
Taskmanager and Registry disabled


  • This topic is locked
16 replies to this topic

#1 Harin Abhinav

  • Members
  • 9 posts

Posted 23 May 2009 - 03:35 PM

Hey, I'm using the Windows XP SP2 operating system. It was working fine until the day my AVG antivirus got disabled by itself, and from then on both my Task Manager and regedit are disabled; whenever I open them the system returns a message saying "This feature has been disabled by your admin", but I myself am the admin here. I tried installing several antiviruses, but everything is disabled as soon as it is installed. My system doesn't even work in safe mode now. I tried the solutions given for similar problems in this forum, but those don't work, so please help me!

Here is the HJT log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 1:51:44.21 on 2009-05-24
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.111 [GMT 5.5:30]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winckij.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\w5714f.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page =
uSearch Page =
mSearch Page =
mStart Page =
BHO: {00010d23-0929-4bed-9dad-4f05b0c07d87} - c:\windows\system32\rvzlyvco.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: : {fcc5a0b1-82fb-4e40-bebd-7f53a773f22b} - c:\windows\system32\nhgeqke.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RRT-Auto] c:\documents and settings\administrator\desktop\rrt\RRT.exe auto
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: zznxtdza - nhgeqke.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\3mexb67u.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 mjydojnj;mjydojnj;c:\windows\system32\drivers\mjydojnj.sys [2004-8-4 23424]
R2 tzdaubet;Disk Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R3 dac970nt;dac970nt;\??\c:\windows\system32\drivers\kljsgl.sys --> c:\windows\system32\drivers\kljsgl.sys [?]
RUnknown pavboot;pavboot; [x]
S3 PCIDATA;PCIDATA;\??\g:\pcidata.sys --> g:\PCIDATA.sys [?]
S3 RAMNETMP;Tata Indicom Broadband Adapter;c:\windows\system32\drivers\ramnet.sys --> c:\windows\system32\drivers\ramnet.sys [?]

=============== Created Last 30 ================

2009-05-24 01:42 <DIR> --d----- c:\program files\Trend Micro
2009-05-21 10:55 <DIR> --d----- c:\docume~1\admini~1\applic~1\spfdufsv
2009-05-21 08:32 34,576,517 a------- c:\docume~1\admini~1\applic~1\Ad-AwareAE.exe
2009-05-21 01:54 <DIR> --d----- c:\program files\XoftSpySE
2009-05-20 22:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-20 19:51 <DIR> --d----- c:\program files\Panda Security
2009-05-19 23:33 <DIR> --dsh--- C:\found.001
2009-05-19 17:33 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-05-19 17:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-19 16:50 <DIR> --d----- c:\program files\ESET
2009-05-19 15:32 <DIR> --d----- c:\program files\MSSOAP
2009-05-19 15:31 <DIR> --d----- c:\program files\Webroot
2009-05-18 16:24 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-05-18 16:24 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-05-18 16:24 153,088 a------- c:\windows\system32\unrar3.dll
2009-05-18 16:24 75,264 a------- c:\windows\system32\unacev2.dll
2009-05-18 16:24 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-05-18 16:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-05-18 13:29 1,351,392 a------- c:\windows\system32\Comctl32.ocx
2009-05-18 12:53 <DIR> --d----- c:\windows\system32\URTTEMP
2009-05-13 15:09 <DIR> --d----- C:\32788R22FWJFW.0.tmp
2009-05-12 00:53 131,856 a------- c:\windows\system32\MSADODC.ocx
2009-05-12 00:53 1,435,272 a------- c:\windows\system32\Flash.ocx
2009-05-12 00:53 512,688 a------- c:\windows\system32\XceedCry.dll
2009-05-12 00:53 423,784 a------- c:\windows\system32\XceedBkp.dll
2009-05-12 00:53 28,672 a------- c:\windows\system32\systray.ocx
2009-05-12 00:53 389,120 a------- c:\windows\system32\ACTSKN43.OCX
2009-05-12 00:53 188,416 a------- c:\windows\system32\actsplash.ocx
2009-05-12 00:53 101,888 a------- c:\windows\system32\VB6STKIT.DLL
2009-05-12 00:53 89,088 a------- c:\windows\system32\ProgressBar4.ocx
2009-05-12 00:53 11,012 a------- c:\windows\system32\threadapi.tlb
2009-05-10 23:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-05-10 22:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-05-07 23:49 <DIR> --d----- c:\program files\Kaspersky Lab
2009-05-04 23:35 35,328 a------- c:\windows\system32\ztLib.dll
2009-05-04 23:34 94,208 a------- c:\windows\system32\ScrUnZip.dll
2009-05-04 11:21 <DIR> --d----- C:\AVOneExport
2009-05-04 11:21 303,104 a------- c:\windows\system32\rmparser.dll
2009-05-04 11:21 1,003,520 a------- c:\windows\system32\ltmm_n.dll
2009-04-30 22:43 359,040 a------- c:\windows\system32\drivers\tcpip.sys.flg
2009-04-30 22:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\GetRight
2009-04-29 17:49 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-26 18:34 10,520 -------- c:\windows\system32\avgrsstx.dll.install_backup
2009-04-26 18:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-26 14:16 <DIR> --d----- c:\program files\ATS2

==================== Find3M ====================

2009-04-17 20:43 33,280 a------- c:\windows\system32\ConfigureScr.exe
2009-04-17 20:43 19,456 a------- c:\windows\system32\RemoveScr.exe
2009-04-14 15:05 90,112 a------- c:\windows\DUMP432e.tmp
2009-03-15 21:56 90,112 a------- c:\windows\DUMP5e0e.tmp
2009-03-12 02:38 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-12 01:28 81,984 a------- c:\windows\system32\bdod.bin
2009-03-11 23:54 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 1:52:44.10 ===============

Edited by Harin Abhinav, 23 May 2009 - 03:44 PM.
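An added defender-side example, not part of the original post and not code from the DDS, HijackThis or ComboFix tools: a Python script that reads lines in the DDS "Pseudo HJT Report" format shown above and flags the entries behind the symptoms described (the DisableTaskMgr/DisableRegistryTools policy values, BHOs with no display name, a winlogon Notify hook that loads the same DLL as one of them, and executables running from a Temp folder). The sample lines are copied from the log in this post; the heuristics and the reading of the DDS `u`/`m` prefixes as HKCU/HKLM are assumptions.

```python
"""Flag the DDS 'Pseudo HJT Report' entries behind a Task Manager / regedit lockout.

Added example for this thread; it is not part of the original post and is
not code from the DDS, HijackThis or ComboFix tools. The u/m prefixes are
read as HKCU/HKLM, which is an assumption about the DDS format.
"""
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the DDS log in the post.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winckij.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\w5714f.exe
BHO: {00010d23-0929-4bed-9dad-4f05b0c07d87} - c:\windows\system32\rvzlyvco.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: : {fcc5a0b1-82fb-4e40-bebd-7f53a773f22b} - c:\windows\system32\nhgeqke.dll
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
Notify: igfxcui - igfxsrvc.dll
Notify: zznxtdza - nhgeqke.dll
"""

# A running-process line is a bare path starting with a drive letter.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
# "BHO: <name>: {guid} - <path>"; the name part is absent or empty for
# the two suspicious entries in the log.
BHO_RE = re.compile(
    r"^BHO: (?:(?P<name>[^{]*?): )?\{(?P<guid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)
# "uPolicies-system: DisableTaskMgr = 1 (0x1)"; u = per-user, m = machine (assumed).
POLICY_RE = re.compile(
    r"^(?P<scope>[um])Policies-(?P<hive>\w+): (?P<key>\w+) = (?P<value>\d+)"
)
# Winlogon notification package entry: "Notify: <subkey> - <dll>".
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>\S+)$")

# Policy values that, when non-zero, produce the "disabled by your
# administrator" message the poster describes.
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr"}


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, str]] = []
    unnamed_bho_dlls = set()
    notify_entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            # Legitimate software almost never runs from a Temp folder.
            if "\\temp\\" in line.lower():
                findings.append({"kind": "temp-process", "detail": line})
            continue
        m = BHO_RE.match(line)
        if m:
            if not (m.group("name") or "").strip():
                dll = m.group("path").rsplit("\\", 1)[-1].lower()
                unnamed_bho_dlls.add(dll)
                findings.append({"kind": "unnamed-bho", "detail": m.group("path")})
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group("key") in LOCKOUT_POLICIES and int(m.group("value")) != 0:
                hive = "HKCU" if m.group("scope") == "u" else "HKLM"
                findings.append(
                    {"kind": "lockout-policy",
                     "detail": f"{hive} {m.group('key')}={m.group('value')}"}
                )
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify_entries.append(line)
    # Second pass (order-independent): a Notify hook loading the same DLL
    # as a nameless BHO is one DLL registered in two persistence locations,
    # which is worth a closer look regardless of what the names say.
    for line in notify_entries:
        dll = NOTIFY_RE.match(line).group("dll").lower()
        if dll in unnamed_bho_dlls:
            findings.append({"kind": "notify-hook-shared-dll", "detail": line})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}")
```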


#2 JSntgRvr

  • Master Surgeon General
  • Malware Response Team
  • 10,760 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 May 2009 - 08:06 PM

Hi, Harin Abhinav.

Welcome.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Harin Abhinav

  • Topic Starter

  • Members
  • 9 posts

Posted 24 May 2009 - 12:57 AM

Hi,
Thanks a lot for the response!

Here are the logs as you asked:

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22, on 2009-05-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vagbsf.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Administrator\Desktop\RRT\RRT.exe auto
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6594 bytes


Combofix:

Rootkit activities detected:

c:\windows\system32\drivers\ovfsthqhctsblxcolcvnmcnrpkbjjndrfqnpdy.sys
c:\windows\system32\ovfsthjdaxyvswfrnwqxpvcofufrqiwduspfrl.dat
c:\windows\system32\ovfsthlbspqrdqwhpuylinputimivnmrutdyua.dll
c:\windows\system32\ovfsthlmpobvevnbsbsevjwooxgnniluyfhins.dll
c:\windows\system32\ovfsthxovblybytebpubmigfnkevcmtdfdwjyp.dll
c:\windows\system32\ovfsthxuwktvvcwtkjkggffamgbwwbaewxvsws.dat


Combofix log:

ComboFix 09-05-23.04 - Administrator 2009-05-24 11:00.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.101 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\mjydojnj.sys
c:\windows\system32\drivers\ovfsth.sys
c:\windows\system32\drivers\ovfsthqhctsblxcolcvnmcnrpkbjjndrfqnpdy.sys
c:\windows\system32\drivers\xgpvzlck.sys
c:\windows\system32\nhgeqke.dll
c:\windows\system32\ovfsthjdaxyvswfrnwqxpvcofufrqiwduspfrl.dat
c:\windows\system32\ovfsthlbspqrdqwhpuylinputimivnmrutdyua.dll
c:\windows\system32\ovfsthlmpobvevnbsbsevjwooxgnniluyfhins.dll
c:\windows\system32\ovfsthxovblybytebpubmigfnkevcmtdfdwjyp.dll
c:\windows\system32\ovfsthxuwktvvcwtkjkggffamgbwwbaewxvsws.dat
c:\windows\system32\rvzlyvco.dll
c:\windows\system32\tugiqvw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxtmtasfvmfjwbnjdipylqbrsnaeemxre
-------\Legacy_DAC970NT
-------\Legacy_MJYDOJNJ
-------\Legacy_TZDAUBET
-------\Service_dac970nt
-------\Service_mjydojnj
-------\Service_tzdaubet


((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-23 20:12 . 2009-05-23 20:12 -------- d-----w c:\program files\Trend Micro
2009-05-21 05:25 . 2009-05-21 05:25 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\spfdufsv
2009-05-21 05:25 . 2009-05-21 05:25 -------- d-----w c:\documents and settings\Administrator\Application Data\spfdufsv
2009-05-21 03:02 . 2009-05-21 03:12 34576517 ----a-w c:\documents and settings\Administrator\Application Data\Ad-AwareAE.exe
2009-05-20 20:24 . 2009-05-21 02:52 -------- d-----w c:\program files\XoftSpySE
2009-05-20 17:02 . 2009-05-20 17:02 57344 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-11b545d0-n\Decora-SSE.dll
2009-05-20 17:02 . 2009-05-20 17:02 24064 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-688c03aa-n\Decora-D3D.dll
2009-05-20 17:02 . 2009-05-20 17:02 315392 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-496f807f-n\jogl.dll
2009-05-20 17:02 . 2009-05-20 17:02 20480 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-496f807f-n\jogl_awt.dll
2009-05-20 17:02 . 2009-05-20 17:02 114688 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-496f807f-n\jogl_cg.dll
2009-05-20 17:02 . 2009-05-20 17:02 20480 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-62bef40f-n\gluegen-rt.dll
2009-05-20 17:02 . 2009-05-20 17:02 499712 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-57ad7f18-n\msvcp71.dll
2009-05-20 17:02 . 2009-05-20 17:02 499712 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-57ad7f18-n\jmc.dll
2009-05-20 17:02 . 2009-05-20 17:02 348160 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-57ad7f18-n\msvcr71.dll
2009-05-20 16:59 . 2009-05-20 16:58 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-20 16:40 . 2009-05-20 16:40 152576 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-20 14:21 . 2009-05-23 20:18 -------- d-----w c:\program files\Panda Security
2009-05-19 18:03 . 2009-05-19 18:03 -------- d-sh--w C:\found.001
2009-05-19 12:03 . 2009-05-19 12:03 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-19 12:02 . 2009-05-19 12:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 11:20 . 2009-05-19 11:20 -------- d-----w c:\program files\ESET
2009-05-19 11:20 . 2009-05-19 11:20 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-19 10:02 . 2009-05-19 10:02 -------- d-----w c:\program files\MSSOAP
2009-05-19 10:01 . 2009-05-19 10:01 -------- d-----w c:\program files\Webroot
2009-05-18 10:54 . 2005-08-25 20:20 77312 ----a-w c:\windows\system32\ztvunace26.dll
2009-05-18 10:54 . 2006-06-19 07:31 69632 ----a-w c:\windows\system32\ztvcabinet.dll
2009-05-18 10:54 . 2006-05-25 10:22 162304 ----a-w c:\windows\system32\ztvunrar36.dll
2009-05-18 10:54 . 2003-02-02 14:36 153088 ----a-w c:\windows\system32\unrar3.dll
2009-05-18 10:54 . 2002-03-05 19:30 75264 ----a-w c:\windows\system32\unacev2.dll
2009-05-18 10:54 . 2009-05-18 10:54 -------- d-----w c:\documents and settings\All Users\Application Data\Simply Super Software
2009-05-18 07:23 . 2009-05-18 07:23 -------- d-----w c:\windows\system32\URTTEMP
2009-05-13 09:39 . 2009-05-13 09:39 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-11 19:23 . 2004-05-11 04:26 423784 ----a-w c:\windows\system32\XceedBkp.dll
2009-05-11 19:23 . 2003-11-19 08:29 512688 ----a-w c:\windows\system32\XceedCry.dll
2009-05-11 19:23 . 2000-07-14 23:30 101888 ----a-w c:\windows\system32\VB6STKIT.DLL
2009-05-10 18:03 . 2009-05-20 21:06 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-05-10 17:22 . 2009-05-11 20:21 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-05-07 18:19 . 2009-05-17 20:17 -------- d-----w c:\program files\Kaspersky Lab
2009-05-05 17:23 . 2009-05-05 17:23 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-05-05 11:00 . 2009-05-05 11:00 129608 ----a-w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 9.0.0.372\English\setup.exe
2009-05-04 18:05 . 2009-05-04 18:05 35328 ----a-w c:\windows\system32\ztLib.dll
2009-05-04 18:04 . 2009-05-04 18:04 94208 ----a-w c:\windows\system32\ScrUnZip.dll
2009-05-04 05:51 . 2009-05-04 05:51 -------- d-----w C:\AVOneExport
2009-05-04 05:51 . 2004-01-25 12:19 303104 ----a-w c:\windows\system32\rmparser.dll
2009-05-04 05:51 . 2003-12-13 16:10 1003520 ----a-w c:\windows\system32\ltmm_n.dll
2009-04-30 17:02 . 2009-04-30 17:14 -------- d-----w c:\documents and settings\Administrator\Application Data\GetRight
2009-04-29 12:19 . 2009-04-29 12:30 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-26 13:02 . 2009-04-29 09:04 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-26 10:36 . 2009-05-18 11:06 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-26 08:46 . 2009-04-26 13:16 -------- d-----w c:\program files\ATS2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 05:27 . 2009-03-11 19:34 -------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-05-23 20:19 . 2009-03-11 19:00 68456 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 20:41 . 2009-03-11 19:32 -------- d-----w c:\program files\Minilyrics
2009-05-20 17:22 . 2009-03-11 19:13 -------- d-----w c:\program files\Maxthon
2009-05-20 16:57 . 2009-03-11 19:30 -------- d-----w c:\program files\Java
2009-05-20 14:45 . 2009-03-11 18:39 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-07 18:17 . 2009-03-11 18:39 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-26 10:39 . 2009-03-24 07:45 -------- d-----w c:\program files\Soulseek
2009-04-26 08:20 . 2009-03-11 19:19 -------- d-----w c:\documents and settings\Administrator\Application Data\Orbit
2009-04-20 17:30 . 2009-04-20 17:30 -------- d-----w c:\program files\Tata Indicom Internet Service
2009-04-20 17:25 . 2009-04-17 19:45 -------- d-----w c:\program files\Getcounted Live
2009-04-18 04:08 . 2009-03-11 21:04 -------- d-----w c:\program files\Common Files\Adobe
2009-04-17 19:03 . 2009-04-17 19:03 -------- d-----w c:\program files\Opera
2009-04-17 15:13 . 2009-04-17 15:13 33280 ----a-w c:\windows\system32\ConfigureScr.exe
2009-04-17 15:13 . 2009-04-17 15:13 19456 ----a-w c:\windows\system32\RemoveScr.exe
2009-04-15 18:03 . 2009-03-24 07:52 -------- d-----w c:\documents and settings\Administrator\Application Data\DC++
2009-04-14 16:58 . 2009-04-14 16:58 0 ----a-w c:\windows\nsreg.dat
2009-04-14 09:35 . 2009-03-28 16:48 90112 ----a-w c:\windows\DUMP432e.tmp
2009-04-12 18:03 . 2009-03-22 04:55 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-03 18:26 . 2009-03-12 15:50 -------- d-----w c:\program files\Google
2009-03-25 18:32 . 2009-03-25 18:32 -------- d-----w c:\program files\Microsoft Works
2009-03-15 16:26 . 2009-03-11 23:35 90112 ----a-w c:\windows\DUMP5e0e.tmp
2009-03-11 21:08 . 2009-03-11 18:27 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-11 19:58 . 2009-03-11 19:07 81984 ----a-w c:\windows\system32\bdod.bin
2009-03-11 18:24 . 2009-03-11 18:24 21640 ----a-w c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-05-18_11.28.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-19 10:02 . 2009-05-19 10:02 82432 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2009-05-24 05:38 . 2009-05-24 05:38 16384 c:\windows\temp\Perflib_Perfdata_6c4.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 47360 c:\windows\system32\pydznjld.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 36608 c:\windows\system32\pivjbbwe.dat
+ 2004-08-04 12:00 . 2009-05-19 06:23 63334 c:\windows\system32\perfc009.dat
+ 2003-04-18 10:59 . 2003-04-18 10:59 82432 c:\windows\system32\msxml4r.dll
- 2009-05-07 18:26 . 2009-05-07 18:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-07 18:26 . 2009-05-22 19:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-07 18:26 . 2009-05-22 19:52 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-05-07 18:26 . 2009-05-07 18:25 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-05-07 18:26 . 2009-05-22 19:52 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-05-07 18:26 . 2009-05-07 18:25 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 45824 c:\windows\system32\axudgyur.dat
+ 2009-05-19 10:02 . 2009-05-19 10:02 10134 c:\windows\Installer\{32343DB6-9A52-40C9-87E4-5E7C79791C87}\ARPPRODUCTICON.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 633600 c:\windows\system32\ykwuarxk.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 218880 c:\windows\system32\vvaaauif.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 143872 c:\windows\system32\uuglybec.dll
+ 2004-08-04 12:00 . 2009-05-19 06:23 403858 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 196608 c:\windows\system32\libssl32.dll
+ 2004-08-04 12:00 . 2004-08-04 12:00 175360 c:\windows\system32\kqdpgaax.dat
+ 2009-05-20 16:59 . 2009-05-20 16:58 148888 c:\windows\system32\javaws.exe
+ 2009-05-20 16:59 . 2009-05-20 16:58 144792 c:\windows\system32\javaw.exe
+ 2009-05-20 16:59 . 2009-05-20 16:58 144792 c:\windows\system32\java.exe
+ 2009-03-11 18:58 . 2004-02-10 05:25 229376 c:\windows\system32\igfxtray.exe
+ 2009-03-11 18:58 . 2004-02-10 05:21 192512 c:\windows\system32\hkcmd.exe
+ 2009-03-11 23:43 . 2009-05-18 12:38 263024 c:\windows\system32\FNTCACHE.DAT
- 2009-03-11 23:43 . 2009-05-05 07:38 263024 c:\windows\system32\FNTCACHE.DAT
+ 2005-07-29 14:37 . 2005-07-29 14:37 143360 c:\windows\system32\asuninst.exe
+ 2009-05-19 10:02 . 2009-05-19 10:02 1233920 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2003-04-18 11:16 . 2003-04-18 11:16 1233920 c:\windows\system32\msxml4.dll
+ 2004-08-04 12:00 . 2004-08-04 12:00 6566656 c:\windows\system32\ltwiarbd.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 1015808 c:\windows\system32\libeay32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-11 238416]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 229376]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 192512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-20 148888]
"RRT-Auto"="c:\documents and settings\Administrator\Desktop\RRT\RRT.exe" [BU]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 172360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"RRT-Auto"=c:\documents and settings\Administrator\Desktop\RRT.exe auto
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Gamez\\CS Non Steam Working\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\Program Files\\Java\\jre1.6.0_06\\bin\\jucheck.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Updater6\\Adobe_Updater.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\vagbsf.exe"=

S3 PCIDATA;PCIDATA;\??\g:\pcidata.sys --> g:\PCIDATA.sys [?]
S3 RAMNETMP;Tata Indicom Broadband Adapter;c:\windows\system32\DRIVERS\ramnet.sys --> c:\windows\system32\DRIVERS\ramnet.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y8PBC5C0-4FCB-11CF-AAX5-81CX1C635612}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{00010D23-0929-4BED-9DAD-4F05B0C07D87} - c:\windows\system32\rvzlyvco.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3mexb67u.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 11:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(520)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\msi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\docume~1\ADMINI~1\LOCALS~1\temp\vagbsf.exe
.
**************************************************************************
.
Completion time: 2009-05-24 11:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 05:48
ComboFix2.txt 2009-05-18 11:36
ComboFix3.txt 2009-05-17 21:12
ComboFix4.txt 2009-05-11 19:11
ComboFix5.txt 2009-05-24 05:18

Pre-Run: 26,375,847,936 bytes free
Post-Run: 26,347,773,952 bytes free


#4 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,760 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:01 AM

Posted 24 May 2009 - 07:06 PM

Hi, Harin Abhinav :thumbup2:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

http://www.bleepingcomputer.com/forums/ind...22&t=228933

File::
c:\docume~1\ADMINI~1\LOCALS~1\temp\vagbsf.exe

Collect::[4]
c:\windows\system32\ykwuarxk.dat
c:\windows\system32\vvaaauif.dat
c:\windows\system32\uuglybec.dll
c:\windows\system32\kqdpgaax.dat
c:\windows\system32\libssl32.dll
c:\windows\system32\pydznjld.dat
c:\windows\system32\pivjbbwe.dat

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"d:\\Gamez\\CS Non Steam Working\\hl.exe"=-
"c:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\vagbsf.exe"=-


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additionally, when CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Edited by JSntgRvr, 24 May 2009 - 07:11 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Harin Abhinav

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 PM

Posted 01 June 2009 - 01:41 PM

Hey.. Really sorry for the delay, but I think the virus had failed my OS.. had to re-install Windows XP again.
The problem is, even after formatting my root drive the virus isn't gone.. my Task Manager as well as Registry are all still disabled, and on top of that even all the antiviruses are being disabled.
Am I supposed to run the above script in this condition too? I mean, even after formatting, or is there some other procedure to follow? Enlighten me please!

#6 Harin Abhinav

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 PM

Posted 01 June 2009 - 02:19 PM

Here are the latest logs of my system.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:28 AM, on 6/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WINMINE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

--
End of file - 1559 bytes


Combofix:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:28 AM, on 6/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WINMINE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

--
End of file - 1559 bytes

#7 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,760 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:01 AM

Posted 01 June 2009 - 02:22 PM

No.

Download OTS.exe by OldTimer to your Desktop.
  • Close any open browsers.
  • Double-click on OTS.exe to start the program.
  • Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).



#8 Harin Abhinav

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 PM

Posted 02 June 2009 - 01:36 AM

Here is the OTS log you asked for, attached.

Attached Files

  • Attached File  OTS.Txt   398.61KB   2 downloads


#9 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,760 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:01 AM

Posted 02 June 2009 - 11:03 AM

Was the reinstall a repair or did you reformat the drive?

Start OTS. Copy/Paste the information in the Quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Kill Explorer]
[Registry - Safe List]
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
[Empty Temp Folders]
[Start Explorer]
[Reboot]



The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Edited by JSntgRvr, 02 June 2009 - 11:05 AM.

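The two fixes in this thread (the CFScript in post #4 and the OTS fix above) both come down to the same triage: read the "Reg Loading Points" section of the ComboFix log, spot the values the infection set (Task Manager and Registry Editor locked out by policy, Security Center warnings overridden, the firewall switched off, a firewall exception for an executable in a Temp folder), and delete the ones that are plain value deletions. The script below is an added example, not code from the thread, ComboFix or OTS: it parses a REGEDIT4-style excerpt constructed from the values in the posted log, flags those indicators, and emits the `Registry::` section in the `"name"=-` syntax the helper's CFScript used. The indicator rules, finding wording, and helper names (`audit`, `cfscript_registry_section`, `Finding`) are this example's own assumptions.

```python
"""Flag registry tampering in a ComboFix 'Reg Loading Points' excerpt (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the REGEDIT4-style section of the posted log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\vagbsf.exe"=
"""


@dataclass(frozen=True)
class Finding:
    key: str     # registry key the value lives under
    name: str    # value name (for firewall exceptions, the executable path)
    value: str   # raw value text as printed by ComboFix
    reason: str  # why it was flagged (wording is this example's assumption)


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

POLICY_LOCKOUTS = {
    "DisableTaskMgr": "Task Manager disabled by policy",
    "DisableRegistryTools": "Registry Editor disabled by policy",
}
TEMP_EXCEPTION = "firewall exception for an executable in a Temp folder"
# Only these findings map to a plain value deletion, which is all the
# helper's CFScript did; the firewall switch and Security Center overrides
# are reported but not scripted here.
REMOVABLE = set(POLICY_LOCKOUTS.values()) | {TEMP_EXCEPTION}


def parse_reg_points(text):
    """Yield (key, name, value) triples from a REGEDIT4-style excerpt."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value").strip()


def as_int(value):
    """Normalise 'dword:00000001' or '1 (0x1)' to an int; None if not numeric."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^(\d+)\b", value)
    return int(m.group(1)) if m else None


def audit(text):
    """Return a Finding for every tampered setting in the excerpt, in log order."""
    findings = []
    for key, name, value in parse_reg_points(text):
        k, n = key.lower(), as_int(value)
        if k.endswith(r"\policies\system") and name in POLICY_LOCKOUTS and n == 1:
            findings.append(Finding(key, name, value, POLICY_LOCKOUTS[name]))
        elif r"\security center" in k and n == 1 and name.endswith(("Override", "DisableNotify")):
            findings.append(Finding(key, name, value, "Security Center warning suppressed"))
        elif k.endswith(r"\standardprofile") and name == "EnableFirewall" and n == 0:
            findings.append(Finding(key, name, value, "Windows Firewall disabled for the standard profile"))
        elif k.endswith(r"\authorizedapplications\list") and re.search(r"\\temp\\", name, re.I):
            findings.append(Finding(key, name, value, TEMP_EXCEPTION))
    return findings


def cfscript_registry_section(findings):
    """Build the 'Registry::' section of a CFScript: "name"=- under [key] deletes a value."""
    lines, last_key = ["Registry::"], None
    for f in findings:
        if f.reason not in REMOVABLE:
            continue
        if f.key != last_key:
            lines.append(f"[{f.key}]")
            last_key = f.key
        lines.append(f'"{f.name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}: {f.name} = {f.value!r}")
    print(cfscript_registry_section(found))
```

Run it as-is to see the six findings and the generated `Registry::` block; pointing `audit()` at the text of a real ComboFix.txt works the same way, since the parser only relies on the `[key]` / `"name"=value` layout shown in the log. Security Center overrides and `EnableFirewall` are deliberately reported but not turned into deletions, because restoring those is a different action from removing a policy value.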


#10 Harin Abhinav

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 PM

Posted 03 June 2009 - 02:35 AM

Well, it was a reformat of my root drive.
Just ran the fix in OTS.. here is the log: Attached File  06032009_120829.log   4.02KB   9 downloads

Couldn't find much of a difference even after running the fix.

#11 Harin Abhinav

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 PM

Posted 03 June 2009 - 02:46 AM

Can't upload the latest log since the size of the log is much bigger than the available space!
Thanks a lot for the effort you're putting in to help me, man!
:thumbup2:

#12 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,760 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:01 AM

Posted 03 June 2009 - 11:01 AM

Can't upload the latest log since the size of the log is much bigger than the available space!
Thanks a lot for the effort you're putting in to help me, man!
:thumbup2:

Are Regedit and the task manager still disabled?



#13 Harin Abhinav

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 PM

Posted 04 June 2009 - 01:08 AM

Sorry to say, but yeah, they are still disabled and even the antivirus is. :thumbup2:

Edited by Harin Abhinav, 04 June 2009 - 01:08 AM.


#14 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,760 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:01 AM

Posted 04 June 2009 - 08:26 AM

Hi, Harin Abhinav :thumbup2:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#15 Harin Abhinav

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 PM

Posted 05 June 2009 - 01:05 PM

Here are the latest combofix and hijackthis logs:

Combofix: Attached File  ComboFix.txt   7.29KB   13 downloads

Hijackthis: Attached File  hijackthis.log   1.6KB   9 downloads



