Scanned with NOD32 v2.7, and AVG antispyware v7.5 and fix 2 found trojan horse and were removed. Kindly analyze my pc if it is still there.


Logfile of HijackThis v1.99.1
Scan saved at 7:04:46 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\VM302Snap.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Zaievol\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM302Snap.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Registration Prince of Persia The Two Thrones.LNK = F:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hello marian,

Please uninstall your old version of HijackThis, it is outdated.

Click here to download HJTInstall.exe

• Save HJTInstall.exe to your desktop.
• Doubleclick on the HJTInstall.exe icon on your desktop.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

----------------------------------------------- Step 2

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Hereunder are the reports from Combofix , and hijack this which you required me to run.


ComboFix 08-08-29.02 - Zaievol 2008-08-30 15:50:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1473 [GMT 8:00]
Running from: C:\Documents and Settings\Zaievol\Desktop\Combo-Fix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk
C:\Documents and Settings\Zaievol\Application Data\FunWebProducts
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\bin.clearspring.com
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\bin.clearspring.com\ws\wan\wanLib.swf\463a656a1ea70875.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\interclick.com
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\interclick.com\ud.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0261\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0267\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0268\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0270\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0272\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0275\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0288\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0290\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0293\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0307\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\#SharedObjects\JDF4R7G4\static.youku.com\v1.0.0312\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Zaievol\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\Zaievol\Cookies\adilan.vbs
C:\Documents and Settings\Zaievol\Cookies\akysyraso.ban
C:\Documents and Settings\Zaievol\Cookies\dovub.inf
C:\Documents and Settings\Zaievol\Cookies\ebixa.sys
C:\Documents and Settings\Zaievol\Cookies\hasas.exe
C:\Documents and Settings\Zaievol\Cookies\mulehumo.scr
C:\Documents and Settings\Zaievol\Cookies\mytedehery.db
C:\Documents and Settings\Zaievol\Cookies\ujagum.vbs
C:\Documents and Settings\Zaievol\Cookies\xyjo.exe
C:\Documents and Settings\Zaievol\Local Settings\Temporary Internet Files\agisen.db
C:\Documents and Settings\Zaievol\Local Settings\Temporary Internet Files\fovikevan._dl
C:\Documents and Settings\Zaievol\Local Settings\Temporary Internet Files\gacewyseta.com
C:\Documents and Settings\Zaievol\Local Settings\Temporary Internet Files\jomo.lib
C:\Documents and Settings\Zaievol\Local Settings\Temporary Internet Files\jygow.ban
C:\Documents and Settings\Zaievol\Local Settings\Temporary Internet Files\paticop.exe
C:\Documents and Settings\Zaievol\Local Settings\Temporary Internet Files\qikywymy._sy
C:\Documents and Settings\Zaievol\Local Settings\Temporary Internet Files\ywib.ban
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\019503D6.urr
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\XPSecurityCenter
C:\Program Files\XPSecurityCenter\comp.dat
C:\Program Files\XPSecurityCenter\data\daily.cvd
C:\Program Files\XPSecurityCenter\htmlayout.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll
C:\Program Files\XPSecurityCenter\pthreadVC2.dll
C:\Program Files\XPSecurityCenter\un.ico
C:\Program Files\XPSecurityCenter\unzip32.dll
C:\Program Files\XPSecurityCenter\wscui.cpl
C:\Program Files\XPSecurityCenter\XP_SecurityCenter.cfg
C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\vsdatant.sys
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_VSDATANT
-------\Service_MyWebSearchService
-------\Service_vsdatant


