-4EAC-AAED-211D4C960BAE} - (no file)
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: (no name) - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O3 - Toolbar: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O3 - Toolbar: Anonymous Friend - {A3884B05-8D20-483A-A2E3-C70A66E75C34} - C:\Program Files\Anonymous Friend\AnonymousFriend.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [lfwwwnjy.exe] C:\WINDOWS\lfwwwnjy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hdhkzfvj.exe] C:\WINDOWS\hdhkzfvj.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Billeo.lnk = C:\Program Files\Billeo\billeo.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O15 - Trusted Zone: *.softmedia.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212070718296
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212729993734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C427842-95D7-4BB3-BE3B-A953225C557C}: NameServer = 218.248.240.208,218.248.240.135
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: wbcnedph - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HSXB - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MNHQY - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\MNHQY.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PEIMLOVDV - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\PEIMLOVDV.exe (file missing)
O23 - Service: PHBMDXEVMX - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 16415 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{3A612A48-CBA6-44F2-9E24-6784DBDB69C6}.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-813497703-1801674531-1003.job
C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00011268-E188-40DF-A514-835FCD78B1BF}]
IE7Pro BHO - C:\Program Files\IEPro\iepro.dll [2008-07-27 736360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}]
Orkut Official Toolbar - C:\Program Files\Orkut_Official\tbOrk0.dll [2009-01-30 1784856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
C:\PROGRA~1\Crawler\ctbr.dll [2008-12-03 1194496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
Flashget Catch Url Class - C:\Program Files\FlashGet\jccatch.dll [2006-12-11 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
RadarSync Toolbar - C:\Program Files\RadarSync\tbRad0.dll [2008-08-03 1606680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-09 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{465E08E7-F005-4389-980F-1D8764B3486C}]
Billeo - C:\Program Files\Billeo\billeo.dll [2008-11-20 2753800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF041273-AA50-4EAC-AAED-211D4C960BAE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
C:\PROGRA~1\INBOXT~1\Inbox.dll [2008-10-14 540160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E16AB45F-35A8-4f4d-922F-8D00D760F85B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
gFlash Class - C:\Program Files\FlashGet\getflash.dll [2006-11-06 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFEF0-5B30-21D4-945D-000000000000}]
C:\PROGRA~1\STARDO~1\SDIEInt.dll [2006-02-26 135680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - Star Downloader Toolbar - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll [2008-07-27 499712]
{0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - Orkut Official Toolbar - C:\Program Files\Orkut_Official\tbOrk0.dll [2009-01-30 1784856]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet - C:\Program Files\FlashGet\fgiebar.dll [2006-11-19 98304]
{399d96ca-6f9a-4fff-95fe-284e45ebb935} - RadarSync Toolbar - C:\Program Files\RadarSync\tbRad0.dll [2008-08-03 1606680]
{A3884B05-8D20-483A-A2E3-C70A66E75C34} - Anonymous Friend - C:\Program Files\Anonymous Friend\AnonymousFriend.dll [2007-11-22 86016]
{D7E97865-918F-41E4-9CD0-25AB1C574CE8} - &Inbox Toolbar - C:\PROGRA~1\INBOXT~1\Inbox.dll [2008-10-14 540160]
{4B3803EA-5230-4DC3-A7FC-33638F3D3542} - &Crawler Toolbar - C:\PROGRA~1\Crawler\ctbr.dll [2008-12-03 1194496]
{6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - Billeo - C:\Program Files\Billeo\billeo.dll [2008-11-20 2753800]
{2318C2B1-4965-11d4-9B18-009027A5CD4F}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2003-10-02 176128]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2003-10-02 139264]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2008-07-27 139264]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2008-07-27 2899968]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-11-23 77408]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2008-07-27 54832]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2008-07-27 176128]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 77824]
""= []
"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2005-10-26 180224]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-01-30 16135680]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-07-27 90112]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-09 1601304]
"flockbox"=C:\Program Files\My Lockbox\flockbox.exe [2007-12-14 1071472]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-08-08 176128]
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe [2005-06-20 1077248]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-11 515416]
"rspNotify"=C:\WINDOWS\TEMP\GenesisAluMsg.exe /delay []
"ThreatFire"=C:\Program Files\ThreatFire\TFTray.exe [2009-03-04 263440]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe [2006-09-02 100032]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-12-23 163840]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1684992]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 32768]
"Google Update"=C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 133104]
"IncrediMail"=C:\Program Files\IncrediMail\bin\IncMail.exe [2008-12-23 251264]
"MSGTAG"=C:\Program Files\MSGTAG\MSGTAG.exe [2003-09-16 1337344]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
Billeo.lnk - C:\Program Files\Billeo\billeo.exe

C:\Documents and Settings\sachin\Start Menu\Programs\Startup
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-09 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2003-10-02 151552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wbcnedph]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3mcxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati3mcxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Disabled:Flashget"
"C:\Program Files\IncrediMail\BIN\IncMail.exe"="C:\Program Files\IncrediMail\BIN\IncMail.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\BIN\ImApp.exe"="C:\Program Files\IncrediMail\BIN\ImApp.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\BIN\ImpCnt.exe"="C:\Program Files\IncrediMail\BIN\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\Documents and Settings\SACHIN\Local Settings\Temp\ImInstaller\incredimail_installer.exe"="C:\Documents and Settings\SACHIN\Local Settings\Temp\ImInstaller\incredimail_installer.exe:*:Enabled:IncrediMail Installer"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-03-15 20:15:55 ----D---- C:\rsit
2009-03-07 19:06:20 ----SHD---- C:\FOUND.039
2009-03-07 10:29:01 ----A---- C:\WINDOWS\system32\1B.tmp
2009-03-07 10:25:10 ----A---- C:\WINDOWS\system32\F.tmp
2009-03-05 19:00:12 ----SHD---- C:\FOUND.038
2009-03-05 13:54:37 ----A---- C:\WINDOWS\system32\E.tmp
2009-03-05 13:54:35 ----A---- C:\WINDOWS\system32\C.tmp
2009-03-05 13:54:33 ----A---- C:\WINDOWS\system32\B.tmp
2009-03-04 19:18:02 ----SHD---- C:\FOUND.037
2009-03-04 19:14:57 ----A---- C:\WINDOWS\system32\17.tmp
2009-03-04 19:14:52 ----A---- C:\WINDOWS\system32\16.tmp
2009-03-04 19:09:34 ----D---- C:\Program Files\ThreatFire
2009-03-04 19:07:37 ----A---- C:\WINDOWS\system32\6.tmp
2009-03-04 19:07:34 ----A---- C:\WINDOWS\system32\4.tmp
2009-03-03 20:30:34 ----SHD---- C:\FOUND.036
2009-03-03 19:18:15 ----A---- C:\WINDOWS\system32\D.tmp
2009-03-03 19:15:34 ----A---- C:\WINDOWS\system32\rs32net.exe
2009-03-03 19:15:28 ----A---- C:\WINDOWS\system32\5.tmp
2009-03-01 21:09:34 ----D---- C:\Documents and Settings\sachin\Application Data\Symantec
2009-03-01 20:59:31 ----D---- C:\Program Files\Bazooka Scanner
2009-02-28 20:51:42 ----SHD---- C:\FOUND.035
2009-02-28 20:27:14 ----A---- C:\log2.txt
2009-02-28 20:27:14 ----A---- C:\log1.txt
2009-02-28 20:22:01 ----D---- C:\Documents and Settings\sachin\Application Data\True Sword
2009-02-28 20:20:56 ----D---- C:\Program Files\True Sword 5
2009-02-28 15:28:42 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-27 11:36:11 ----D---- C:\Documents and Settings\sachin\Application Data\Uniblue
2009-02-27 11:35:17 ----D---- C:\Program Files\Uniblue
2009-02-27 11:34:59 ----HD---- C:\Documents and Settings\All Users\Application Data\{6F6DBADD-35E9-42D7-82C1-1F65F2F31141}
2009-02-26 14:27:24 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-02-26 13:15:15 ----HD---- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-26 13:15:09 ----D---- C:\Program Files\Lavasoft
2009-02-26 13:15:09 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-25 23:24:01 ----D---- C:\Program Files\Trend Micro
2009-02-25 23:12:26 ----D---- C:\Program Files\EsetOnlineScanner
2009-02-24 13:11:48 ----SHD---- C:\WINDOWS\CSC
2009-02-24 12:42:19 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-23 22:27:36 ----SHD---- C:\FOUND.034
2009-02-23 11:09:58 ----SHD---- C:\FOUND.033
2009-02-17 22:40:43 ----D---- C:\WINDOWS\BDOSCAN8

======List of files/folders modified in the last 1 months======

2009-03-15 13:02:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-09 19:47:38 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-03-07 18:55:36 ----A---- C:\WINDOWS\DUMP150b.tmp
2009-03-07 10:19:50 ----A---- C:\WINDOWS\DUMP1375.tmp
2009-03-06 19:13:14 ----A---- C:\WINDOWS\DUMPf8e2.tmp
2009-03-06 11:56:20 ----A---- C:\WINDOWS\DUMPfa49.tmp
2009-03-05 18:50:10 ----A---- C:\WINDOWS\DUMPfba1.tmp
2009-03-04 19:00:38 ----A---- C:\WINDOWS\DUMP0f86.tmp
2009-03-03 19:13:06 ----A---- C:\WINDOWS\DUMPa9fb.tmp
2009-03-01 11:35:54 ----A---- C:\WINDOWS\DUMP0257.tmp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-09 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-09 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-03-09 107272]
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2007-03-22 43584]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-05 28352]
R2 BTSERIAL;Bluetooth Serial Driver; \??\C:\WINDOWS\system32\drivers\btserial.sys []
R2 BTSLBCSP;Bluetooth Port Client Driver; \??\C:\WINDOWS\system32\drivers\btslbcsp.sys []
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2006-05-12 401664]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2006-05-12 30363]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2006-05-12 1342602]
R3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2006-05-12 44163]
R3 btwmodem;Bluetooth Modem; C:\WINDOWS\system32\DRIVERS\btwmodem.sys [2006-05-12 30189]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2006-05-12 57320]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-01-30 4474368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 ethlkctp;ethlkctp; C:\WINDOWS\system32\drivers\ethlkctp.sys []
S3 atirage3;atirage3; C:\WINDOWS\system32\DRIVERS\atimpae.sys [2001-08-17 75136]
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2006-05-12 182912]
S3 GMSIPCI;GMSIPCI; \??\G:\INSTALL\GMSIPCI.SYS []
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-10-08 93979]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 rkhdrv40;Rootkit Unhooker Driver; C:\WINDOWS\system32\drivers\rkhdrv40.sys []
S3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-02 198336]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-03-09 903960]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-09 298264]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2006-05-12 278583]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-11 951632]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2005-08-07 188416]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2009-03-03 587776]
R2 ThreatFire;ThreatFire; C:\Program Files\ThreatFire\TFService.exe [2009-03-04 70928]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 56320]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2006-12-23 282624]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-15 137200]
S3 HSXB;HSXB; C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 90112]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 MNHQY;MNHQY; C:\DOCUME~1\sachin\LOCALS~1\Temp\MNHQY.exe []
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-01-05 794624]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PEIMLOVDV;PEIMLOVDV; C:\DOCUME~1\sachin\LOCALS~1\Temp\PEIMLOVDV.exe []
S3 PHBMDXEVMX;PHBMDXEVMX; C:\DOCUME~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe []

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.05 2009-03-15 20:16:34

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2005 Happy Holidays Screen Saver-->C:\Documents and Settings\All Users\Application Data\Softdisk LLC\Screen Saver Studio\2005 Happy Holidays\UNINSTAL.EXE
AbiWord 2.4.6 (remove only)-->C:\Program Files\AbiSuite2\UninstallAbiWord2.exe
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AniTuner 1.1-->C:\Program Files\AniTuner\Uninst.exe
Anonymity 1.1-->"C:\Program Files\Anonymity\unins000.exe"
Anonymous Friend 2.9-->"C:\Program Files\Anonymous Friend\unins000.exe"
Antispyware-->MsiExec.exe /X{9BFE0C97-C21F-4F71-B614-3F27448326C7}
Audio Recorder for Free-->C:\PROGRA~1\AUDIOR~1\UNWISE.EXE C:\PROGRA~1\AUDIOR~1\INSTALL.LOG
AVG Anti-Rootkit Free-->C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Avira RootKit Detection-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FD25FCD-6F39-4686-AFBB-7056EBAE5E68}\setup.exe" -l0x9
Bazooka Scanner-->"C:\Program Files\Bazooka Scanner\Uninstall.exe" "C:\Program Files\Bazooka Scanner\install.log"
Billeo-->C:\Program Files\Billeo\uninstall.exe
CamStudio-->C:\Program Files\CamStudio\uninstall.exe
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Celestia 1.4.1-->"C:\Program Files\Celestia\unins000.exe"
Concise Encyclopedia-->"C:\Program Files\Britannica 8.0\Concise Encyclopedia\Uninstall_Concise Encyclopedia\Uninstall Concise Encyclopedia.exe"
Crawler Toolbar-->C:\PROGRA~1\Crawler\CToolbar.exe uninst
Das Unit Converter 6.25-->"C:\Program Files\Das Unit Converter\unins000.exe"
Dataone Usage Finder 2.0-->C:\Program Files\Dataone Usage Finder v2.0\uninst.exe
Debut Video Capture Software-->C:\Program Files\NCH Software\Debut\uninst.exe
Desktop Fay 2.8-->"C:\Program Files\Desktop Fay\unins000.exe"
DriverAgent by TouchStone Software-->RunDll32.exe advpack.dll,LaunchINFSection driveragent_exe.inf,TVICHW32Remove
DVD Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
ESET Online Scanner-->C:\WINDOWS\system32\OnlineScannerUninstaller.exe
File Searcher-->MsiExec.exe /I{BE29C518-6D73-4C3C-8F80-FB6F8CE43CCE}
FlashGet(Jetcar) 1.80-->C:\PROGRA~1\FLASHGET\_UNWISE.EXE
FLV Player 1.3.3-->"C:\Program Files\FLVPlayer\uninstall.exe"
FormatFactory-->MsiExec.exe /X{DBC12450-EB73-4B1D-A2E0-EFEE811720B2}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
IE7Pro-->C:\Program Files\IEPro\uninst.exe
Image Resizer Powertoy for Windows XP-->MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Inbox Toolbar-->"C:\Program Files\Inbox Toolbar\unins000.exe"
IncrediMail-->C:\Program Files\IncrediMail\bin\ImSetup.exe /remove /addon:IncrediMail /log:IncMail.log
Infinite Password Generator 3.1-->C:\Program Files\Infinite Password Generator\uninst.exe
Intel® Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
LiveUpdate 3.1 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Magic AAC to MP3 Converter 3.7-->"C:\Program Files\Magic AAC to MP3 Converter\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.17)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSGTAG-->"C:\Program Files\MSGTAG\unins000.exe"
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
My Lockbox 1.2 for Windows 2000/XP-->"C:\Program Files\My Lockbox\unins000.exe"
Nero 7 Essentials-->MsiExec.exe /X{AAB93551-3FFE-42B2-8315-96252BBC1033}
Opera 9.22-->MsiExec.exe /X{AF708E87-ACA2-42FC-AF41-B50226F4C787}
Orkut Official Toolbar-->C:\PROGRA~1\ORKUT_~1\UNWISE.EXE C:\PROGRA~1\ORKUT_~1\INSTALL.LOG
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Prism Video Converter-->C:\Program Files\NCH Software\Prism\uninst.exe
Privoxy 3.0.6-->"C:\Program Files\Vidalia Bundle\Uninstall.exe"
Proxy Finder-->C:\Program Files\ProxyFinder\uninstal.exe
Proxy Vampire v.2.1-->"C:\Program Files\Proxy Vampire\unins000.exe"
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
RadarSync Toolbar-->C:\PROGRA~1\RADARS~1\UNWISE.EXE C:\PROGRA~1\RADARS~1\INSTALL.LOG
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
RootQuest-->C:\Program Files\RootQuest\Uninstal.exe
Secure Web Point Net Guard 2008-->C:\Program Files\Secure Web Point Net Guard 2008\Uninstal.exe
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
ServerMask-->C:\PROGRA~1\PORT80\SERVER~1\UNWISE.EXE C:\PROGRA~1\PORT80\SERVER~1\INSTALL.LOG
Sony Ericsson PC Suite-->MsiExec.exe /I{5F0FC860-ADE1-4B2D-B0A9-CB9FB17C46E8}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Terminator-->"C:\Program Files\Spyware Terminator\unins000.exe"
Star Downloader Free-->"C:\WINDOWS\Star_Downloader_Toolbar_Uninstaller_7531.exe" -hu _?=C:\Program Files\Star Downloader Toolbar
Star Downloader Toolbar-->"C:\WINDOWS\Star_Downloader_Toolbar_Uninstaller_7531.exe" _?=C:\Program Files\Star Downloader Toolbar
Stellarium 0.10.0-->"C:\Program Files\Stellarium\unins000.exe"
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
TextMessagePLUS-->MsiExec.exe /I{3B69632A-D70A-459E-A479-F0089F23F47F}
The Weather Channel Desktop 6-->C:\Program Files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
ThreatFire-->"C:\Program Files\ThreatFire\unins000.exe"
Tor 0.2.0.31-->"C:\Program Files\Vidalia Bundle\Uninstall.exe"
TV-->C:\Program Files\TV\Uninst0.exe
Uniblue RegistryBooster 2009-->"C:\Documents and Settings\All Users\Application Data\{6F6DBADD-35E9-42D7-82C1-1F65F2F31141}\Uniblue RegistryBooster.exe" REMOVE=TRUE MODIFY=FALSE
Uniblue RegistryBooster 2009-->C:\Documents and Settings\All Users\Application Data\{6F6DBADD-35E9-42D7-82C1-1F65F2F31141}\Uniblue RegistryBooster.exe
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Vidalia 0.1.9-->"C:\Program Files\Vidalia Bundle\Uninstall.exe"
VideoLAN VLC media player 0.8.5-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
WavePad Sound Editor-->C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
WIDCOMM Bluetooth Software-->MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WordWeb-->C:\Program Files\WordWeb\uninst.exe
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger-->C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
Zilla Anonymous Surfer 4.3.0.1-->"C:\Program Files\zillasoft.ws\Zilla Anonymous Surfer\unins000.exe"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus Free

System event log

Computer Name: SACHIN-EBE90A33
Event Code: 7036
Message: The Computer Browser service entered the stopped state.

Record Number: 32654
Source Name: Service Control Manager
Time Written: 20090227185731.000000+330
Event Type: information
User:

Computer Name: SACHIN-EBE90A33
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.

Record Number: 32653
Source Name: Service Control Manager
Time Written: 20090227185731.000000+330
Event Type: information
User:

Computer Name: SACHIN-EBE90A33
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 32652
Source Name: Service Control Manager
Time Written: 20090227185729.000000+330
Event Type: information
User:

Computer Name: SACHIN-EBE90A33
Event Code: 7036
Message: The SSDP Discovery Service service entered the running state.

Record Number: 32651
Source Name: Service Control Manager
Time Written: 20090227185729.000000+330
Event Type: information
User:

Computer Name: SACHIN-EBE90A33
Event Code: 7036
Message: The Network Location Awareness (NLA) service entered the running state.

Record Number: 32650
Source Name: Service Control Manager
Time Written: 20090227185729.000000+330
Event Type: information
User:

Application event log

Computer Name: SACHIN-EBE90A33
Event Code: 0
Message:
Record Number: 5537
Source Name: NMIndexingService
Time Written: 20090219225425.000000+330
Event Type: information
User:

Computer Name: SACHIN-EBE90A33
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 5536
Source Name: SecurityCenter
Time Written: 20090219225420.000000+330
Event Type: information
User:

Computer Name: SACHIN-EBE90A33
Event Code: 1
Message:
Record Number: 5535
Source Name: avg8emc
Time Written: 20090219225419.000000+330
Event Type: information
User:

Computer Name: SACHIN-EBE90A33
Event Code: 0
Message:
Record Number: 5534
Source Name: RichVideo
Time Written: 20090219225350.000000+330
Event Type: information
User:

Computer Name: SACHIN-EBE90A33
Event Code: 0
Message:
Record Number: 5533
Source Name: btwdins
Time Written: 20090219225347.000000+330
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 6 Stepping 5, GenuineIntel
"PROCESSOR_REVISION"=0605
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"DEFAULT_CA_NR"=CA6
"CLASSPATH"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:09 PM

Posted 15 March 2009 - 10:40 AM

Hello, sachin naik.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
---------------------------

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.




I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either Symantec Antivirus or AVG Antivirus.


NEXT:

Please download the Suspicious File Packer from here: http://www.safer-networking.org/files/sfp.zip
  • Unzip it to the desktop and run it.
  • Paste the following bold part into the Suspicious File Packer window:

    C:\WINDOWS\TEMP\GenesisAluMsg.exe

  • Allow SFP to pack the file. This will generate a CAB archive on your desktop.
  • Now please send the file to the following email: malwareATmytidbits.de (replace the AT with @)
  • As subject line, please put: BleepingComputer - aommaster -
I shall receive the file then and will let you know what to do with it in my next reply.

NEXT:

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

NEXT:

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK



Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).


O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BF041273-AA50-4EAC-AAED-211D4C960BAE} - (no file)
O2 - BHO: (no name) - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay
O4 - HKUS\S-1-5-18\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [lfwwwnjy.exe] C:\WINDOWS\lfwwwnjy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hdhkzfvj.exe] C:\WINDOWS\hdhkzfvj.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe (User 'Default user')
O23 - Service: HSXB - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe (file missing)
O23 - Service: MNHQY - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\MNHQY.exe (file missing)
O23 - Service: PEIMLOVDV - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\PEIMLOVDV.exe (file missing)
O23 - Service: PHBMDXEVMX - Unknown owner - C:\DOCUME~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe (file missing)


Then close all windows except HijackThis and click Fix Checked.

Restart

Use Windows Explorer to find and delete these files if they exist. If they don't, let me know:
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\lfwwwnjy.exe
C:\WINDOWS\hdhkzfvj.exe
C:\Documents and Settings\sachin\Local Settings\Temp\HSXB.exe
C:\Documents and Settings\sachin\Local Settings\Temp\MNHQY.exe
C:\Documents and Settings\sachin\Local Settings\Temp\PEIMLOVDV.exe
C:\Documents and Settings\sachin\Local Settings\Temp\PHBMDXEVMX.exe



As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop, or press the Windows key + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete


In your next reply, please include the following:
  • Report.txt
  • RSIT Log
  • Description of any remaining problems

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

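The HijackThis fix list and the file-deletion list in the post above are, in effect, hand triage of log lines: BHO and toolbar entries with "(no file)", Run keys launching from C:\WINDOWS\TEMP or random eight-letter executables under C:\WINDOWS (often under the SYSTEM or Default user hive), a Winlogon Notify handler with no DLL, and services whose binaries live in a user's Temp folder. The Python script below is an added example, not part of the original post and not HijackThis's own code; it encodes those same heuristics so they can be run over a log rather than scanned by eye. The function names (split_line, triage, triage_log) and the regular expressions are my own, and the sample lines are copied from the HijackThis log posted in this thread with two clean entries kept for contrast.

```python
import re

# Added example: triage rules for HijackThis-style log lines, mirroring the
# judgements the helper made in this thread. These are heuristics only; real
# triage also checks signatures, hashes and reputation before touching a file.

# "O4 - HKLM\..\Run: [name] cmd" -> section "O4", body "HKLM\..\Run: [name] cmd"
SECTION_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Splits an O4 body into hive, autorun name, command, dropping a trailing "(User 'X')".
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)(?:\s+\(User '[^']*'\))?$")
# Eight letters then .exe directly under C:\WINDOWS, like lfwwwnjy.exe in the log above.
RANDOM_WINDOWS_EXE_RE = re.compile(r"c:\\windows\\[a-z]{8}\.exe")


def split_line(line: str):
    """Return (section, body) for a HijackThis line, or None for non-log text."""
    m = SECTION_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(line: str):
    """Return a short reason if the line matches a suspicious pattern, else None."""
    parsed = split_line(line)
    if parsed is None:
        return None
    section, body = parsed
    low = body.lower()

    # O2 BHOs / O3 toolbars whose DLL is gone are orphaned registrations.
    if section in ("O2", "O3") and "(no file)" in low:
        return "orphaned BHO/toolbar entry"

    if section == "O4":
        m = O4_RE.match(body)
        cmd = m.group("cmd").lower() if m else low
        # Nothing legitimate should autostart from a temp folder.
        if "\\temp\\" in cmd:
            return "autorun launched from a temp folder"
        # Random-looking name dropped straight into C:\WINDOWS.
        if RANDOM_WINDOWS_EXE_RE.search(cmd):
            return "autorun with random-looking name in C:\\WINDOWS"
        # Legitimate software rarely registers under the SYSTEM or Default user hive.
        if "(user 'system')" in low or "(user 'default user')" in low:
            return "autorun under SYSTEM or Default user hive"

    # Winlogon Notify handlers load into winlogon.exe; a bare directory is not a DLL.
    if section == "O20" and low.rstrip().endswith("\\"):
        return "Winlogon Notify handler without a DLL path"

    # Services: binary in a Temp folder, or missing entirely.
    if section == "O23":
        if "\\temp\\" in low:
            return "service binary in a Temp folder"
        if "(file missing)" in low:
            return "service with missing binary"
    return None


def triage_log(lines):
    """Return [(line, reason)] for every suspicious line in a HijackThis log."""
    out = []
    for line in lines:
        reason = triage(line)
        if reason:
            out.append((line.strip(), reason))
    return out


# Sample input: lines copied from the HijackThis log posted in this thread,
# plus two clean entries (Adobe BHO, AVG tray, ThreatFire service) for contrast.
SAMPLE_LOG = [
    "O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)",
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll",
    "O4 - HKLM\\..\\Run: [rspNotify] \"C:\\WINDOWS\\TEMP\\GenesisAluMsg.exe\" /delay",
    "O4 - HKUS\\S-1-5-18\\..\\Run: [lfwwwnjy.exe] C:\\WINDOWS\\lfwwwnjy.exe (User 'SYSTEM')",
    "O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe",
    "O20 - Winlogon Notify: wbcnedph - C:\\WINDOWS\\",
    "O23 - Service: HSXB - Unknown owner - C:\\DOCUME~1\\sachin\\LOCALS~1\\Temp\\HSXB.exe (file missing)",
    "O23 - Service: ThreatFire - PC Tools - C:\\Program Files\\ThreatFire\\TFService.exe",
]

if __name__ == "__main__":
    for hit, why in triage_log(SAMPLE_LOG):
        print(f"{why:45} {hit}")
```

Run against the full log, the script flags exactly the entries the helper asked to have fixed and leaves the AVG, ThreatFire and Adobe lines alone; an entry it flags still needs a human to confirm before anything is deleted, which is why the helper also asked for the packed sample of GenesisAluMsg.exe.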

#5 sachin naik

sachin naik
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:01:39 PM

Posted 18 March 2009 - 12:23 PM

The problems are the same ones I mentioned in my post above.
During startup I get a spoolsv.exe application error; whenever I connect my PC to the net my AVG/ThreatFire detects 1 threat. No other problem.
I don't use Symantec, but some pieces of Symantec are still there on my PC, so you get it in my log file.
I cannot open the Avira anti-rootkit tool, but I can open other anti-rootkit tools; they don't detect any rootkits.
I use AVG 8, ThreatFire, Spybot, Ad-Aware 2008, Malwarebytes, RootRepeal, AVG anti-rootkit tool - all free versions.

I don't do any online transactions, but I use Orkut accounts etc. I am ready to uninstall my XP only if you are 100% sure that nothing can help me, but please help.


Well, you told me to delete some files, of which I found only 1 file and deleted it, i.e. C:\WINDOWS\System32\rs32net.exe; the remaining files couldn't be found.


SDFix: Version 1.240
Run by sachin on Tue 03/17/2009 at 10:52 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 22:55:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Disabled:Flashget"
"C:\\Program Files\\IncrediMail\\BIN\\IncMail.exe"="C:\\Program Files\\IncrediMail\\BIN\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\BIN\\ImApp.exe"="C:\\Program Files\\IncrediMail\\BIN\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\BIN\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\BIN\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Documents and Settings\\SACHIN\\Local Settings\\Temp\\ImInstaller\\incredimail_installer.exe"="C:\\Documents and Settings\\SACHIN\\Local Settings\\Temp\\ImInstaller\\incredimail_installer.exe:*:Enabled:IncrediMail Installer"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 2 Aug 2008 6,104,632 ...H. --- "C:\Program Files\Picasa2\setup.exe"
Sun 1 Mar 2009 25,600 ...H. --- "C:\Documents and Settings\sachin\Desktop\~WRL0001.tmp"
Fri 6 Mar 2009 25,088 ...H. --- "C:\Documents and Settings\sachin\Desktop\~WRL0003.tmp"
Fri 6 Mar 2009 25,600 ...H. --- "C:\Documents and Settings\sachin\Desktop\~WRL0005.tmp"
Fri 6 Mar 2009 25,600 ...H. --- "C:\Documents and Settings\sachin\Desktop\~WRL3742.tmp"
Fri 6 Mar 2009 25,600 ...H. --- "C:\Documents and Settings\sachin\Desktop\~WRL1725.tmp"
Fri 6 Mar 2009 27,648 ...H. --- "C:\Documents and Settings\sachin\Desktop\~WRL1617.tmp"
Fri 23 Jan 2009 25,755,448 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\46b01098655cc8f635f69264a2248643\BIT15.tmp"

Finished!


Logfile of random's system information tool 1.05 (written by random/random)
Run by sachin at 2009-03-18 22:32:34
Microsoft Windows XP Professional Service Pack 2
System drive C: has 8 GB (40%) free of 20 GB
Total RAM: 959 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:59 PM, on 3/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Billeo\billeo.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Downloads\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\sachin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.211.228.244:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
R3 - URLSearchHook: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O3 - Toolbar: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O3 - Toolbar: Anonymous Friend - {A3884B05-8D20-483A-A2E3-C70A66E75C34} - C:\Program Files\Anonymous Friend\AnonymousFriend.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Billeo.lnk = C:\Program Files\Billeo\billeo.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O15 - Trusted Zone: *.softmedia.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212070718296
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212729993734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C427842-95D7-4BB3-BE3B-A953225C557C}: NameServer = 218.248.240.208,218.248.240.135
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: wbcnedph - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 14371 bytes




======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{3A612A48-CBA6-44F2-9E24-6784DBDB69C6}.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-813497703-1801674531-1003.job
C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00011268-E188-40DF-A514-835FCD78B1BF}]
IE7Pro BHO - C:\Program Files\IEPro\iepro.dll [2008-07-27 736360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}]
Orkut Official Toolbar - C:\Program Files\Orkut_Official\tbOrk0.dll [2009-01-30 1784856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
C:\PROGRA~1\Crawler\ctbr.dll [2008-12-03 1194496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
Flashget Catch Url Class - C:\Program Files\FlashGet\jccatch.dll [2006-12-11 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
RadarSync Toolbar - C:\Program Files\RadarSync\tbRad0.dll [2008-08-03 1606680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-09 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{465E08E7-F005-4389-980F-1D8764B3486C}]
Billeo - C:\Program Files\Billeo\billeo.dll [2008-11-20 2753800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
C:\PROGRA~1\INBOXT~1\Inbox.dll [2008-10-14 540160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
gFlash Class - C:\Program Files\FlashGet\getflash.dll [2006-11-06 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFEF0-5B30-21D4-945D-000000000000}]
C:\PROGRA~1\STARDO~1\SDIEInt.dll [2006-02-26 135680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - Star Downloader Toolbar - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll [2008-07-27 499712]
{0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - Orkut Official Toolbar - C:\Program Files\Orkut_Official\tbOrk0.dll [2009-01-30 1784856]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet - C:\Program Files\FlashGet\fgiebar.dll [2006-11-19 98304]
{399d96ca-6f9a-4fff-95fe-284e45ebb935} - RadarSync Toolbar - C:\Program Files\RadarSync\tbRad0.dll [2008-08-03 1606680]
{A3884B05-8D20-483A-A2E3-C70A66E75C34} - Anonymous Friend - C:\Program Files\Anonymous Friend\AnonymousFriend.dll [2007-11-22 86016]
{D7E97865-918F-41E4-9CD0-25AB1C574CE8} - &Inbox Toolbar - C:\PROGRA~1\INBOXT~1\Inbox.dll [2008-10-14 540160]
{4B3803EA-5230-4DC3-A7FC-33638F3D3542} - &Crawler Toolbar - C:\PROGRA~1\Crawler\ctbr.dll [2008-12-03 1194496]
{6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - Billeo - C:\Program Files\Billeo\billeo.dll [2008-11-20 2753800]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2003-10-02 176128]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2003-10-02 139264]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2008-07-27 139264]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2008-07-27 2899968]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-11-23 77408]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2008-07-27 54832]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2008-07-27 176128]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 77824]
"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2005-10-26 180224]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-01-30 16135680]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-07-27 90112]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-09 1601304]
"flockbox"=C:\Program Files\My Lockbox\flockbox.exe [2007-12-14 1071472]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-08-08 176128]
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe [2005-06-20 1077248]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-11 515416]
"ThreatFire"=C:\Program Files\ThreatFire\TFTray.exe [2009-03-04 263440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-12-23 163840]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1684992]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 32768]
"Google Update"=C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 133104]
"IncrediMail"=C:\Program Files\IncrediMail\bin\IncMail.exe [2008-12-23 251264]
"MSGTAG"=C:\Program Files\MSGTAG\MSGTAG.exe [2003-09-16 1337344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
Billeo.lnk - C:\Program Files\Billeo\billeo.exe

C:\Documents and Settings\sachin\Start Menu\Programs\Startup
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-09 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2003-10-02 151552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wbcnedph]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3mcxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati3mcxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Disabled:Flashget"
"C:\Program Files\IncrediMail\BIN\IncMail.exe"="C:\Program Files\IncrediMail\BIN\IncMail.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\BIN\ImApp.exe"="C:\Program Files\IncrediMail\BIN\ImApp.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\BIN\ImpCnt.exe"="C:\Program Files\IncrediMail\BIN\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\Documents and Settings\SACHIN\Local Settings\Temp\ImInstaller\incredimail_installer.exe"="C:\Documents and Settings\SACHIN\Local Settings\Temp\ImInstaller\incredimail_installer.exe:*:Enabled:IncrediMail Installer"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-03-17 19:20:30 ----SHD---- C:\FOUND.040
2009-03-16 19:20:00 ----D---- C:\WINDOWS\ERUNT
2009-03-15 23:15:04 ----D---- C:\SDFix
2009-03-15 20:15:55 ----D---- C:\rsit
2009-03-07 19:06:20 ----SHD---- C:\FOUND.039
2009-03-05 19:00:12 ----SHD---- C:\FOUND.038
2009-03-04 19:18:02 ----SHD---- C:\FOUND.037
2009-03-04 19:09:34 ----D---- C:\Program Files\ThreatFire
2009-03-03 20:30:34 ----SHD---- C:\FOUND.036
2009-03-01 21:09:34 ----D---- C:\Documents and Settings\sachin\Application Data\Symantec
2009-03-01 20:59:31 ----D---- C:\Program Files\Bazooka Scanner
2009-02-28 20:51:42 ----SHD---- C:\FOUND.035
2009-02-28 20:27:14 ----A---- C:\log2.txt
2009-02-28 20:27:14 ----A---- C:\log1.txt
2009-02-28 20:22:01 ----D---- C:\Documents and Settings\sachin\Application Data\True Sword
2009-02-28 20:20:56 ----D---- C:\Program Files\True Sword 5
2009-02-28 15:28:42 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-27 11:36:11 ----D---- C:\Documents and Settings\sachin\Application Data\Uniblue
2009-02-27 11:35:17 ----D---- C:\Program Files\Uniblue
2009-02-27 11:34:59 ----HD---- C:\Documents and Settings\All Users\Application Data\{6F6DBADD-35E9-42D7-82C1-1F65F2F31141}
2009-02-26 14:27:24 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-02-26 13:15:15 ----HD---- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-26 13:15:09 ----D---- C:\Program Files\Lavasoft
2009-02-26 13:15:09 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-25 23:24:01 ----D---- C:\Program Files\Trend Micro
2009-02-25 23:12:26 ----D---- C:\Program Files\EsetOnlineScanner
2009-02-24 13:11:48 ----SHD---- C:\WINDOWS\CSC
2009-02-24 12:42:19 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-23 22:27:36 ----SHD---- C:\FOUND.034
2009-02-23 11:09:58 ----SHD---- C:\FOUND.033

======List of files/folders modified in the last 1 months======

2009-03-18 19:05:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-17 14:51:26 ----A---- C:\WINDOWS\DUMPe673.tmp
2009-03-09 19:47:38 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-03-07 18:55:36 ----A---- C:\WINDOWS\DUMP150b.tmp
2009-03-07 10:19:50 ----A---- C:\WINDOWS\DUMP1375.tmp
2009-03-06 19:13:14 ----A---- C:\WINDOWS\DUMPf8e2.tmp
2009-03-06 11:56:20 ----A---- C:\WINDOWS\DUMPfa49.tmp
2009-03-05 18:50:10 ----A---- C:\WINDOWS\DUMPfba1.tmp
2009-03-04 19:00:38 ----A---- C:\WINDOWS\DUMP0f86.tmp
2009-03-03 19:13:06 ----A---- C:\WINDOWS\DUMPa9fb.tmp
2009-03-01 11:35:54 ----A---- C:\WINDOWS\DUMP0257.tmp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-09 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-09 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-03-09 107272]
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2007-03-22 43584]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-05 28352]
R2 BTSERIAL;Bluetooth Serial Driver; \??\C:\WINDOWS\system32\drivers\btserial.sys []
R2 BTSLBCSP;Bluetooth Port Client Driver; \??\C:\WINDOWS\system32\drivers\btslbcsp.sys []
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2006-05-12 401664]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2006-05-12 30363]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2006-05-12 1342602]
R3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2006-05-12 182912]
R3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2006-05-12 44163]
R3 btwmodem;Bluetooth Modem; C:\WINDOWS\system32\DRIVERS\btwmodem.sys [2006-05-12 30189]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2006-05-12 57320]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-01-30 4474368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 ethlkctp;ethlkctp; C:\WINDOWS\system32\drivers\ethlkctp.sys []
S3 atirage3;atirage3; C:\WINDOWS\system32\DRIVERS\atimpae.sys [2001-08-17 75136]
S3 catchme;catchme; \??\C:\DOCUME~1\sachin\LOCALS~1\Temp\catchme.sys []
S3 GMSIPCI;GMSIPCI; \??\G:\INSTALL\GMSIPCI.SYS []
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-10-08 93979]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 rkhdrv40;Rootkit Unhooker Driver; C:\WINDOWS\system32\drivers\rkhdrv40.sys []
S3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-02 198336]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-03-09 903960]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-09 298264]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2006-05-12 278583]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-11 951632]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2005-08-07 188416]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2009-03-03 587776]
R2 ThreatFire;ThreatFire; C:\Program Files\ThreatFire\TFService.exe [2009-03-04 70928]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 56320]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2006-12-23 282624]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-15 137200]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 90112]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-01-05 794624]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 HSXB;HSXB; C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe []
S4 MNHQY;MNHQY; C:\DOCUME~1\sachin\LOCALS~1\Temp\MNHQY.exe []
S4 PEIMLOVDV;PEIMLOVDV; C:\DOCUME~1\sachin\LOCALS~1\Temp\PEIMLOVDV.exe []
S4 PHBMDXEVMX;PHBMDXEVMX; C:\DOCUME~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe []

-----------------EOF-----------------

#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:12:09 PM

Posted 18 March 2009 - 04:45 PM

Hello, sachin naik.
Your problem with spoolsv.exe doesn't seem to be virus related. However, it's better to be safe than sorry.
Please carry out the following and let me know if you still get the error message.

If you do, please let me know what the error message says exactly.

I also did not receive the file that you were supposed to send (GenesisAluMsg.exe). Now, this file would have been deleted by SDFix during its run, so you will need to locate SDFix's backup folder, usually located in C:\SDFix. Please zip up that folder and follow the instructions in my previous post and send that whole zip file to me.

Thanks




We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code under the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :Services
    ethlkctp
    
    :files
    C:\Documents and Settings\sachin\Desktop\~WRL0003.tmp
    C:\Documents and Settings\sachin\Desktop\~WRL0005.tmp
    C:\Documents and Settings\sachin\Desktop\~WRL3742.tmp
    C:\Documents and Settings\sachin\Desktop\~WRL1725.tmp
    C:\Documents and Settings\sachin\Desktop\~WRL1617.tmp
    C:\WINDOWS\SoftwareDistribution\Download\46b01098655cc8f635f69264a2248643\BIT15.tmp
    C:\FOUND.040
    C:\FOUND.039
    C:\FOUND.038
    C:\FOUND.037
    C:\FOUND.036
    C:\FOUND.035
    C:\FOUND.034
    C:\FOUND.033
    C:\WINDOWS\SchedLgU.Txt
    C:\WINDOWS\DUMPe673.tmp
    C:\WINDOWS\DUMP150b.tmp
    C:\WINDOWS\DUMP1375.tmp
    C:\WINDOWS\DUMPf8e2.tmp
    C:\WINDOWS\DUMPfa49.tmp
    C:\WINDOWS\DUMPfba1.tmp
    C:\WINDOWS\DUMP0f86.tmp
    C:\WINDOWS\DUMPa9fb.tmp
    C:\WINDOWS\DUMP0257.tmp
    C:\WINDOWS\system32\drivers\ethlkctp.sys
  • Push the large MoveIt! button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

NEXT:

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK



Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).


O20 - Winlogon Notify: wbcnedph - C:\WINDOWS


Then close all windows except HijackThis and click Fix Checked.

Restart



NEXT:

Please do the following:
  • Navigate to C:\Windows\System32\spool\PRINTERS
  • Delete all .SPL and and .SHD files present
Restart your computer

In your next reply, please include the following:
  • OTMoveIt Log
  • RSIT Log
  • Description of any remaining problems

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
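The items the helper singled out above (the wbcnedph Winlogon Notify package with no DLL path, the ethlkctp driver with no file on disk, and the S4 services pointing at Temp\*.exe) are exactly the kinds of entries a triage pass over an RSIT log should surface automatically. The script below is an added example written for this edit; it is not part of the thread and not code from RSIT, HijackThis or OTMoveIt3. The sample lines are copied from the RSIT log posted above; the heuristics (image in a Temp directory, empty [] file metadata, a random-looking name used as both service name and description, a Notify key with no DLL beneath it) are the editor's own assumptions and produce a list to review by hand, not a verdict. Expect false positives: legitimate drivers registered with a \??\ path also show empty [] metadata in RSIT output, and short vendor driver names can look random.

```python
"""Persistence triage for RSIT-style log lines.

Added example for this edit, not code from the thread, from RSIT, or from
OTMoveIt3. Sample lines are copied from the RSIT log in the thread; the
heuristics are the editor's own and yield entries to review, not verdicts.
"""
import re
from dataclasses import dataclass

# Lines copied from the RSIT output posted in this thread (abridged).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-09 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wbcnedph]

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 ethlkctp;ethlkctp; C:\WINDOWS\system32\drivers\ethlkctp.sys []
R2 ThreatFire;ThreatFire; C:\Program Files\ThreatFire\TFService.exe [2009-03-04 70928]
S4 HSXB;HSXB; C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe []
S4 PHBMDXEVMX;PHBMDXEVMX; C:\DOCUME~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe []
"""

# Winlogon Notify subkey header; the DLL path, if any, is on the next line.
NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$",
    re.IGNORECASE,
)
# RSIT service/driver line: "<R|S><0-4> <name>;<description>; <path> [<date size>]"
# An empty [] means RSIT found no file date/size for the image.
SVC_LINE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+) \[([^\]]*)\]$")
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    reason: str
    line: str


def vowel_ratio(s: str) -> float:
    """Share of letters that are vowels; random names tend to score low."""
    letters = [c for c in s.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiouy" for c in letters) / len(letters)


def looks_random(name: str) -> bool:
    # Assumed threshold: tuned on the names in this thread, not validated further.
    return len(name) >= 4 and vowel_ratio(name) < 0.35


def triage(log_text: str) -> list:
    """Return review-worthy entries from Notify keys and service/driver lines."""
    findings = []
    lines = log_text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        m = NOTIFY_KEY.match(line)
        if m:
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if not nxt or nxt.startswith("["):
                findings.append(Finding(m.group(1), "Winlogon Notify package with no DLL path", line))
            continue
        m = SVC_LINE.match(line)
        if not m:
            continue
        _state, _start, name, desc, path, meta = m.groups()
        if TEMP_DIR.search(path):
            findings.append(Finding(name, "service/driver image lives in a Temp directory", line))
        if meta == "":
            findings.append(Finding(name, "no file date/size recorded: image missing or unreadable", line))
        if name == desc and looks_random(name):
            findings.append(Finding(name, "description equals name and the name looks random", line))
    return findings


def flagged_names(log_text: str) -> set:
    return {f.name for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:12} {f.reason}\n    {f.line}")
```

Run against the sample it reports wbcnedph, ethlkctp, HSXB and PHBMDXEVMX and stays quiet on kbdhid, ThreatFire and avgrsstarter; feed it a whole RSIT log and treat each hit as a candidate for the kind of OTMoveIt3 :Services / :files script shown in the post above, after checking the path by hand.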


#7 sachin naik

sachin naik
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:01:39 PM

Posted 19 March 2009 - 12:06 PM

The "spoolsv.exe - application error" still appears, but at a very few times it doesn't appear, i.e. right now (I don't have a printer).
Whenever I start up, this error "spoolsv.exe - application error" is displayed by Windows, and the message displayed in the window is:
"The instruction at xxxxxxxx referenced memory at xxxxxxx. The memory could not be written."

And according to many websites, hackers make use of the spooler service to generate a backdoor, so they say it's a virus.

One more problem which I did not mention is that I cannot play any music using Windows Media Player, but I can play it using other media players.



helpppppppppppppppppppppp

========== SERVICES/DRIVERS ==========

Service\Driver ethlkctp deleted successfully.
========== FILES ==========
C:\Documents and Settings\sachin\Desktop\~WRL0003.tmp moved successfully.
C:\Documents and Settings\sachin\Desktop\~WRL0005.tmp moved successfully.
C:\Documents and Settings\sachin\Desktop\~WRL3742.tmp moved successfully.
C:\Documents and Settings\sachin\Desktop\~WRL1725.tmp moved successfully.
C:\Documents and Settings\sachin\Desktop\~WRL1617.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\46b01098655cc8f635f69264a2248643\BIT15.tmp moved successfully.
C:\FOUND.040 moved successfully.
C:\FOUND.039 moved successfully.
C:\FOUND.038 moved successfully.
C:\FOUND.037 moved successfully.
C:\FOUND.036 moved successfully.
C:\FOUND.035 moved successfully.
C:\FOUND.034 moved successfully.
C:\FOUND.033 moved successfully.
File move failed. C:\WINDOWS\SchedLgU.Txt scheduled to be moved on reboot.
C:\WINDOWS\DUMPe673.tmp moved successfully.
C:\WINDOWS\DUMP150b.tmp moved successfully.
C:\WINDOWS\DUMP1375.tmp moved successfully.
C:\WINDOWS\DUMPf8e2.tmp moved successfully.
C:\WINDOWS\DUMPfa49.tmp moved successfully.
C:\WINDOWS\DUMPfba1.tmp moved successfully.
C:\WINDOWS\DUMP0f86.tmp moved successfully.
C:\WINDOWS\DUMPa9fb.tmp moved successfully.
C:\WINDOWS\DUMP0257.tmp moved successfully.
File/Folder C:\WINDOWS\system32\drivers\ethlkctp.sys not found.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03192009_151036

Files moved on Reboot...
File move failed. C:\WINDOWS\SchedLgU.Txt scheduled to be moved on reboot.



-------------------------------------------------------------------



Logfile of random's system information tool 1.05 (written by random/random)
Run by sachin at 2009-03-19 19:52:36
Microsoft Windows XP Professional Service Pack 2
System drive C: has 8 GB (40%) free of 20 GB
Total RAM: 959 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:02 PM, on 3/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\ThreatFire\TFService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\sachin\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\sachin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.211.228.244:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
R3 - URLSearchHook: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BF041273-AA50-4EAC-AAED-211D4C960BAE} - (no file)
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: (no name) - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
O3 - Toolbar: Orkut Official Toolbar - {0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - C:\Program Files\Orkut_Official\tbOrk0.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O3 - Toolbar: Anonymous Friend - {A3884B05-8D20-483A-A2E3-C70A66E75C34} - C:\Program Files\Anonymous Friend\AnonymousFriend.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Billeo.lnk = C:\Program Files\Billeo\billeo.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O15 - Trusted Zone: *.softmedia.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212070718296
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212729993734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C427842-95D7-4BB3-BE3B-A953225C557C}: NameServer = 218.248.240.208,218.248.240.135
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 15328 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{3A612A48-CBA6-44F2-9E24-6784DBDB69C6}.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-813497703-1801674531-1003.job
C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00011268-E188-40DF-A514-835FCD78B1BF}]
IE7Pro BHO - C:\Program Files\IEPro\iepro.dll [2008-07-27 736360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}]
Orkut Official Toolbar - C:\Program Files\Orkut_Official\tbOrk0.dll [2009-01-30 1784856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
C:\PROGRA~1\Crawler\ctbr.dll [2008-12-03 1194496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
Flashget Catch Url Class - C:\Program Files\FlashGet\jccatch.dll [2006-12-11 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
RadarSync Toolbar - C:\Program Files\RadarSync\tbRad0.dll [2008-08-03 1606680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-09 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{465E08E7-F005-4389-980F-1D8764B3486C}]
Billeo - C:\Program Files\Billeo\billeo.dll [2008-11-20 2753800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF041273-AA50-4EAC-AAED-211D4C960BAE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
C:\PROGRA~1\INBOXT~1\Inbox.dll [2008-10-14 540160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E16AB45F-35A8-4f4d-922F-8D00D760F85B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
gFlash Class - C:\Program Files\FlashGet\getflash.dll [2006-11-06 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFEF0-5B30-21D4-945D-000000000000}]
C:\PROGRA~1\STARDO~1\SDIEInt.dll [2006-02-26 135680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - Star Downloader Toolbar - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll [2008-07-27 499712]
{0f484b10-5ddb-47d0-a54e-254e78cc3d6f} - Orkut Official Toolbar - C:\Program Files\Orkut_Official\tbOrk0.dll [2009-01-30 1784856]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet - C:\Program Files\FlashGet\fgiebar.dll [2006-11-19 98304]
{399d96ca-6f9a-4fff-95fe-284e45ebb935} - RadarSync Toolbar - C:\Program Files\RadarSync\tbRad0.dll [2008-08-03 1606680]
{A3884B05-8D20-483A-A2E3-C70A66E75C34} - Anonymous Friend - C:\Program Files\Anonymous Friend\AnonymousFriend.dll [2007-11-22 86016]
{D7E97865-918F-41E4-9CD0-25AB1C574CE8} - &Inbox Toolbar - C:\PROGRA~1\INBOXT~1\Inbox.dll [2008-10-14 540160]
{4B3803EA-5230-4DC3-A7FC-33638F3D3542} - &Crawler Toolbar - C:\PROGRA~1\Crawler\ctbr.dll [2008-12-03 1194496]
{6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - Billeo - C:\Program Files\Billeo\billeo.dll [2008-11-20 2753800]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2003-10-02 176128]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2003-10-02 139264]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2008-07-27 139264]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2008-07-27 2899968]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-11-23 77408]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2008-07-27 54832]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2008-07-27 176128]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 77824]
"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2005-10-26 180224]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-01-30 16135680]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-07-27 90112]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-09 1601304]
"flockbox"=C:\Program Files\My Lockbox\flockbox.exe [2007-12-14 1071472]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-08-08 176128]
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe [2005-06-20 1077248]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-11 515416]
"ThreatFire"=C:\Program Files\ThreatFire\TFTray.exe [2009-03-04 263440]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe [2006-09-02 100032]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-12-23 163840]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1684992]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 32768]
"Google Update"=C:\Documents and Settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 133104]
"IncrediMail"=C:\Program Files\IncrediMail\bin\IncMail.exe [2008-12-23 251264]
"MSGTAG"=C:\Program Files\MSGTAG\MSGTAG.exe [2003-09-16 1337344]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
Billeo.lnk - C:\Program Files\Billeo\billeo.exe

C:\Documents and Settings\sachin\Start Menu\Programs\Startup
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-09 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2003-10-02 151552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3mcxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati3mcxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Disabled:Flashget"
"C:\Program Files\IncrediMail\BIN\IncMail.exe"="C:\Program Files\IncrediMail\BIN\IncMail.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\BIN\ImApp.exe"="C:\Program Files\IncrediMail\BIN\ImApp.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\BIN\ImpCnt.exe"="C:\Program Files\IncrediMail\BIN\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\Documents and Settings\SACHIN\Local Settings\Temp\ImInstaller\incredimail_installer.exe"="C:\Documents and Settings\SACHIN\Local Settings\Temp\ImInstaller\incredimail_installer.exe:*:Enabled:IncrediMail Installer"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-03-19 15:10:36 ----D---- C:\_OTMoveIt
2009-03-16 19:20:00 ----D---- C:\WINDOWS\ERUNT
2009-03-15 23:15:04 ----D---- C:\SDFix
2009-03-15 20:15:55 ----D---- C:\rsit
2009-03-04 19:09:34 ----D---- C:\Program Files\ThreatFire
2009-03-01 21:09:34 ----D---- C:\Documents and Settings\sachin\Application Data\Symantec
2009-03-01 20:59:31 ----D---- C:\Program Files\Bazooka Scanner
2009-02-28 20:27:14 ----A---- C:\log2.txt
2009-02-28 20:27:14 ----A---- C:\log1.txt
2009-02-28 20:22:01 ----D---- C:\Documents and Settings\sachin\Application Data\True Sword
2009-02-28 20:20:56 ----D---- C:\Program Files\True Sword 5
2009-02-28 15:28:42 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-27 11:36:11 ----D---- C:\Documents and Settings\sachin\Application Data\Uniblue
2009-02-27 11:35:17 ----D---- C:\Program Files\Uniblue
2009-02-27 11:34:59 ----HD---- C:\Documents and Settings\All Users\Application Data\{6F6DBADD-35E9-42D7-82C1-1F65F2F31141}
2009-02-26 14:27:24 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-02-26 13:15:15 ----HD---- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-26 13:15:09 ----D---- C:\Program Files\Lavasoft
2009-02-26 13:15:09 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-25 23:24:01 ----D---- C:\Program Files\Trend Micro
2009-02-25 23:12:26 ----D---- C:\Program Files\EsetOnlineScanner
2009-02-24 13:11:48 ----SHD---- C:\WINDOWS\CSC
2009-02-24 12:42:19 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2009-03-19 19:46:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-09 19:47:38 ----A---- C:\WINDOWS\system32\avgrsstx.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-09 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-09 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-03-09 107272]
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2007-03-22 43584]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-05 28352]
R2 BTSERIAL;Bluetooth Serial Driver; \??\C:\WINDOWS\system32\drivers\btserial.sys []
R2 BTSLBCSP;Bluetooth Port Client Driver; \??\C:\WINDOWS\system32\drivers\btslbcsp.sys []
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2006-05-12 401664]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2006-05-12 30363]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2006-05-12 1342602]
R3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2006-05-12 182912]
R3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2006-05-12 44163]
R3 btwmodem;Bluetooth Modem; C:\WINDOWS\system32\DRIVERS\btwmodem.sys [2006-05-12 30189]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2006-05-12 57320]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-01-30 4474368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 atirage3;atirage3; C:\WINDOWS\system32\DRIVERS\atimpae.sys [2001-08-17 75136]
S3 catchme;catchme; \??\C:\DOCUME~1\sachin\LOCALS~1\Temp\catchme.sys []
S3 GMSIPCI;GMSIPCI; \??\G:\INSTALL\GMSIPCI.SYS []
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-10-08 93979]
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 rkhdrv40;Rootkit Unhooker Driver; C:\WINDOWS\system32\drivers\rkhdrv40.sys []
S3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-02 198336]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-03-09 903960]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-09 298264]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2006-05-12 278583]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-11 951632]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2005-08-07 188416]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2009-03-03 587776]
R2 ThreatFire;ThreatFire; C:\Program Files\ThreatFire\TFService.exe [2009-03-04 70928]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 56320]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2006-12-23 282624]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-15 137200]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 90112]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-01-05 794624]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 HSXB;HSXB; C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe []
S4 MNHQY;MNHQY; C:\DOCUME~1\sachin\LOCALS~1\Temp\MNHQY.exe []
S4 PEIMLOVDV;PEIMLOVDV; C:\DOCUME~1\sachin\LOCALS~1\Temp\PEIMLOVDV.exe []
S4 PHBMDXEVMX;PHBMDXEVMX; C:\DOCUME~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe []

-----------------EOF-----------------
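The RSIT driver and service lines above are what a helper scans by eye for the pattern that stands out in this log: services whose image is an executable in the user's Temp folder, with no file date or size recorded. This added Python example (not part of the thread or of the RSIT tool) parses that line format and scores each entry; the sample lines are copied from the log above, and the thresholds are my own assumptions.

```python
"""Triage helper for the RSIT 'List of drivers' / 'List of services' sections.

Added example, not part of the thread or of RSIT. It parses lines in the format
shown in the log above and flags the pattern a helper looks for by eye:
executables registered as services from a user Temp directory, with no file
date/size recorded. The scoring thresholds are assumptions for illustration.
"""
import re

# One RSIT entry: <R|S><start type> <name>;<display name>; <path> [<date size>]
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Matches both the long form (...\Local Settings\Temp\...) and the 8.3 short
# form (...\LOCALS~1\Temp\...) once the path is lower-cased.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Constructed sample: a handful of lines copied from the RSIT log above.
SAMPLE_LOG = r"""
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-03-09 903960]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S3 catchme;catchme; \??\C:\DOCUME~1\sachin\LOCALS~1\Temp\catchme.sys []
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
S4 HSXB;HSXB; C:\DOCUME~1\sachin\LOCALS~1\Temp\HSXB.exe []
S4 MNHQY;MNHQY; C:\DOCUME~1\sachin\LOCALS~1\Temp\MNHQY.exe []
"""


def parse_entry(line):
    """Return a dict for one RSIT driver/service line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # RSIT prints some image paths as NT object names with a \??\ prefix.
    if entry["path"].startswith("\\??\\"):
        entry["path"] = entry["path"][4:]
    entry["has_meta"] = bool(entry["meta"].strip())
    return entry


def triage(line):
    """Score one entry.

    Returns {"name", "severity", "reasons"} or None for lines that are not
    driver/service entries. A Temp-directory image path is the strong signal;
    the other two are weak on their own (legitimate drivers also show "[]")
    and only add up to "medium" when they occur together.
    """
    entry = parse_entry(line)
    if entry is None:
        return None
    reasons = []
    in_temp = any(marker in entry["path"].lower() for marker in TEMP_MARKERS)
    if in_temp:
        reasons.append("image path is under a Temp directory")
    if not entry["has_meta"]:
        reasons.append("no file date/size recorded (file missing or unreadable)")
    if entry["name"] == entry["display"]:
        reasons.append("display name is just the service name (no description)")

    if in_temp:
        severity = "high"
    elif len(reasons) >= 2:
        severity = "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return {"name": entry["name"], "severity": severity, "reasons": reasons}


def scan_log(text):
    """Return the triage result for every entry in `text` that raised a flag."""
    hits = []
    for line in text.splitlines():
        result = triage(line)
        if result is not None and result["severity"] != "none":
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["name"]}: {"; ".join(hit["reasons"])}')
```

A hit is a lead, not a verdict: catchme.sys in the sample belongs to a rootkit-scanning tool, yet it scores high here because it, too, loads from Temp.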

#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:09 PM

Posted 20 March 2009 - 06:23 AM

Hello, sachin naik.
The error message you posted has x's in it, which I believe means that you do not have the exact numbers that appear.
Please get those numbers for me and type out the error message exactly as it is. It helps when I am researching the problems with your computer.




I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either AVG Antivirus or Symantec Antivirus.





Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#9 sachin naik

sachin naik
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:01:39 PM

Posted 21 March 2009 - 09:05 AM

I ran the ComboFix scan; because of a power failure I had to stop it there. Then really bad startup problems: sometimes my PC gets stuck completely (and I have to force a shutdown using the keyboard) at startup, which is really irritating, but other times it's fine. So should I run ComboFix again, or may I damage my PC? Really scared.

Edited by sachin naik, 21 March 2009 - 09:25 AM.


#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:09 PM

Posted 21 March 2009 - 10:27 AM

Did combofix complete its scan? If so, send me the log file located at C:\ComboFix.txt. If it's not there, let me know.



#11 sachin naik

sachin naik
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:01:39 PM

Posted 21 March 2009 - 12:07 PM

No, but I will scan once more.
And you told me not to use Symantec along with AVG; actually I don't use Symantec, but small pieces of it are still remaining on my PC, that's why the word "Symantec" gets detected in my log file. This is only to inform you.

But let me tell you one thing: whenever I connect my PC to the internet, my ThreatFire detects one potentially unwanted threat, always at this location only, C:/WINDOWS/TEMP, and prompts me to allow or kill the process, and yes, I kill it.

#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:09 PM

Posted 21 March 2009 - 12:34 PM

Hi there!

Yes, make sure you kill the process. Re-run ComboFix and send me the log. Also, you may want to try opening up your C:/WINDOWS/TEMP and deleting the files there.



#13 sachin naik

sachin naik
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:01:39 PM

Posted 22 March 2009 - 10:11 AM

helpppppppppppppppppppppppppppppppppppppppppppppppp



ComboFix 09-03-19.01 - sachin 2009-03-22 20:15:55.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.458 [GMT 5.5:30]
Running from: c:\download\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ntndis.sys
.
---- Previous Run -------
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\ntndis.sys

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-19 15:10 . 2009-03-19 15:10 <DIR> d-------- C:\_OTMoveIt
2009-03-16 19:20 . 2009-03-16 19:20 <DIR> d-------- c:\windows\ERUNT
2009-03-15 23:15 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-03-15 20:15 . 2009-03-15 20:15 <DIR> d-------- C:\rsit
2009-03-08 19:45 . 2009-03-08 19:45 95,232 --ahs---- C:\Thumbs.db
2009-03-08 19:45 . 2009-03-08 19:45 7,168 --ahs---- c:\windows\Thumbs.db
2009-03-07 19:39 . 2009-03-07 19:39 6,959,470 --a------ C:\koi_mil_gaya.mp3
2009-03-07 19:39 . 2009-03-07 19:39 6,491,105 --a------ C:\Fitna_Dil_Shikhar.mp3
2009-03-07 19:39 . 2009-03-07 19:39 6,426,572 --a------ C:\Untitled 73.mp3
2009-03-07 19:39 . 2009-03-07 19:39 6,357,360 --a------ C:\Dhadak_Dhadak_BUNTY_AUR_BABLI.mp3
2009-03-04 19:09 . 2009-03-04 19:09 <DIR> d-------- c:\program files\ThreatFire
2009-03-04 19:09 . 2009-03-04 00:49 51,472 --a------ c:\windows\system32\drivers\TfFsMon.sys
2009-03-04 19:09 . 2009-03-04 00:49 39,184 --a------ c:\windows\system32\drivers\TfSysMon.sys
2009-03-04 19:09 . 2009-03-04 00:49 33,040 --a------ c:\windows\system32\drivers\TfNetMon.sys
2009-03-04 19:09 . 2009-03-04 00:49 12,560 --a------ c:\windows\system32\drivers\TfKbMon.sys
2009-03-01 21:09 . 2009-03-01 21:09 <DIR> d-------- c:\documents and settings\sachin\Application Data\Symantec
2009-03-01 20:59 . 2009-03-01 20:59 <DIR> d-------- c:\program files\Bazooka Scanner
2009-02-28 20:22 . 2009-02-28 20:22 <DIR> d-------- c:\documents and settings\sachin\Application Data\True Sword
2009-02-28 20:20 . 2009-02-28 20:20 <DIR> d-------- c:\program files\True Sword 5
2009-02-27 11:36 . 2009-02-27 11:36 <DIR> d-------- c:\documents and settings\sachin\Application Data\Uniblue
2009-02-27 11:35 . 2009-02-27 11:35 <DIR> d-------- c:\program files\Uniblue
2009-02-27 11:34 . 2009-02-27 11:35 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{6F6DBADD-35E9-42D7-82C1-1F65F2F31141}
2009-02-26 14:27 . 2009-03-11 21:30 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-26 13:16 . 2009-03-11 21:29 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-26 13:15 . 2009-02-26 13:15 <DIR> d-------- c:\program files\Lavasoft
2009-02-26 13:15 . 2009-02-26 13:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-26 13:15 . 2009-02-26 13:15 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 23:24 . 2009-02-25 23:24 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 23:12 . 2009-02-25 23:12 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-02-24 13:11 . 2009-02-24 13:11 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 14:17 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-09 14:17 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-09 14:17 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-07 04:57 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-07 04:57 182,912 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-02 13:19 32,768 ----a-w c:\documents and settings\sachin\das_uc_dat625.dat
2009-02-02 10:00 --------- d-----w c:\program files\Das Unit Converter
2009-01-28 14:48 --------- d-----w c:\program files\MariusSoft
2009-01-24 10:16 --------- d-----w c:\program files\Desktop Fay
2009-01-22 17:52 --------- d-----w c:\program files\NoAdware
2009-01-22 08:57 --------- d-----w c:\program files\MSGTAG
.

------- Sigcheck -------

2009-03-07 10:27 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys
2009-03-07 10:27 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys

2004-08-04 12:00 1049600 6ef18cc29c4d130f28a080e1d209fbf3 c:\windows\explorer.exe
2004-08-04 12:00 1049600 6c909a46d3a4568c7295507db0464588 c:\windows\system32\dllcache\explorer.exe

2004-08-04 12:00 32768 87cf04d16d83fef09c8bfd7833b8fbe7 c:\windows\system32\ctfmon.exe
2004-08-04 12:00 32256 c0ee856a0fdf3541bfcfce44029cbbb7 c:\windows\system32\dllcache\ctfmon.exe

2004-08-04 12:00 75264 5141c3e60f73480d587b87380f376907 c:\windows\system32\spoolsv.exe
2004-08-04 12:00 75264 2f1022e0a998774138835d3e19b07ea3 c:\windows\system32\dllcache\spoolsv.exe

2004-08-04 12:00 41472 1e8568fad7541c3aeba6e29acf342d6b c:\windows\system32\userinit.exe
2004-08-04 12:00 41984 d913798f7f0e15378580cd7c7122038e c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-20_22.39.48.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 14:32:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 14:32:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 02:30:00 179,712 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 02:30:00 180,224 ----a-w c:\windows\SWREG.exe
- 2009-03-20 16:48:38 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-22 10:44:34 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-20 16:48:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-22 10:44:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-20 16:48:38 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-22 10:44:34 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}"= "c:\program files\Orkut_Official\tbOrk0.dll" [2009-01-30 1784856]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2008-08-03 1606680]

[HKEY_CLASSES_ROOT\clsid\{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}]

[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}]
2009-01-30 13:57 1784856 --a------ c:\program files\Orkut_Official\tbOrk0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2008-08-03 22:01 1606680 --a------ c:\program files\RadarSync\tbRad0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}"= "c:\program files\Orkut_Official\tbOrk0.dll" [2009-01-30 1784856]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2008-08-03 1606680]

[HKEY_CLASSES_ROOT\clsid\{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}]

[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2008-08-03 1606680]
"{0F484B10-5DDB-47D0-A54E-254E78CC3D6F}"= "c:\program files\Orkut_Official\tbOrk0.dll" [2009-01-30 1784856]

[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]

[HKEY_CLASSES_ROOT\clsid\{0f484b10-5ddb-47d0-a54e-254e78cc3d6f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 163840]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1684992]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32768]
"Google Update"="c:\documents and settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-25 133104]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2008-12-23 251264]
"MSGTAG"="c:\program files\MSGTAG\MSGTAG.exe" [2003-09-16 1337344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2003-10-02 176128]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2003-10-02 139264]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2008-07-27 139264]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 77408]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2008-07-27 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-27 176128]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 77824]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 180224]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-09 1601304]
"flockbox"="c:\program files\My Lockbox\flockbox.exe" [2007-12-14 1071472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-08 176128]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1077248]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-11 515416]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-03-04 263440]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALuNotify.exe" [2006-09-02 100032]
"SkyTel"="SkyTel.EXE" [2008-07-27 c:\windows\SkyTel.EXE]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

c:\documents and settings\sachin\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2008-05-28 37376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 602173]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-09 19:47 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3mcxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\IncrediMail\\BIN\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\BIN\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\BIN\\ImpCnt.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-26 64160]
R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2008-08-03 17264]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-14 28544]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-04 51472]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-04 39184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-29 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-04 107272]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-07-27 141312]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-04 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-09 298264]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-04 33040]
S0 ati3mcxx;ati3mcxx;c:\windows\system32\Drivers\ati3mcxx.sys --> c:\windows\system32\Drivers\ati3mcxx.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-19 951632]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S4 HSXB;HSXB;c:\docume~1\sachin\LOCALS~1\Temp\HSXB.exe --> c:\docume~1\sachin\LOCALS~1\Temp\HSXB.exe [?]
S4 MNHQY;MNHQY;c:\docume~1\sachin\LOCALS~1\Temp\MNHQY.exe --> c:\docume~1\sachin\LOCALS~1\Temp\MNHQY.exe [?]
S4 PEIMLOVDV;PEIMLOVDV;c:\docume~1\sachin\LOCALS~1\Temp\PEIMLOVDV.exe --> c:\docume~1\sachin\LOCALS~1\Temp\PEIMLOVDV.exe [?]
S4 PHBMDXEVMX;PHBMDXEVMX;c:\docume~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe --> c:\docume~1\sachin\LOCALS~1\Temp\PHBMDXEVMX.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bwelvzfw
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\User_Feed_Synchronization-{3A612A48-CBA6-44F2-9E24-6784DBDB69C6}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-813497703-1801674531-1003.job
- c:\documents and settings\sachin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 22:19]

2009-02-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-11 21:28]
.
- - - - ORPHANS REMOVED - - - -

BHO-{BF041273-AA50-4EAC-AAED-211D4C960BAE} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 218.211.228.244:80
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: Crawler Search - tbr:iemenu
IE: Download with Star Downloader - c:\program files\Star Downloader\sdie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: softmedia.com
TCP: {1C427842-95D7-4BB3-BE3B-A953225C557C} = 218.248.240.208,218.248.240.135
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\INBOXT~1\Inbox.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 20:27:28
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-813497703-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll

- - - - - - - > 'lsass.exe'(868)
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(2548)
c:\program files\ThreatFire\TFWAH.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files\CYBERLINK\SHARED FILES\RICHVIDEO.EXE
c:\program files\SPYWARE TERMINATOR\SP_RSSER.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\THREATFIRE\TFSERVICE.EXE
c:\program files\AVG\AVG8\AVGNSX.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\program files\AVG\AVG8\AVGEMC.EXE
c:\program files\AVG\AVG8\AVGCSRVX.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\combofix\hidec.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-03-22 20:31:44 - machine was rebooted [sachin]
ComboFix-quarantined-files.txt 2009-03-22 15:00:24

Pre-Run: 7,875,706,880 bytes free
Post-Run: 7,875,248,128 bytes free


#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team

Posted 22 March 2009 - 01:12 PM

Hello, sachin naik.
Your System is infected with Virut!!
Virut is a file-infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
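The layout the McAfee description above gives (body appended to the last section, decryptor at or near the entry point) can be checked from the PE headers alone. The following is an added triage example, not code from this thread or from any of the tools in the log; the sample PE headers are constructed inside the block, and the indicators are hints only, since packers produce the same layout.

```python
import struct
from collections import namedtuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = namedtuple("Section", "name vaddr vsize rawsize flags")


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]) from raw PE32 bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]  # AddressOfEntryPoint
    secs, off = [], coff + 20 + opt_size      # section table follows optional header
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, _, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        secs.append(Section(name.rstrip(b"\0").decode(), vaddr, vsize, rawsize, flags))
        off += 40
    return entry, secs


def virut_layout_indicators(data):
    """Triage flags for the appended-body pattern: entry point inside the last
    section, and a last section that is both writable and executable (a
    compiler-emitted data section is not). Packers trip these too: hints only."""
    entry, secs = parse_pe(data)
    last = secs[-1]
    host = next((s for s in secs
                 if s.vaddr <= entry < s.vaddr + max(s.vsize, s.rawsize)), None)
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return {
        "entry_section": host.name if host else None,
        "entry_in_last_section": host is last,
        "last_section_rwx": (last.flags & rwx) == rwx,
    }


def build_sample_pe(infected):
    """Constructed minimal PE32 header (no real code) with .text at RVA 0x1000
    and .data at RVA 0x2000. The 'infected' variant moves the entry point into
    .data and marks it executable, mirroring an appended-body infection."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    entry = 0x2010 if infected else 0x1000
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0x200, 0x200, 0, entry)
    opt += b"\0" * (224 - len(opt))           # pad to the PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    dflags = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if infected:
        dflags |= IMAGE_SCN_MEM_EXECUTE
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x600,
                       0, 0, 0, 0, dflags)
    return dos + b"PE\0\0" + coff + opt + text + data
```

Run `virut_layout_indicators(open(path, "rb").read())` over a suspect file; the Sigcheck section of the log above is the cheaper first check, since an infected system32 copy no longer matches its dllcache twin.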


#15 sachin naik

sachin naik
  • Topic Starter


Posted 23 March 2009 - 01:53 AM

But AVG says it can be removed; I have read it in the following link: http://free.avg.com/66558

So where is the removal tool? Please tell me, because I can't find it.

Will this Virut hack my Orkut accounts? If I use it, is it still safe?