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-30 15:39 . 2008-08-30 15:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 16:51 . 2008-08-27 16:51 <DIR> dr------- C:\Documents and Settings\Zaievol\Application Data\Brother
2008-08-19 00:25 . 2008-08-19 20:43 <DIR> d-------- C:\Documents and Settings\zaiganda28
2008-08-19 00:25 . 2006-01-13 09:24 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-17 21:49 . 2008-08-17 21:50 400 --ah----- C:\IPH.PH
2008-08-17 15:07 . 2008-08-17 15:07 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-08-17 15:07 . 2008-08-17 15:07 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-08-17 15:06 . 2006-01-06 15:53 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-08-17 14:55 . 2008-08-17 14:55 50 --a------ C:\WINDOWS\system32\bridf07a.dat
2008-08-17 14:54 . 2007-02-01 13:19 1,520,640 --a------ C:\WINDOWS\system32\BrWia07a.dll
2008-08-17 14:54 . 2007-01-26 16:13 54,784 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-08-17 14:54 . 2007-01-26 14:06 45,568 --a------ C:\WINDOWS\system32\BrUsi07a.dll
2008-08-17 14:54 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-08-17 14:53 . 2008-08-17 14:55 <DIR> d-------- C:\Program Files\Brother
2008-08-17 14:53 . 2006-12-28 13:39 176,128 --------- C:\WINDOWS\system32\BroSNMP.dll
2008-08-17 14:53 . 2007-01-18 13:51 163,840 --------- C:\WINDOWS\system32\NSSearch.dll
2008-08-17 14:53 . 2007-02-15 13:54 131,072 --------- C:\WINDOWS\brunin03.dll
2008-08-17 14:53 . 2007-01-25 17:16 94,208 -r------- C:\WINDOWS\system32\BrDctF2.dll
2008-08-17 14:53 . 2007-01-15 21:54 12,288 -r------- C:\WINDOWS\system32\BrDctF2S.dll
2008-08-17 14:53 . 2007-01-15 16:09 12,288 -r------- C:\WINDOWS\system32\BrDctF2L.dll
2008-08-17 14:53 . 2001-11-15 01:00 6,224 --------- C:\WINDOWS\CVRPAGE.BMP
2008-08-17 14:52 . 2008-08-17 14:52 <DIR> d-------- C:\Program Files\Nuance
2008-08-17 14:49 . 2008-08-17 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-08-17 14:29 . 2008-08-17 14:29 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Grisoft
2008-08-16 20:02 . 2008-08-28 13:32 <DIR> d-------- C:\Program Files\The Lost Crown
2008-08-16 18:09 . 2008-08-30 15:56 61,724,704 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-16 18:09 . 2008-08-30 15:53 727,520 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-16 18:05 . 2008-08-16 18:05 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-08-16 18:02 . 2008-08-16 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-16 18:02 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-16 18:02 . 2008-08-16 18:10 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-16 18:01 . 2008-08-16 18:01 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-16 17:29 . 2008-08-16 17:29 18,301 --a------ C:\Documents and Settings\All Users\Application Data\ducuq.reg
2008-08-16 17:29 . 2008-08-16 17:29 16,709 --a------ C:\Documents and Settings\All Users\Application Data\lywahinow.bin
2008-08-16 17:29 . 2008-08-16 17:29 16,012 --a------ C:\Program Files\Common Files\oroq.bat
2008-08-16 17:29 . 2008-08-16 17:29 15,480 --a------ C:\WINDOWS\owokarel.sys
2008-08-16 17:29 . 2008-08-16 17:29 14,764 --a------ C:\WINDOWS\koryxej._sy
2008-08-16 17:29 . 2008-08-16 17:29 12,955 --a------ C:\WINDOWS\system32\qocit.inf
2008-08-16 17:13 . 2008-08-16 17:13 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\Grisoft
2008-08-16 17:13 . 2008-08-16 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-16 17:13 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-08-16 00:51 . 2008-05-18 17:51 <DIR> d-------- C:\Documents and Settings\Guest\ff_temp
2008-08-16 00:51 . 2008-08-16 00:51 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-08-16 00:51 . 2008-05-18 17:51 <DIR> d-------- C:\Documents and Settings\Guest\7zS182C.tmp
2008-08-16 00:51 . 2008-08-19 18:54 <DIR> d-------- C:\Documents and Settings\Guest
2008-08-15 20:31 . 2006-01-06 15:53 78,464 --a------ C:\WINDOWS\system32\drivers\usbvideo.sys
2008-08-15 20:31 . 2006-01-06 15:53 20,992 --a------ C:\WINDOWS\system32\dshowext.ax
2008-08-13 20:16 . 2008-08-13 20:16 19,652 --a------ C:\WINDOWS\icetygowi.db
2008-08-13 20:16 . 2008-08-13 20:16 19,608 --a------ C:\WINDOWS\efecehed.scr
2008-08-13 20:16 . 2008-08-13 20:16 18,767 --a------ C:\WINDOWS\system32\yrawutukef._dl
2008-08-13 20:16 . 2008-08-13 20:16 18,650 --a------ C:\Documents and Settings\Zaievol\Application Data\ukocuki.com
2008-08-13 20:16 . 2008-08-13 20:16 17,807 --a------ C:\WINDOWS\xefatuqa.vbs
2008-08-13 20:16 . 2008-08-13 20:16 17,019 --a------ C:\WINDOWS\gicijuwahe.dll
2008-08-13 20:16 . 2008-08-13 20:16 15,772 --a------ C:\Documents and Settings\Zaievol\Application Data\zesyvad.dat
2008-08-13 20:16 . 2008-08-13 20:16 15,684 --a------ C:\WINDOWS\tukypyvug.vbs
2008-08-13 20:16 . 2008-08-13 20:16 15,421 --a------ C:\Documents and Settings\All Users\Application Data\ligypa.exe
2008-08-13 20:16 . 2008-08-13 20:16 14,695 --a------ C:\Program Files\Common Files\luha.scr
2008-08-13 20:16 . 2008-08-13 20:16 14,178 --a------ C:\WINDOWS\pucocynuti.exe
2008-08-13 20:16 . 2008-08-13 20:16 14,089 --a------ C:\Documents and Settings\Zaievol\Application Data\zyxapelono.reg
2008-08-13 20:16 . 2008-08-13 20:16 13,976 --a------ C:\WINDOWS\rocicikop.inf
2008-08-13 20:16 . 2008-08-13 20:16 13,283 --a------ C:\WINDOWS\system32\okivamy.reg
2008-08-13 20:16 . 2008-08-13 20:16 10,965 --a------ C:\WINDOWS\faqitybow.dat
2008-08-13 20:16 . 2008-08-13 20:16 10,257 --a------ C:\Documents and Settings\Zaievol\Application Data\luvydet.dat
2008-08-13 18:19 . 2008-08-13 18:19 <DIR> d-------- C:\Program Files\Vimicro
2008-08-13 18:19 . 2008-08-13 18:19 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\InstallShield
2008-08-13 18:19 . 2007-08-08 10:59 1,472,896 --a------ C:\WINDOWS\system32\drivers\usbVM302.sys
2008-08-13 18:19 . 2007-03-18 18:06 475,136 --a------ C:\WINDOWS\system32\drivers\vvftav302.sys
2008-08-13 18:19 . 2006-11-08 14:25 122,880 --a------ C:\WINDOWS\rm302.exe
2008-08-13 18:19 . 2007-04-03 15:50 77,824 --a------ C:\WINDOWS\ZC0302Cap.exe
2008-08-13 18:19 . 2004-12-10 14:30 61,440 --a------ C:\WINDOWS\system32\VM302STI.dll
2008-08-13 18:19 . 2007-10-25 14:09 57,344 --a------ C:\WINDOWS\VM302Snap.exe
2008-08-13 18:19 . 2006-07-04 14:16 49,152 --a------ C:\WINDOWS\Domino.exe
2008-08-13 18:19 . 2002-10-16 09:29 49,152 --a------ C:\WINDOWS\amcap.exe
2008-08-13 18:09 . 2008-08-13 18:09 <DIR> d-------- C:\Program Files\Vimicro Corporation
2008-08-13 18:09 . 2008-08-13 18:09 <DIR> d-------- C:\Program Files\Common Files\Vimicro Corporation
2008-08-13 18:09 . 2007-04-30 15:31 32,768 --a------ C:\WINDOWS\merit.exe
2008-08-11 21:02 . 2008-08-26 15:52 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-08-06 14:38 . 2008-08-06 14:38 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-08-06 13:51 . 2008-08-06 13:51 16,202 --a------ C:\WINDOWS\goli.bat
2008-08-02 00:32 . 2008-08-02 00:32 16,770 --a------ C:\WINDOWS\system32\lavig.dat
2008-07-29 11:21 . 2008-07-29 11:21 19,837 --a------ C:\WINDOWS\system32\aturecila._dl
2008-07-29 11:21 . 2008-07-29 11:21 18,598 --a------ C:\Documents and Settings\All Users\Application Data\icyjudeb.exe
2008-07-29 11:21 . 2008-07-29 11:21 18,229 --a------ C:\Program Files\Common Files\yhuv.sys
2008-07-29 11:21 . 2008-07-29 11:21 14,945 --a------ C:\WINDOWS\ubyfus._dl
2008-07-29 11:21 . 2008-07-29 11:21 14,017 --a------ C:\Program Files\Common Files\elesifyrak.sys
2008-07-29 11:21 . 2008-07-29 11:21 13,991 --a------ C:\Documents and Settings\Zaievol\Application Data\voluw.bat
2008-07-29 11:21 . 2008-07-29 11:21 13,909 --a------ C:\WINDOWS\jofifalig.inf
2008-07-29 11:21 . 2008-07-29 11:21 13,636 --a------ C:\WINDOWS\taxapibode._sy
2008-07-29 11:21 . 2008-07-29 11:21 13,419 --a------ C:\WINDOWS\oreg.scr
2008-07-29 11:21 . 2008-07-29 11:21 13,226 --a------ C:\Documents and Settings\All Users\Application Data\ojujiqux.sys
2008-07-29 11:21 . 2008-07-29 11:21 12,426 --a------ C:\Documents and Settings\Zaievol\Application Data\digikexo.com
2008-07-29 11:21 . 2008-07-29 11:21 11,471 --a------ C:\WINDOWS\bawocuxur._sy
2008-07-29 11:21 . 2008-07-29 11:21 11,291 --a------ C:\WINDOWS\system32\ylyx.scr
2008-07-29 11:21 . 2008-07-29 11:21 10,828 --a------ C:\WINDOWS\qowifesyru.vbs
2008-07-29 11:21 . 2008-07-29 11:21 10,310 --a------ C:\WINDOWS\yfyvowen.lib
2008-07-28 17:13 . 2008-07-28 17:13 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-25 22:47 . 2008-07-25 22:47 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\acccore
2008-07-21 05:54 . 2008-07-21 05:54 <DIR> d-------- C:\Logs
2008-07-20 18:58 . 2008-07-20 19:20 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-10 07:35 . 2008-07-10 07:35 <DIR> d-------- C:\Program Files\DivX
2008-07-09 23:44 . 2008-07-09 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\POP3Profiles
2008-07-09 22:05 . 2008-07-09 23:26 <DIR> d-------- C:\Program Files\Buka
2008-07-09 21:59 . 2008-07-09 21:59 165,376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-09 21:59 . 2008-07-09 21:59 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-07-09 21:58 . 2008-07-09 21:58 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-09 21:58 . 2008-07-09 21:58 <DIR> d-------- C:\WINDOWS\Profiles
2008-07-09 21:58 . 2008-07-09 21:58 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\InterTrust
2008-07-09 21:58 . 1998-10-29 14:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-09 19:05 . 2008-07-09 19:05 <DIR> d-------- C:\Program Files\LimeWire
2008-07-09 19:05 . 2008-08-30 13:00 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\LimeWire
2008-07-09 18:55 . 2008-07-09 18:55 <DIR> d-------- C:\Program Files\SEGA
2008-07-09 18:49 . 2008-07-09 18:49 <DIR> dr-h----- C:\Documents and Settings\Zaievol\Application Data\SecuROM
2008-07-09 18:49 . 2008-07-09 18:49 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-09 18:46 . 2008-07-09 22:28 205 --a------ C:\WINDOWS\disneysy.ini
2008-07-09 18:46 . 2008-07-09 22:40 121 --a------ C:\WINDOWS\disney.ini
2008-07-09 18:40 . 2008-07-09 18:40 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-09 08:16 . 2008-07-09 08:16 126,976 --a------ C:\WINDOWS\War3Unin.exe
2008-07-09 08:16 . 2008-07-09 08:17 14,949 --a------ C:\WINDOWS\War3Unin.dat
2008-07-09 08:16 . 2008-07-09 08:16 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-08 21:05 . 2008-07-08 21:04 286,720 --a------ C:\WINDOWS\iun506.exe
2008-07-08 21:04 . 2008-07-08 21:04 <DIR> d-------- C:\WINDOWS\Prefs
2008-07-08 21:04 . 2008-08-16 01:05 <DIR> d-------- C:\Program Files\Las Vegas Casino
2008-07-05 13:50 . 2008-07-22 18:33 <DIR> d-------- C:\Documents and Settings\Zaievol\Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 03:56 1,909,248 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-08-29 03:56 1,440,768 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-08-29 03:22 --------- d-----w C:\Program Files\MSN Messenger
2008-08-25 05:35 863,232 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-08-25 05:35 1,426,944 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-08-22 16:26 574,464 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-08-22 16:26 1,419,776 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-08-21 03:20 1,418,240 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-08-21 03:19 1,415,680 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-08-20 15:29 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\Skype
2008-08-19 12:39 2,932,736 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-08-19 04:24 1,400,832 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-08-19 04:24 1,037,312 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-18 08:54 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\Nokia Multimedia Player
2008-08-17 07:13 3,022,848 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-08-17 07:13 1,377,280 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-08-17 06:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 17:47 586,240 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-08-16 17:47 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-08-16 17:42 1,369,088 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-08-16 17:41 2,998,784 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-16 16:01 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\skypePM
2008-08-16 09:44 --------- d-----w C:\Program Files\ESET
2008-08-16 09:29 10,139 ----a-w C:\Program Files\Common Files\oguxafowev._sy
2008-08-06 07:25 560 ----a-w C:\Documents and Settings\Zaievol\Application Data\ViewerApp.dat
2008-08-06 06:38 --------- d-----w C:\Program Files\Sony Corporation
2008-07-29 03:21 19,820 ----a-w C:\Program Files\Common Files\axyxe.dl
2008-07-29 03:21 16,848 ----a-w C:\Program Files\Common Files\adytytabu.ban
2008-07-25 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-13 12:25 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\Ahead
2008-07-09 14:47 --------- d-----w C:\Program Files\EA SPORTS
2008-07-09 13:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 01:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-06 09:13 --------- d-----w C:\Program Files\FrostWire
2008-07-06 06:29 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\FrostWire
2008-06-29 10:05 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-06-29 10:05 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-06-29 10:05 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-18 09:51 107,132 ----a-w C:\WINDOWS\UninstallFirefox.exe
2008-05-18 03:11 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

------- Sigcheck -------

2006-01-13 10:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 C:\WINDOWS\system32\drivers\tcpip.sys

2006-01-13 09:46 1075200 2deaca71a7fd77205f59d48d76b2f565 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-05-18 13:34 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-07-04 14:01 148776]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 12:49 451872]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-26 22:14 68856]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 21:58 4269296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-09 01:53 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-09 01:53 81920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-29 18:05 949376]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-07-04 14:20 161064]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 12:36 229376]
"BigDogPath"="C:\WINDOWS\VM302Snap.exe" [2007-10-25 14:09 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Domino"="C:\WINDOWS\Domino.exe" [2006-07-04 14:16 49152]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 14:51 663552]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 15:58 65536]
"nwiz"="nwiz.exe" [2008-01-09 01:53 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="C:\WINDOWS\system32\msnsc.exe" [2006-01-13 09:36 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-01-13 09:25 44544]

C:\Documents and Settings\Zaievol\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-03-27 01:19:43 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-08-06 14:38:29 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2008-08-06 14:38:27 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-12-14 19:13 7095344 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
--a------ 2008-01-29 11:19 2157096 C:\Program Files\VDOTool\TBPANEL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-08-20 15:38 16384512 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2007-08-03 13:22 1826816 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 vvftav302;vvftav302;C:\WINDOWS\system32\drivers\vvftav302.sys [2007-03-18 18:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7644f23c-2bcf-11dd-bfe5-001e8c078927}]
\Shell\AutoRun\command - H:\
\Shell\explore\Command - WScript.exe .\azkaban.vbs
\Shell\open\Command - WScript.exe .\azkaban.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-XP SecurityCenter - C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe
HKLM-Run-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Zaievol\Application Data\Mozilla\Firefox\Profiles\rekggvdq.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 15:56:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-30 15:59:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-30 07:59:24

Pre-Run: 10,787,393,536 bytes free
Post-Run: 12,714,205,184 bytes free

379



Hijack this scanned report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:45 PM, on 8/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\VM302Snap.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM302Snap.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Registration Prince of Persia The Two Thrones.LNK = F:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8748 bytes

Hello marian,

Please, please, please, reply sooner than two weeks after I reply in the future. You have no idea how the malware likes to replicate when left to do it's thing for weeks at a time. Your computer is heavily infected, and I can't guarantee it will ever be safe to securely use again. That said, I'll continue on with my fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Sorry for my delayed respond. Hereunder is the report that you required me to submit. Again, please accept my apology.

ComboFix 08-08-29.02 - Zaievol 2008-09-03 18:32:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1663 [GMT 8:00]
Running from: C:\Documents and Settings\Zaievol\Desktop\Combo-Fix.exe.exe
Command switches used :: C:\Documents and Settings\Zaievol\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\ducuq.reg
C:\Documents and Settings\All Users\Application Data\icyjudeb.exe
C:\Documents and Settings\All Users\Application Data\ligypa.exe
C:\Documents and Settings\All Users\Application Data\lywahinow.bin
C:\Documents and Settings\All Users\Application Data\ojujiqux.sys
C:\Documents and Settings\Zaievol\Application Data\digikexo.com
C:\Documents and Settings\Zaievol\Application Data\luvydet.dat
C:\Documents and Settings\Zaievol\Application Data\ukocuki.com
C:\Documents and Settings\Zaievol\Application Data\voluw.bat
C:\Documents and Settings\Zaievol\Application Data\zesyvad.dat
C:\Documents and Settings\Zaievol\Application Data\zyxapelono.reg
C:\Program Files\Common Files\adytytabu.ban
C:\Program Files\Common Files\axyxe.dl
C:\Program Files\Common Files\elesifyrak.sys
C:\Program Files\Common Files\luha.scr
C:\Program Files\Common Files\oguxafowev._sy
C:\Program Files\Common Files\oroq.bat
C:\Program Files\Common Files\yhuv.sys
C:\WINDOWS\bawocuxur._sy
C:\WINDOWS\BRPP2KA.INI
C:\WINDOWS\BRWMARK.INI
C:\WINDOWS\efecehed.scr
C:\WINDOWS\faqitybow.dat
C:\WINDOWS\gicijuwahe.dll
C:\WINDOWS\goli.bat
C:\WINDOWS\icetygowi.db
C:\WINDOWS\jofifalig.inf
C:\WINDOWS\koryxej._sy
C:\WINDOWS\oreg.scr
C:\WINDOWS\owokarel.sys
C:\WINDOWS\pucocynuti.exe
C:\WINDOWS\qowifesyru.vbs
C:\WINDOWS\rocicikop.inf
C:\WINDOWS\system32\aturecila._dl
C:\WINDOWS\system32\lavig.dat
C:\WINDOWS\system32\msnsc.exe
C:\WINDOWS\system32\okivamy.reg
C:\WINDOWS\system32\qocit.inf
C:\WINDOWS\system32\wmpns.dll
C:\WINDOWS\system32\ylyx.scr
C:\WINDOWS\system32\yrawutukef._dl
C:\WINDOWS\taxapibode._sy
C:\WINDOWS\tukypyvug.vbs
C:\WINDOWS\ubyfus._dl
C:\WINDOWS\xefatuqa.vbs
C:\WINDOWS\yfyvowen.lib
.

((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-08-30 15:39 . 2008-08-30 15:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 16:51 . 2008-08-27 16:51 <DIR> dr------- C:\Documents and Settings\Zaievol\Application Data\Brother
2008-08-19 00:25 . 2008-08-19 20:43 <DIR> d-------- C:\Documents and Settings\zaiganda28
2008-08-17 21:49 . 2008-08-17 21:50 400 --ah----- C:\IPH.PH
2008-08-17 15:06 . 2006-01-06 15:53 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-08-17 14:55 . 2008-08-17 14:55 50 --a------ C:\WINDOWS\system32\bridf07a.dat
2008-08-17 14:54 . 2007-02-01 13:19 1,520,640 --a------ C:\WINDOWS\system32\BrWia07a.dll
2008-08-17 14:54 . 2007-01-26 16:13 54,784 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-08-17 14:54 . 2007-01-26 14:06 45,568 --a------ C:\WINDOWS\system32\BrUsi07a.dll
2008-08-17 14:54 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-08-17 14:53 . 2008-08-17 14:55 <DIR> d-------- C:\Program Files\Brother
2008-08-17 14:53 . 2006-12-28 13:39 176,128 --------- C:\WINDOWS\system32\BroSNMP.dll
2008-08-17 14:53 . 2007-01-18 13:51 163,840 --------- C:\WINDOWS\system32\NSSearch.dll
2008-08-17 14:53 . 2007-02-15 13:54 131,072 --------- C:\WINDOWS\brunin03.dll
2008-08-17 14:53 . 2007-01-25 17:16 94,208 -r------- C:\WINDOWS\system32\BrDctF2.dll
2008-08-17 14:53 . 2007-01-15 21:54 12,288 -r------- C:\WINDOWS\system32\BrDctF2S.dll
2008-08-17 14:53 . 2007-01-15 16:09 12,288 -r------- C:\WINDOWS\system32\BrDctF2L.dll
2008-08-17 14:53 . 2001-11-15 01:00 6,224 --------- C:\WINDOWS\CVRPAGE.BMP
2008-08-17 14:52 . 2008-08-17 14:52 <DIR> d-------- C:\Program Files\Nuance
2008-08-17 14:49 . 2008-08-17 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-08-17 14:29 . 2008-08-17 14:29 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Grisoft
2008-08-16 20:02 . 2008-09-03 16:51 <DIR> d-------- C:\Program Files\The Lost Crown
2008-08-16 18:09 . 2008-09-03 18:34 73,381,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-16 18:09 . 2008-09-03 18:34 862,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-16 18:05 . 2008-08-16 18:05 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-08-16 18:02 . 2008-08-16 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-16 18:02 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-16 18:02 . 2008-08-16 18:10 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-16 18:01 . 2008-08-16 18:01 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-16 17:13 . 2008-08-16 17:13 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\Grisoft
2008-08-16 17:13 . 2008-08-16 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-16 17:13 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-08-16 00:51 . 2008-05-18 17:51 <DIR> d-------- C:\Documents and Settings\Guest\ff_temp
2008-08-16 00:51 . 2008-08-16 00:51 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-08-16 00:51 . 2008-05-18 17:51 <DIR> d-------- C:\Documents and Settings\Guest\7zS182C.tmp
2008-08-16 00:51 . 2008-08-19 18:54 <DIR> d-------- C:\Documents and Settings\Guest
2008-08-15 20:31 . 2006-01-06 15:53 78,464 --a------ C:\WINDOWS\system32\drivers\usbvideo.sys
2008-08-15 20:31 . 2006-01-06 15:53 20,992 --a------ C:\WINDOWS\system32\dshowext.ax
2008-08-13 18:19 . 2008-08-13 18:19 <DIR> d-------- C:\Program Files\Vimicro
2008-08-13 18:19 . 2008-08-13 18:19 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\InstallShield
2008-08-13 18:19 . 2007-08-08 10:59 1,472,896 --a------ C:\WINDOWS\system32\drivers\usbVM302.sys
2008-08-13 18:19 . 2007-03-18 18:06 475,136 --a------ C:\WINDOWS\system32\drivers\vvftav302.sys
2008-08-13 18:19 . 2006-11-08 14:25 122,880 --a------ C:\WINDOWS\rm302.exe
2008-08-13 18:19 . 2007-04-03 15:50 77,824 --a------ C:\WINDOWS\ZC0302Cap.exe
2008-08-13 18:19 . 2004-12-10 14:30 61,440 --a------ C:\WINDOWS\system32\VM302STI.dll
2008-08-13 18:19 . 2007-10-25 14:09 57,344 --a------ C:\WINDOWS\VM302Snap.exe
2008-08-13 18:19 . 2006-07-04 14:16 49,152 --a------ C:\WINDOWS\Domino.exe
2008-08-13 18:19 . 2002-10-16 09:29 49,152 --a------ C:\WINDOWS\amcap.exe
2008-08-13 18:09 . 2008-08-13 18:09 <DIR> d-------- C:\Program Files\Vimicro Corporation
2008-08-13 18:09 . 2008-08-13 18:09 <DIR> d-------- C:\Program Files\Common Files\Vimicro Corporation
2008-08-13 18:09 . 2007-04-30 15:31 32,768 --a------ C:\WINDOWS\merit.exe
2008-08-11 21:02 . 2008-08-26 15:52 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-08-06 14:38 . 2008-08-06 14:38 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 10:03 3,896,883 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-29 03:56 1,909,248 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-08-29 03:56 1,440,768 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-08-29 03:22 --------- d-----w C:\Program Files\MSN Messenger
2008-08-25 05:35 863,232 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-08-25 05:35 1,426,944 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-08-22 16:26 574,464 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-08-22 16:26 1,419,776 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-08-21 03:20 1,418,240 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-08-21 03:19 1,415,680 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-08-20 15:29 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\Skype
2008-08-19 12:39 2,932,736 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-08-19 04:24 1,400,832 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-08-19 04:24 1,037,312 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-18 08:54 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\Nokia Multimedia Player
2008-08-17 07:13 3,022,848 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-08-17 07:13 1,377,280 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-08-17 06:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 17:47 586,240 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-08-16 17:47 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-08-16 17:42 1,369,088 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-08-16 17:41 2,998,784 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-16 16:01 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\skypePM
2008-08-16 09:44 --------- d-----w C:\Program Files\ESET
2008-08-15 17:05 --------- d-----w C:\Program Files\Las Vegas Casino
2008-08-06 07:25 560 ----a-w C:\Documents and Settings\Zaievol\Application Data\ViewerApp.dat
2008-08-06 06:38 --------- d-----w C:\Program Files\Sony Corporation
2008-07-28 09:13 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-25 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-25 14:47 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\acccore
2008-07-20 11:20 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-07-13 12:25 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\Ahead
2008-07-09 23:35 --------- d-----w C:\Program Files\DivX
2008-07-09 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\POP3Profiles
2008-07-09 15:26 --------- d-----w C:\Program Files\Buka
2008-07-09 14:47 --------- d-----w C:\Program Files\EA SPORTS
2008-07-09 13:59 18,048 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-07-09 13:59 165,376 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-09 13:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 13:58 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\InterTrust
2008-07-09 10:55 --------- d-----w C:\Program Files\SEGA
2008-07-09 10:49 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-09 10:49 --------- d--h--r C:\Documents and Settings\Zaievol\Application Data\SecuROM
2008-07-09 01:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-09 00:16 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-07-09 00:16 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-07-08 13:04 286,720 ----a-w C:\WINDOWS\iun506.exe
2008-07-06 06:29 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\FrostWire
2008-06-29 10:05 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\zaiganda28 ----



------- Sigcheck -------

2006-01-13 10:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 C:\WINDOWS\system32\drivers\tcpip.sys

2006-01-13 09:46 1075200 2deaca71a7fd77205f59d48d76b2f565 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-05-18 13:34 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-07-04 14:01 148776]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 12:49 451872]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-26 22:14 68856]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 21:58 4269296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-09 01:53 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-09 01:53 81920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-29 18:05 949376]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-07-04 14:20 161064]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 12:36 229376]
"BigDogPath"="C:\WINDOWS\VM302Snap.exe" [2007-10-25 14:09 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Domino"="C:\WINDOWS\Domino.exe" [2006-07-04 14:16 49152]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 14:51 663552]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 15:58 65536]
"nwiz"="nwiz.exe" [2008-01-09 01:53 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-01-13 09:25 44544]

C:\Documents and Settings\Zaievol\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\QooBox\Quarantine\C\Program Files\LimeWire\LimeWire.exe.vir [2008-03-27 01:19:43 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-08-06 14:38:29 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2008-08-06 14:38:27 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-12-14 19:13 7095344 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
--a------ 2008-01-29 11:19 2157096 C:\Program Files\VDOTool\TBPANEL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-08-20 15:38 16384512 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2007-08-03 13:22 1826816 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 vvftav302;vvftav302;C:\WINDOWS\system32\drivers\vvftav302.sys [2007-03-18 18:06]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 18:35:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-03 18:38:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 10:38:27
ComboFix2.txt 2008-09-03 10:26:11
ComboFix3.txt 2008-08-30 07:59:29

Pre-Run: 12,673,527,808 bytes free
Post-Run: 12,664,758,272 bytes free

273

Hello marian,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Hereunder is the result of the scan of Malwarebytes' Antimalware. As per instructed I reboot my computer so as to delete upon reboot the said items found.

Malwarebytes' Anti-Malware 1.27
Database version: 1131
Windows 5.1.2600 Service Pack 2

9/9/2008 6:37:11 PM
mbam-log-2008-09-09 (18-37-11).txt

Scan type: Quick Scan
Objects scanned: 45857
Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 101
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.

Hello marian,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.

Sir, i had downloaded DrWeb and followed the instruction as you had told me to do. And nothing or no infection was found. However i could not post the said scan report which you told me to name as DrWeb.csv. Hoping this would give you an idea for what i would have to do next. Thank you very much for assisting and helping me.

Hello marian,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

Hereunder are the reports on Combo-fix and Hijack this.

ComboFix 08-08-29.02 - Zaievol 2008-09-15 20:48:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1519 [GMT 8:00]
Running from: C:\Documents and Settings\Zaievol\Desktop\Combo-Fix.exe.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
.

2008-09-15 20:02 . 2008-09-15 20:02 <DIR> d-------- C:\WINDOWS\The Quest For Aladdin's Treasure
2008-09-15 20:02 . 2008-09-15 20:02 <DIR> d-------- C:\Program Files\Liquid Games
2008-09-13 18:30 . 2008-09-13 18:30 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-09-13 18:30 . 2003-07-20 17:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-09-13 18:30 . 2005-01-04 08:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-09-13 18:06 . 2008-09-13 18:06 <DIR> d-------- C:\Program Files\e-Games
2008-09-13 16:27 . 2008-09-13 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-09-13 14:51 . 2008-09-13 14:51 <DIR> d-------- C:\Program Files\Nokia
2008-09-13 14:51 . 2008-09-13 14:51 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-09-13 14:51 . 2008-09-13 14:51 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-09-13 14:27 . 2008-09-13 14:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-09-11 18:38 . 2008-09-11 18:38 <DIR> d-------- C:\Documents and Settings\Zaievol\DoctorWeb
2008-09-09 18:32 . 2008-09-09 18:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 18:32 . 2008-09-09 18:32 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\Malwarebytes
2008-09-09 18:32 . 2008-09-09 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 18:32 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 18:32 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-30 15:39 . 2008-08-30 15:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 16:51 . 2008-08-27 16:51 <DIR> dr------- C:\Documents and Settings\Zaievol\Application Data\Brother
2008-08-19 00:25 . 2008-08-19 20:43 <DIR> d-------- C:\Documents and Settings\zaiganda28
2008-08-17 21:49 . 2008-08-17 21:50 400 --ah----- C:\IPH.PH
2008-08-17 15:06 . 2006-01-06 15:53 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-08-17 14:55 . 2008-08-17 14:55 50 --a------ C:\WINDOWS\system32\bridf07a.dat
2008-08-17 14:54 . 2007-02-01 13:19 1,520,640 --a------ C:\WINDOWS\system32\BrWia07a.dll
2008-08-17 14:54 . 2007-01-26 16:13 54,784 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-08-17 14:54 . 2007-01-26 14:06 45,568 --a------ C:\WINDOWS\system32\BrUsi07a.dll
2008-08-17 14:54 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-08-17 14:53 . 2008-08-17 14:55 <DIR> d-------- C:\Program Files\Brother
2008-08-17 14:53 . 2006-12-28 13:39 176,128 --------- C:\WINDOWS\system32\BroSNMP.dll
2008-08-17 14:53 . 2007-01-18 13:51 163,840 --------- C:\WINDOWS\system32\NSSearch.dll
2008-08-17 14:53 . 2007-02-15 13:54 131,072 --------- C:\WINDOWS\brunin03.dll
2008-08-17 14:53 . 2007-01-25 17:16 94,208 -r------- C:\WINDOWS\system32\BrDctF2.dll
2008-08-17 14:53 . 2007-01-15 21:54 12,288 -r------- C:\WINDOWS\system32\BrDctF2S.dll
2008-08-17 14:53 . 2007-01-15 16:09 12,288 -r------- C:\WINDOWS\system32\BrDctF2L.dll
2008-08-17 14:53 . 2001-11-15 01:00 6,224 --------- C:\WINDOWS\CVRPAGE.BMP
2008-08-17 14:52 . 2008-08-17 14:52 <DIR> d-------- C:\Program Files\Nuance
2008-08-17 14:49 . 2008-08-17 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-08-17 14:29 . 2008-08-17 14:29 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Grisoft
2008-08-16 20:02 . 2008-09-06 09:38 <DIR> d-------- C:\Program Files\The Lost Crown
2008-08-16 18:09 . 2008-09-15 20:49 100,182,048 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-16 18:09 . 2008-09-15 20:35 1,177,880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-16 18:05 . 2008-08-16 18:05 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-08-16 18:02 . 2008-08-16 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-16 18:02 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-16 18:02 . 2008-08-16 18:10 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-16 18:01 . 2008-08-16 18:01 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-16 17:13 . 2008-08-16 17:13 <DIR> d-------- C:\Documents and Settings\Zaievol\Application Data\Grisoft
2008-08-16 17:13 . 2008-08-16 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-16 17:13 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-08-16 00:51 . 2008-05-18 17:51 <DIR> d-------- C:\Documents and Settings\Guest\ff_temp
2008-08-16 00:51 . 2008-08-16 00:51 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-08-16 00:51 . 2008-05-18 17:51 <DIR> d-------- C:\Documents and Settings\Guest\7zS182C.tmp
2008-08-16 00:51 . 2008-09-15 20:35 <DIR> d-------- C:\Documents and Settings\Guest
2008-08-15 20:31 . 2006-01-06 15:53 78,464 --a------ C:\WINDOWS\system32\drivers\usbvideo.sys
2008-08-15 20:31 . 2006-01-06 15:53 20,992 --a------ C:\WINDOWS\system32\dshowext.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 12:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-15 11:53 21,896,546 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-09-15 09:26 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\Skype
2008-09-15 08:00 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\skypePM
2008-09-13 08:49 --------- d-----w C:\Program Files\Buka
2008-09-13 06:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-09-13 06:36 --------- d-----w C:\Program Files\VDOTool
2008-08-29 03:56 1,909,248 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-08-29 03:56 1,440,768 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-08-29 03:22 --------- d-----w C:\Program Files\MSN Messenger
2008-08-25 05:35 863,232 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-08-25 05:35 1,426,944 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-08-22 16:26 574,464 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-08-22 16:26 1,419,776 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-08-21 03:20 1,418,240 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-08-21 03:19 1,415,680 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-08-19 12:39 2,932,736 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-08-19 04:24 1,400,832 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-08-19 04:24 1,037,312 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-17 07:13 3,022,848 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-08-17 07:13 1,377,280 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-08-16 17:47 586,240 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-08-16 17:47 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-08-16 17:42 1,369,088 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-08-16 17:41 2,998,784 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-16 09:44 --------- d-----w C:\Program Files\ESET
2008-08-15 17:05 --------- d-----w C:\Program Files\Las Vegas Casino
2008-08-13 10:19 --------- d-----w C:\Program Files\Vimicro
2008-08-13 10:19 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\InstallShield
2008-08-13 10:09 --------- d-----w C:\Program Files\Vimicro Corporation
2008-08-13 10:09 --------- d-----w C:\Program Files\Common Files\Vimicro Corporation
2008-08-06 07:25 560 ----a-w C:\Documents and Settings\Zaievol\Application Data\ViewerApp.dat
2008-08-06 06:38 --------- d-----w C:\Program Files\Sony Corporation
2008-08-06 06:38 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-07-28 09:13 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-25 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-25 14:47 --------- d-----w C:\Documents and Settings\Zaievol\Application Data\acccore
2008-07-09 10:49 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-09 01:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-08 13:04 286,720 ----a-w C:\WINDOWS\iun506.exe
2008-06-29 10:05 298,104 ----a-w C:\WINDOWS\system32\imon.dll
.

------- Sigcheck -------

2006-01-13 10:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 C:\WINDOWS\system32\drivers\tcpip.sys

2006-01-13 09:46 1075200 2deaca71a7fd77205f59d48d76b2f565 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-30_15.59.06.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-09-15 08:24:50 61,440 ----a-w C:\WINDOWS\Downloaded Program Files\EGamesPlugin.dll
- 2008-05-18 04:03:51 10,134 ----a-r C:\WINDOWS\Installer\{0D80391C-0A72-43BB-9BC2-143F63CC111D}\ARPPRODUCTICON.exe
+ 2008-09-13 06:51:19 10,134 ----a-r C:\WINDOWS\Installer\{0D80391C-0A72-43BB-9BC2-143F63CC111D}\ARPPRODUCTICON.exe
- 2008-05-18 04:04:09 3,262 ----a-r C:\WINDOWS\Installer\{9BD3BC83-C14A-4C54-A5FB-F43D93D5E4EF}\ARPPRODUCTICON.exe
+ 2008-09-13 06:51:45 3,262 ----a-r C:\WINDOWS\Installer\{9BD3BC83-C14A-4C54-A5FB-F43D93D5E4EF}\ARPPRODUCTICON.exe
- 2008-08-18 08:53:05 15,086 ----a-r C:\WINDOWS\Installer\{E1B34BF3-6333-47DC-AD85-D89A95829478}\ARPPRODUCTICON.exe
+ 2008-09-13 06:52:12 15,086 ----a-r C:\WINDOWS\Installer\{E1B34BF3-6333-47DC-AD85-D89A95829478}\ARPPRODUCTICON.exe
+ 2008-09-15 12:33:29 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-09-15 12:35:35 12,820 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-09-15 12:02:30 471,552 ----a-w C:\WINDOWS\The Quest For Aladdin's Treasure\uninstall.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-05-18 13:34 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-05-18 13:34 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-07-04 14:01 148776]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 12:49 451872]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-26 22:14 68856]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 21:58 4269296]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-29 18:05 949376]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-07-04 14:20 161064]
"BigDogPath"="C:\WINDOWS\VM302Snap.exe" [2007-10-25 14:09 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Domino"="C:\WINDOWS\Domino.exe" [2006-07-04 14:16 49152]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 14:51 663552]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 15:58 65536]
"TBPanel"="C:\Program Files\VDOTool\TBPanel.exe" [2008-01-29 11:19 2157096]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-09 01:53 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-09 01:53 81920]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 12:36 229376]
"nwiz"="nwiz.exe" [2008-01-09 01:53 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-01-13 09:25 44544]

C:\Documents and Settings\Zaievol\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\QooBox\Quarantine\C\Program Files\LimeWire\LimeWire.exe.vir [2008-03-27 01:19:43 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-08-06 14:38:29 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2008-08-06 14:38:27 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-12-14 19:13 7095344 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
--a------ 2008-01-29 11:19 2157096 C:\Program Files\VDOTool\TBPANEL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-08-20 15:38 16384512 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2007-08-03 13:22 1826816 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 vvftav302;vvftav302;C:\WINDOWS\system32\drivers\vvftav302.sys [2007-03-18 18:06]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Zaievol\Application Data\Mozilla\Firefox\Profiles\rekggvdq.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 20:49:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
Completion time: 2008-09-15 20:50:28
ComboFix-quarantined-files.txt 2008-09-15 12:50:24
ComboFix2.txt 2008-09-03 10:38:33
ComboFix3.txt 2008-09-03 10:26:11
ComboFix4.txt 2008-08-30 07:59:29

Pre-Run: 10,449,850,368 bytes free
Post-Run: 11,029,602,304 bytes free

228



Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:04 PM, on 9/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\VM302Snap.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM302Snap.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [TBPanel] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\QooBox\Quarantine\C\Program Files\LimeWire\LimeWire.exe.vir
O4 - Startup: Registration Prince of Persia The Two Thrones.LNK = F:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8500 bytes

Hello marian,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\QooBox\Quarantine\C\Program Files\LimeWire\LimeWire.exe.vir

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
  
  
  • C:\System32\syssetub.dll
  
  
• Click on the Upload button
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Using Windows Explorer delete the following file (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\WINDOWS\system32\msnsc.exe

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply.