svcipa.exe problem

Computing.Net > Forums > Security and Virus > svcipa.exe problem

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

svcipa.exe problem

Name: waseem
Date: September 3, 2007 at 11:34:14 Pacific
OS: XP pro
CPU/Ram: 2.8Mhz/1G

Comment:

hello guys, please help me out as i'm not good in removing viruses. pc is infected with spcipa.exe and dont know how to remove it. it was detected by AVG av 7.5 but it did not remove it. Prevx 2 did find 3 files and one of them was Trojan.Lozyt and removed it. But i'm still having problems. AVG is detecting system files as virus/spyware too. Uninstalled and re-installed AVG but still same problem. i'll post Hijack this file on request and please let me know whats the problem and how to resolve it. Many thanks

Sponsored Link

Ads by Google

Response Number 1

Name: jabuck
Date: September 3, 2007 at 11:44:08 Pacific

Reply:

Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Response Number 2

Name: waseem
Date: September 3, 2007 at 12:09:25 Pacific

Reply:

Thanks Jabuck for replying, here is a copy of hijackthis as to your per instructions. There is another problem associated to my previous message. AVG is detecting AVAST files as virus/malware and 2ndly my pc does not boot into SAFE MODE no matter how many times i try to go in to safe mode. please help me out.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:30, on 03/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://us.rd.yahoo.com/customize/ie...
yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/ie...
yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)
=
http://us.rd.yahoo.com/customize/ie...
yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Virgin Net Broadband
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program
Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [System Updater]
C:\WINDOWS\system32\Sysupd\sysupd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program
Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
/STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center]
C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol]
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure]
C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [Regrun2]
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User
'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User
'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program
Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary -
file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program
Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1}
- C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace -
{04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program
Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Yahoo! Services -
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research -
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class)
-
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter
Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo
Class) -
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo
Upload Tool) -
http://by128fd.bay128.hotmail.msn.c...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher
Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D}
(HpProductDetection Class) -
http://h20270.www2.hp.com/ediags/gm...
ab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl
Class) -
http://update.microsoft.com/microso...
lient/muweb_site.cab?1182621406843
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX
Control) -
https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.
ocx
O23 - Service: Adobe LM Service - Unknown owner - C:\Program
Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL
Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program
Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program
Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program
Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. -
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT,
s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o.
- C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -
Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program
Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG -
C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service
(LightScribeService) - Hewlett-Packard Company - C:\Program
Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP -
C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PREVXAgent - Prevx - C:\Program
Files\Prevx2\PXAgent.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common
Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SNDSrvc - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs
Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot
Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 9495 bytes

Response Number 3

Name: jabuck
Date: September 3, 2007 at 12:53:12 Pacific

Reply:

Go to start>run> type notepad > click ok>click format>uncheck "word wrap"> then exit notepad.
Temporarily disable any of the following anti-spyware realtime protection programs that you may have Disable Realtime Protection
Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
O4 - HKLM\..\Run: [System Updater] C:\WINDOWS\system32\Sysupd\sysupd.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class)-
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo
Class) -
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -
Exit Hijack This
Navigate to and delte this file if found:
C:\WINDOWS\system32\Sysupd\sysupd.exe
Then navigate to and delete this folder if fouund:
C:\WINDOWS\system32\Sysupd\
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces and a new Hijack This log.
Use only the F8 method to boot into safe mode, any other method may put you in a boot loop and you may have to format.

Response Number 4

Name: waseem
Date: September 4, 2007 at 05:09:42 Pacific

Reply:

Hello Jabuck, sorry for the delay, somehow i'm not able to boot in Safe Mode and i dont know why. i press F8 and brings into few options including safe mode, so when i highlight safe mode and click on it it reboot itself and bring me back to same option page. i can only go into "start windows normally" including safe mode does nothing. any advice on this ?

Response Number 5

Name: jabuck
Date: September 4, 2007 at 14:48:06 Pacific

Reply:

Follow the steps in response #3 in normal mode and post the requested logs please.

tridwave.sys 36FC9E60-C465-11CF-8056-444553540000 tvdebug.log	software.log NTLMSSP c0000135
See More

Response Number 6

Name: waseem
Date: September 5, 2007 at 04:34:34 Pacific

Reply:

hello jabuck, please see the required logsas to your per instructions.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:50, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.c...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SNDSrvc - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 7420 bytes

Response Number 7

Name: waseem
Date: September 5, 2007 at 04:36:11 Pacific

Reply:

And this lof is from ComboFix.

ComboFix 07-08-30.3 - "KING" 2007-09-05 12:25:04.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.843 [GMT 1:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\bold.log
C:\Program Files\Common Files\{38AF0~1
C:\Program Files\Common Files\{58AF0~1

((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))

2007-09-05 12:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 18:59 <DIR> d-------- C:\Program Files\Intel
2007-09-03 20:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 17:58 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2007-09-03 17:58 2 -rahs---- C:\WINDOWS\winstart.bat
2007-09-03 17:55 <DIR> d-------- C:\Program Files\Greatis
2007-09-03 17:10 <DIR> d-------- C:\Program Files\emule
2007-09-03 08:50 <DIR> d-------- C:\Program Files\PestPatrol
2007-09-03 00:48 2,560 --a------ C:\WINDOWS\_MSRSTRT.exe
2007-09-03 00:29 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-09-02 23:29 359,040 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2007-09-01 23:12 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-09-01 23:12 11,264 --a------ C:\WINDOWS\Ulead iPhoto Express.SCR
2007-09-01 23:12 <DIR> d-------- C:\WINDOWS\ULEAD.DAT
2007-09-01 23:12 <DIR> d-------- C:\Program Files\Ulead iPhoto Express
2007-08-29 22:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-08-23 21:54 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-21 20:09 <DIR> d-------- C:\$WIN_NT$.~BT
2007-08-21 17:58 66,591 --a------ C:\WINDOWS\system32\drivers\el90xbc5.sys
2007-08-21 17:58 66,591 --a------ C:\WINDOWS\system32\dllcache\el90xbc5.sys
2007-08-18 21:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
2007-08-18 20:29 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-18 19:10 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2007-08-18 19:10 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2007-08-18 19:10 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2007-08-18 19:10 <DIR> d-------- C:\Program Files\VSO
2007-08-18 17:00 87,608 --a------ C:\DOCUME~1\KING\APPLIC~1\inst.exe
2007-08-18 17:00 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-08-18 17:00 47,360 --a------ C:\DOCUME~1\KING\APPLIC~1\pcouffin.sys
2007-08-18 17:00 <DIR> d-------- C:\DOCUME~1\KING\APPLIC~1\Vso
2007-08-18 12:02 <DIR> d-------- C:\Program Files\Smart Projects
2007-08-16 19:02 <DIR> d-------- C:\VProRecovery
2007-08-12 15:08 <DIR> d-------- C:\DOCUME~1\KING\APPLIC~1\Image Zone Express
2007-08-12 10:42 <DIR> d---s---- C:\DOCUME~1\Arooba\UserData

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-02 23:29 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-03 1rogram Files\PowerQuest
2007-08-02 1rogram Files\Common Files\Symantec Shared
2007-08-02 1OCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-02 1rogram Files\MagicISO
2007-08-01 1rogram Files\BitTorrent_DNA
2007-08-01 1rogram Files\BitTorrent
2007-08-01 1OCUME~1\KING\APPLIC~1\BitTorrent DNA
2007-08-01 1OCUME~1\KING\APPLIC~1\BitTorrent
2007-07-29 2rogram Files\Microsoft Works
2007-07-29 2rogram Files\Microsoft.NET
2007-07-29 1rogram Files\SmartSound Software Inc
2007-07-29 1OCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-07-27 0rogram Files\AtomInterSoft
2007-07-26 10:35 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-07-25 1OCUME~1\ALLUSE~1\APPLIC~1\HP
2007-07-25 1OCUME~1\KING\APPLIC~1\HP
2007-07-15 1rogram Files\9Dragons
2007-07-10 1OCUME~1\KING\APPLIC~1\Hewlett-Packard
2007-07-10 1rogram Files\Common Files\Hewlett-Packard
2007-07-06 2rogram Files\Folder Guard Pro
2007-06-13 22:07 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2005-10-13 20:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-05-13 16:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 14:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-10-07 18:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2005-02-28 12:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2005-07-14 11:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2006-04-27 09:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-23 22:16]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2003-12-15 14:57]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 11:57]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 08:53]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FolderGuard]
C:\Program Files\Folder Guard Pro\FGuard32.dll 2007-07-06 22:30 696320 C:\Program Files\Folder Guard Pro\FGuard32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk.disabled
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnk.disabledCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LG SyncManager.lnk]
backup=C:\WINDOWS\pss\LG SyncManager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express Calendar Checker.lnk]
backup=C:\WINDOWS\pss\Ulead Photo Express Calendar Checker.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
C:\Program Files\Evidence Eliminator\ee.exe /m
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
C:\PROGRA~1\Nero\NEROPH~1\data\xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Virgin.net Broadband\Dragdiag.exe" /icon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Updater]
C:\WINDOWS\system32\Sysupd\sysupd.exe -detach
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdService]
C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
R2 FGUARD32;FGUARD32;\??\C:\Program Files\Folder Guard Pro\FGUARD32.SYS
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
R3 wdm_tridwave;PCI288-Q3DII PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\tridwave.sys
S2 InCDsrvR;InCD Helper (read only);C:\Program Files\Ahead\InCD\InCDsrv.exe -r
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS
S3 RegGuard;RegGuard;\??\C:\WINDOWS\system32\Drivers\regguard.sys
S3 U81xbus;LGE U8XXX driver (WDM);C:\WINDOWS\system32\DRIVERS\U81xbus.sys
S3 U81xmdfl;LGE U8XXX USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\U81xmdfl.sys
S3 U81xmdm;LGE U8XXX USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\U81xmdm.sys
S3 U81xmgmt;LGE U8XXX USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\U81xmgmt.sys
S3 U81xobex;LGE U8XXX USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\U81xobex.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{327a8a60-0e91-11db-ad94-806d6172696f}]
AutoRun\command- E:\install.exe
*Newly Created Service* - CATCHME
Contents of the 'Scheduled Tasks' folder
2007-09-04 23:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 00:00:02 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 01:00:02 C:\WINDOWS\Tasks\At3.job
2007-09-03 02:00:02 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 03:00:02 C:\WINDOWS\Tasks\At5.job
2007-09-03 04:00:02 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 05:00:02 C:\WINDOWS\Tasks\At7.job
2007-09-03 06:00:02 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 07:00:02 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 08:00:02 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-05 09:00:02 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 10:00:02 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 11:00:02 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 12:00:02 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 13:00:02 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 14:00:06 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 15:00:02 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 16:00:02 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 17:00:02 C:\WINDOWS\Tasks\At19.job
2007-09-03 18:00:02 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 19:00:02 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 20:00:02 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-03 21:00:02 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 22:00:02 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 23:00:02 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 00:00:02 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 01:00:02 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 02:00:02 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 03:00:02 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 04:00:02 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 05:00:02 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 06:00:02 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 07:00:02 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 08:00:02 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-05 09:00:02 C:\WINDOWS\Tasks\At35.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 10:00:02 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 11:00:02 C:\WINDOWS\Tasks\At37.job
2007-09-04 12:00:02 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-04 13:00:02 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-04 14:00:06 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-04 15:00:02 C:\WINDOWS\Tasks\At41.job
2007-09-04 16:00:02 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 17:00:02 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 18:00:02 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-04 19:00:02 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 20:00:02 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-03 21:00:02 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-04 22:00:02 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-04 23:00:02 C:\WINDOWS\Tasks\At49.job
2007-09-03 00:01:02 C:\WINDOWS\Tasks\At50.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 01:01:06 C:\WINDOWS\Tasks\At51.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 02:01:04 C:\WINDOWS\Tasks\At52.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 03:01:02 C:\WINDOWS\Tasks\At53.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 04:01:02 C:\WINDOWS\Tasks\At54.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 05:01:02 C:\WINDOWS\Tasks\At55.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 06:01:02 C:\WINDOWS\Tasks\At56.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 07:01:02 C:\WINDOWS\Tasks\At57.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 08:01:52 C:\WINDOWS\Tasks\At58.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-05 09:00:02 C:\WINDOWS\Tasks\At59.job
2007-09-03 10:00:04 C:\WINDOWS\Tasks\At60.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 11:00:02 C:\WINDOWS\Tasks\At61.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-04 12:00:02 C:\WINDOWS\Tasks\At62.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-04 13:00:02 C:\WINDOWS\Tasks\At63.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-04 14:00:06 C:\WINDOWS\Tasks\At64.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-04 15:00:02 C:\WINDOWS\Tasks\At65.job
2007-09-04 16:00:02 C:\WINDOWS\Tasks\At66.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 17:00:02 C:\WINDOWS\Tasks\At67.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 18:00:02 C:\WINDOWS\Tasks\At68.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-04 19:00:02 C:\WINDOWS\Tasks\At69.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 20:00:02 C:\WINDOWS\Tasks\At70.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-03 21:00:02 C:\WINDOWS\Tasks\At71.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-04 22:00:02 C:\WINDOWS\Tasks\At72.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 12:26:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-05 12:26:46
C:\ComboFix-quarantined-files.txt ... 2007-09-05 12:26
--- E O F ---

Response Number 8

Name: waseem
Date: September 5, 2007 at 04:40:36 Pacific

Reply:

hello jabuck, in search i found this file, is it ok to leave as it is ?
SYSUPD.EXE-02153A98.pf location: C:\WINDOWS\Prefetch

Response Number 9

Name: cnf
Date: September 5, 2007 at 06:55:28 Pacific

Reply:

sysupd.exe is a process process associated with an Dialer application. It tries to disconnect your current internet connection and dial a toll number with high minute rates. This process is a security risk and should be removed from your system.
It is highly recommended to Run a Free Performance Scan:
http://www.liutilities.com/products...

Response Number 10

Name: jabuck
Date: September 5, 2007 at 14:57:22 Pacific

Reply:

Temporarily disable any of the following anti-spyware realtime protection programs that you may have as they are interering with the removal process Disable Realtime Protection
Then run Combofix again and post the new log.

Response Number 11

Name: jabuck
Date: September 5, 2007 at 15:46:20 Pacific

Reply:

Next, open notepad and copy/paste the text between the X's below into it:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\A74pSs8S.exe
C:\WINDOWS\system32\SkOh8wOv.exe
C:\WINDOWS\system32\puv0q5bP.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Next click file> save> in the "filename" box type cfscript and in the "save in" box select "desktop" then click save.
Next right click on the "cfscript" file and drag it on top the Combofix red X and drop it.
Combofix will start and run. After it reboots (sometimes it does) post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Open notepad (Start Menu > Run > Type notepad and press "ok".
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Updater]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Post a new Hijack This log please.

Response Number 12

Name: jabuck
Date: September 5, 2007 at 18:58:39 Pacific

Reply:

We will get it when we do the final cleanup. You can delete the entire contents of C:\WINDOWS\Prefetch just do not delete the folder itself.

Response Number 13

Name: waseem
Date: September 6, 2007 at 08:25:37 Pacific

Reply:

Hello jabuck, each time i'm experiencing new problem, this time i tried to follow your instructions and when i ran ComboFix suddenly the screen went blue and this message appeared ("STOP: C0000135 unable to locate component. This application failed to start because vct3216.dll not found. Reinstalling the application may fix this problem."
Beginning dump of physical memory
Dumping physical memory to disk: 1)
the above dumping memory to disk goes up 87 and then the windows go thru system start up as when the windows NOT shut down thru normal way. during system file checking process it shows errors about ComboFix files.
i'm sorry to take your so much time and appreciate your help. please see if there is more help you can provide.

Response Number 14

Name: waseem
Date: September 6, 2007 at 08:37:51 Pacific

Reply:

posting HijackThis log while i terminated all the security applications/softwares and WITHOUT runing ComboFix as you instructed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:37, on 2007-09-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.c...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SNDSrvc - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 6495 bytes

Response Number 15

Name: jabuck
Date: September 6, 2007 at 18:40:56 Pacific

Reply:

The Hijack This log looks clean but there is some clean up to do yet. As for the file vct3216.dll you can get if free from this link Voxware Codec
We have not remove it but may be why this sound file is missing:
O23 - Service: SNDSrvc - Unknown owner - (no file)
Download it to your desktop> left click on the vox.zip file> click extract all> extract it to your desktop>open the vox folder> right click on voxacm.inf> click install. Restart the computer.
Uninstall Comboxfix by dragging it to the recycle bin then redownload it and try to post a new log.

Response Number 16

Name: waseem
Date: September 7, 2007 at 06:11:44 Pacific

Reply:

Hello jabuck, i have installed vct3216.dll as you instructed and it has done a good job. Thanks alot.
could you please explain how do you want me to delete "You can delete the entire contents of C:\WINDOWS\Prefetch just do not delete the folder itself." all i know is to delete the folder and it will delete its contents too.
Uninstalled and reinstalled Combofix and here is the log, but without disabling the security programs.
ComboFix 07-08-30.3 - "KING" 2007-09-07 13:57:22.5 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.789 [GMT 1:00]

((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))

2007-09-07 13:52 <DIR> d-------- C:\WINDOWS\LastGood
2007-09-06 18:54 <DIR> d-------- C:\Program Files\Security Task Manager
2007-09-06 18:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-09-05 16:58 12,219,419 --------- C:\AVG7QT.DAT
2007-09-05 16:58 <DIR> d-------- C:\DOCUME~1\Arooba\APPLIC~1\Uniblue
2007-09-05 16:03 <DIR> d-------- C:\Program Files\Uniblue
2007-09-05 16:03 <DIR> d-------- C:\DOCUME~1\KING\APPLIC~1\Uniblue
2007-09-05 12:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 18:59 <DIR> d-------- C:\Program Files\Intel
2007-09-03 20:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 17:58 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2007-09-03 17:58 2 -rahs---- C:\WINDOWS\winstart.bat
2007-09-03 17:55 <DIR> d-------- C:\Program Files\Greatis
2007-09-03 17:10 <DIR> d-------- C:\Program Files\emule
2007-09-03 08:50 <DIR> d-------- C:\Program Files\PestPatrol
2007-09-03 00:48 2,560 --a------ C:\WINDOWS\_MSRSTRT.exe
2007-09-03 00:29 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-09-02 23:29 359,040 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2007-09-01 23:12 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-09-01 23:12 11,264 --a------ C:\WINDOWS\Ulead iPhoto Express.SCR
2007-09-01 23:12 <DIR> d-------- C:\WINDOWS\ULEAD.DAT
2007-09-01 23:12 <DIR> d-------- C:\Program Files\Ulead iPhoto Express
2007-08-29 22:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-08-23 21:54 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-21 17:58 66,591 --a------ C:\WINDOWS\system32\drivers\el90xbc5.sys
2007-08-21 17:58 66,591 --a------ C:\WINDOWS\system32\dllcache\el90xbc5.sys
2007-08-18 21:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
2007-08-18 20:29 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-18 19:10 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2007-08-18 19:10 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2007-08-18 19:10 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2007-08-18 19:10 <DIR> d-------- C:\Program Files\VSO
2007-08-18 17:00 87,608 --a------ C:\DOCUME~1\KING\APPLIC~1\inst.exe
2007-08-18 17:00 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-08-18 17:00 47,360 --a------ C:\DOCUME~1\KING\APPLIC~1\pcouffin.sys
2007-08-18 17:00 <DIR> d-------- C:\DOCUME~1\KING\APPLIC~1\Vso
2007-08-18 12:02 <DIR> d-------- C:\Program Files\Smart Projects
2007-08-16 19:02 <DIR> d-------- C:\VProRecovery
2007-08-12 15:08 <DIR> d-------- C:\DOCUME~1\KING\APPLIC~1\Image Zone Express
2007-08-12 10:42 <DIR> d---s---- C:\DOCUME~1\Arooba\UserData

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-02 23:29 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-03 1rogram Files\PowerQuest
2007-08-02 1rogram Files\Common Files\Symantec Shared
2007-08-02 1OCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-02 1rogram Files\MagicISO
2007-08-01 1rogram Files\BitTorrent_DNA
2007-08-01 1rogram Files\BitTorrent
2007-08-01 1OCUME~1\KING\APPLIC~1\BitTorrent DNA
2007-08-01 1OCUME~1\KING\APPLIC~1\BitTorrent
2007-07-29 2rogram Files\Microsoft Works
2007-07-29 2rogram Files\Microsoft.NET
2007-07-29 1rogram Files\SmartSound Software Inc
2007-07-29 1OCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-07-27 0rogram Files\AtomInterSoft
2007-07-26 10:35 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-07-25 1OCUME~1\ALLUSE~1\APPLIC~1\HP
2007-07-25 1OCUME~1\KING\APPLIC~1\HP
2007-07-15 1rogram Files\9Dragons
2007-07-10 1OCUME~1\KING\APPLIC~1\Hewlett-Packard
2007-07-10 1rogram Files\Common Files\Hewlett-Packard
2007-06-13 22:07 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2005-10-13 20:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-05-13 16:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 14:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-10-07 18:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2005-02-28 12:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2005-07-14 11:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2006-04-27 09:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 11:57]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 08:53]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2003-12-15 14:57]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-23 22:16]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FolderGuard]
C:\Program Files\Folder Guard Pro\FGuard32.dll 2007-07-06 22:30 696320 C:\Program Files\Folder Guard Pro\FGuard32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
C:\Program Files\Evidence Eliminator\ee.exe /m
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
C:\PROGRA~1\Nero\NEROPH~1\data\xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Virgin.net Broadband\Dragdiag.exe" /icon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Updater]
C:\WINDOWS\system32\Sysupd\sysupd.exe -detach
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdService]
C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
R2 FGUARD32;FGUARD32;\??\C:\Program Files\Folder Guard Pro\FGUARD32.SYS
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
R3 wdm_tridwave;PCI288-Q3DII PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\tridwave.sys
S2 InCDsrvR;InCD Helper (read only);C:\Program Files\Ahead\InCD\InCDsrv.exe -r
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS
S3 RegGuard;RegGuard;\??\C:\WINDOWS\system32\Drivers\regguard.sys
S3 U81xbus;LGE U8XXX driver (WDM);C:\WINDOWS\system32\DRIVERS\U81xbus.sys
S3 U81xmdfl;LGE U8XXX USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\U81xmdfl.sys
S3 U81xmdm;LGE U8XXX USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\U81xmdm.sys
S3 U81xmgmt;LGE U8XXX USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\U81xmgmt.sys
S3 U81xobex;LGE U8XXX USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\U81xobex.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{327a8a60-0e91-11db-ad94-806d6172696f}]
AutoRun\command- E:\install.exe

Contents of the 'Scheduled Tasks' folder
2007-09-05 23:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 00:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 01:00:00 C:\WINDOWS\Tasks\At3.job
2007-09-06 02:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 03:00:00 C:\WINDOWS\Tasks\At5.job
2007-09-06 04:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 05:00:00 C:\WINDOWS\Tasks\At7.job
2007-09-06 06:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 07:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 08:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 09:00:00 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 10:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 11:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-07 12:00:02 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 13:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-04 14:00:06 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-05 15:00:02 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 16:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 17:00:02 C:\WINDOWS\Tasks\At19.job
2007-09-06 18:00:02 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 19:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 20:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-06 21:00:02 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-05 22:00:02 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\A74pSs8S.exe
2007-09-05 23:00:02 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 00:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 01:00:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 02:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 03:00:00 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 04:00:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 05:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 06:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 07:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 08:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 09:00:00 C:\WINDOWS\Tasks\At35.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 10:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 11:00:00 C:\WINDOWS\Tasks\At37.job
2007-09-07 12:00:02 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 13:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-04 14:00:06 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-05 15:00:02 C:\WINDOWS\Tasks\At41.job
2007-09-06 16:00:02 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 17:00:02 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 18:00:02 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 19:00:02 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 20:00:02 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-06 21:00:02 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-05 22:00:02 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\SkOh8wOv.exe
2007-09-05 23:00:02 C:\WINDOWS\Tasks\At49.job
2007-09-06 00:00:00 C:\WINDOWS\Tasks\At50.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 01:00:00 C:\WINDOWS\Tasks\At51.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 02:00:00 C:\WINDOWS\Tasks\At52.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 03:00:00 C:\WINDOWS\Tasks\At53.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 04:00:00 C:\WINDOWS\Tasks\At54.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 05:00:00 C:\WINDOWS\Tasks\At55.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 06:00:02 C:\WINDOWS\Tasks\At56.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 07:00:00 C:\WINDOWS\Tasks\At57.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 08:00:00 C:\WINDOWS\Tasks\At58.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 09:00:00 C:\WINDOWS\Tasks\At59.job
2007-09-06 10:00:00 C:\WINDOWS\Tasks\At60.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 11:00:00 C:\WINDOWS\Tasks\At61.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-07 12:00:02 C:\WINDOWS\Tasks\At62.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 13:00:00 C:\WINDOWS\Tasks\At63.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-04 14:00:06 C:\WINDOWS\Tasks\At64.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-05 15:00:02 C:\WINDOWS\Tasks\At65.job
2007-09-06 16:00:02 C:\WINDOWS\Tasks\At66.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 17:00:02 C:\WINDOWS\Tasks\At67.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 18:00:02 C:\WINDOWS\Tasks\At68.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 19:00:02 C:\WINDOWS\Tasks\At69.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 20:00:02 C:\WINDOWS\Tasks\At70.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-06 21:00:02 C:\WINDOWS\Tasks\At71.job - C:\WINDOWS\system32\puv0q5bP.exe
2007-09-05 22:00:02 C:\WINDOWS\Tasks\At72.job
2007-09-05 15:36:16 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-09-05 17:53:46 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-09-05 17:05:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
2007-09-05 18:14:52 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-07 13:58:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

Response Number 17

Name: jabuck
Date: September 7, 2007 at 19:13:18 Pacific

Reply:

The AT.tmp file did not get deleted, let's try a different method.
Please download “Avenger” by swandog46 to your desktop from this link Avenger
1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop
2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to delete:
C:\WINDOWS\system32\A74pSs8S.exe
C:\WINDOWS\system32\SkOh8wOv.exe
C:\WINDOWS\system32\puv0q5bP.exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
Navagate to and delete these files if found:
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
Then post a new combofix log please.

Response Number 18

Name: waseem
Date: September 8, 2007 at 13:15:27 Pacific

Reply:

Hello jabuck, i have donr as you asked,and i have deleted mentioned files from C:Windows-tasks folder. posting avenger log file.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sxpmbcng
*******************
Script file located at: \??\C:\Program Files\bwirstqv.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\A74pSs8S.exe not found!
Deletion of file C:\WINDOWS\system32\A74pSs8S.exe failed!
Could not process line:
C:\WINDOWS\system32\A74pSs8S.exe
Status: 0xc0000034
File C:\WINDOWS\system32\SkOh8wOv.exe not found!
Deletion of file C:\WINDOWS\system32\SkOh8wOv.exe failed!
Could not process line:
C:\WINDOWS\system32\SkOh8wOv.exe
Status: 0xc0000034

ComboFix 07-08-30.3 - "KING" 2007-09-08 21:10:46.7 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.820 [GMT 1:00]

((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))

2007-09-07 17:33 <DIR> d-------- C:\Program Files\BitComet
2007-09-07 16:55 <DIR> d-------- C:\Downloads
2007-09-06 18:54 <DIR> d-------- C:\Program Files\Security Task Manager
2007-09-06 18:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-09-05 16:58 12,219,419 --------- C:\AVG7QT.DAT
2007-09-05 16:58 <DIR> d-------- C:\DOCUME~1\Arooba\APPLIC~1\Uniblue
2007-09-05 16:03 <DIR> d-------- C:\Program Files\Uniblue
2007-09-05 16:03 <DIR> d-------- C:\DOCUME~1\KING\APPLIC~1\Uniblue
2007-09-05 12:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 18:59 <DIR> d-------- C:\Program Files\Intel
2007-09-03 20:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 17:58 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2007-09-03 17:58 2 -rahs---- C:\WINDOWS\winstart.bat
2007-09-03 17:55 <DIR> d-------- C:\Program Files\Greatis
2007-09-03 17:10 <DIR> d-------- C:\Program Files\emule
2007-09-03 08:50 <DIR> d-------- C:\Program Files\PestPatrol
2007-09-03 00:48 2,560 --a------ C:\WINDOWS\_MSRSTRT.exe
2007-09-03 00:29 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-09-02 23:29 359,040 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2007-09-01 23:12 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-09-01 23:12 11,264 --a------ C:\WINDOWS\Ulead iPhoto Express.SCR
2007-09-01 23:12 <DIR> d-------- C:\WINDOWS\ULEAD.DAT
2007-09-01 23:12 <DIR> d-------- C:\Program Files\Ulead iPhoto Express
2007-08-29 22:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-08-23 21:54 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-21 17:58 66,591 --a------ C:\WINDOWS\system32\drivers\el90xbc5.sys
2007-08-21 17:58 66,591 --a------ C:\WINDOWS\system32\dllcache\el90xbc5.sys
2007-08-18 21:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
2007-08-18 20:29 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-18 19:10 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2007-08-18 19:10 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2007-08-18 19:10 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2007-08-18 19:10 <DIR> d-------- C:\Program Files\VSO
2007-08-18 17:00 87,608 --a------ C:\DOCUME~1\KING\APPLIC~1\inst.exe
2007-08-18 17:00 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-08-18 17:00 47,360 --a------ C:\DOCUME~1\KING\APPLIC~1\pcouffin.sys
2007-08-18 17:00 <DIR> d-------- C:\DOCUME~1\KING\APPLIC~1\Vso
2007-08-18 12:02 <DIR> d-------- C:\Program Files\Smart Projects
2007-08-16 19:02 <DIR> d-------- C:\VProRecovery
2007-08-12 15:08 <DIR> d-------- C:\DOCUME~1\KING\APPLIC~1\Image Zone Express
2007-08-12 10:42 <DIR> d---s---- C:\DOCUME~1\Arooba\UserData

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-02 23:29 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-03 1rogram Files\PowerQuest
2007-08-02 1rogram Files\Common Files\Symantec Shared
2007-08-02 1OCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-02 1rogram Files\MagicISO
2007-08-01 1OCUME~1\KING\APPLIC~1\BitTorrent DNA
2007-07-29 2rogram Files\Microsoft Works
2007-07-29 2rogram Files\Microsoft.NET
2007-07-29 1rogram Files\SmartSound Software Inc
2007-07-29 1OCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-07-27 0rogram Files\AtomInterSoft
2007-07-26 10:35 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-07-25 1OCUME~1\ALLUSE~1\APPLIC~1\HP
2007-07-25 1OCUME~1\KING\APPLIC~1\HP
2007-07-15 1rogram Files\9Dragons
2007-07-10 1OCUME~1\KING\APPLIC~1\Hewlett-Packard
2007-07-10 1rogram Files\Common Files\Hewlett-Packard
2007-06-13 22:07 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2005-10-13 20:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-05-13 16:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 14:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-10-07 18:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2005-02-28 12:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2005-07-14 11:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2006-04-27 09:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 11:57]
"CookiePatrol"="c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 09:35]
"PestPatrol Control Center"="c:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49]
"PPMemCheck"="c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 08:53]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2003-12-15 14:57]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-23 22:16]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FolderGuard]
C:\Program Files\Folder Guard Pro\FGuard32.dll 2007-07-06 22:30 696320 C:\Program Files\Folder Guard Pro\FGuard32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
C:\Program Files\Evidence Eliminator\ee.exe /m
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
C:\PROGRA~1\Nero\NEROPH~1\data\xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Virgin.net Broadband\Dragdiag.exe" /icon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Updater]
C:\WINDOWS\system32\Sysupd\sysupd.exe -detach
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdService]
C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
R2 FGUARD32;FGUARD32;\??\C:\Program Files\Folder Guard Pro\FGUARD32.SYS
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
R3 wdm_tridwave;PCI288-Q3DII PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\tridwave.sys
S2 InCDsrvR;InCD Helper (read only);C:\Program Files\Ahead\InCD\InCDsrv.exe -r
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS
S3 RegGuard;RegGuard;\??\C:\WINDOWS\system32\Drivers\regguard.sys
S3 U81xbus;LGE U8XXX driver (WDM);C:\WINDOWS\system32\DRIVERS\U81xbus.sys
S3 U81xmdfl;LGE U8XXX USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\U81xmdfl.sys
S3 U81xmdm;LGE U8XXX USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\U81xmdm.sys
S3 U81xmgmt;LGE U8XXX USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\U81xmgmt.sys
S3 U81xobex;LGE U8XXX USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\U81xobex.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{327a8a60-0e91-11db-ad94-806d6172696f}]
AutoRun\command- E:\install.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{873b8618-5e35-11dc-ba8e-00110a97f864}]
AutoRun\command- F:\setupSNK.exe

Contents of the 'Scheduled Tasks' folder
2007-09-05 15:36:16 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-09-05 17:53:46 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-09-05 17:05:24 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
2007-09-05 18:14:52 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 21:12:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-08 21:12:42
C:\ComboFix-quarantined-files.txt ... 2007-09-08 21:12
C:\ComboFix3.txt ... 2007-09-07 13:59
C:\ComboFix2.txt ... 2007-09-07 14:14
--- E O F ---

Response Number 19

Name: jabuck
Date: September 8, 2007 at 13:22:54 Pacific

Reply:

Much Beter.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Download and install AVG Anti-Spyware We will need this later in safe mode
Be sure to update AVG Anti- Spyware
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot to normal and post the avg log please.

Response Number 20

Name: waseem
Date: September 8, 2007 at 13:58:10 Pacific

Reply:

Hello Jabuck,I'm DELIGHTED to see "Much Better". but i'm not able to re-boot in Safe Mode and i dont know why. on re-booting i press F8 and brings into few options including safe mode, start windows in normally etc etc so when i hit on safe mode it goes thru cycle (multi0 rdisk0 etc etc) it stops for few seconds and it re-boots again and bring me back to same option page. the only option works is "start windows normally" in other words no other option works and i tried over 100 times since last few days to go into safe mode. any other expert advice you can think of going to safe mode? the other way i tried to do it thru msconfig where i changed the boot.ini and checked /safeboot, this way caused me a big problem because on re-boot pc went into loop. i had to get another HD connect to my pc and my HD as slave to bring back things to normal.

Response Number 21

Name: waseem
Date: September 8, 2007 at 14:02:20 Pacific

Reply:

one thing i would like to mention is my HD is 200GB and i converted the whole drive as fat32 with no partition. OS is XP prof. could this safe mode problem due to this whole HD in fat32 ? as XP does not allow FAT32 format if HD is more than 32Gb.

Response Number 22

Name: jabuck
Date: September 8, 2007 at 14:24:09 Pacific

Reply:

Fix SafeBoot Reg key:
Download and run AVZ from rhis link Repair SafeBoot

Unzip it to a folder on your desktop. (must be unzipped to see the options)
Double click on AVZ.exe
Click on the file tab and then click on System recovery
Put a checkmark next to Restore SafeBoot registry keys
Click on Execute selected operations
Reboot the computer and try to boot into safe mode.

Response Number 23

Name: waseem
Date: September 8, 2007 at 14:36:58 Pacific

Reply:

Twice i tried with the way you mentioned, but there is NO LUCK.its still doing the same as before. posting log file.
Windows ver = 5.1
Windows build = 2600
Restore SafeBoot registry keys for XP
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
[microprogram of healing]> registry key created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
[microprogram of healing]> parameter changed of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}

Response Number 24

Name: jabuck
Date: September 8, 2007 at 16:04:50 Pacific

Reply:

Please run the two programs in response # 19 in normal mode and post the AVG report.

Response Number 25

Name: waseem
Date: September 9, 2007 at 07:57:00 Pacific

Reply:

I ran both programs as you said and this is AVG report.

AVG Anti-Spyware - Scan Report

+ Created at: 14:10:20 09/09/2007
+ Scan result:
Nothing found.

::Report end

Response Number 26

Name: jabuck
Date: September 9, 2007 at 15:19:03 Pacific

Reply:

By any change are you using a USB keyboard?

Response Number 27

Name: waseem
Date: September 10, 2007 at 14:04:44 Pacific

Reply:

dear jabuck, yes its a wireless USB Logitech keyboard + mouse (combo) model: Y-RK49 P/N for keyboard: 867318-0403 . when the problem in pc occured
AVG antiVirus found few infections including Logitech. i deleted all the files found by AVG. I dont know how to get AVG AV log file so i have
hand written from AVG virus vault. Keyboard has been problematic since all this happened, many of the symbol keys dont work, or if work then
unwanted symbols appear. eg ¬
< = backslash

4/9/07 Virus found Win32/PEPatch C:<Program Files<Logitech<iTouch<iTouch.exe
6/9/07 Virus found Win32/PEPatch C:<Windows<System32<igfxpers.exe
6/9/07 Virus found Win32/PEPatch C:<Windows<System32<hkcmd.exe
7/9/07 Virus found Win32/PEPatch C:<Windows<System32<igfxtray.exe
7/9/07 Virus identified Worm/Generic.DHT C:<Program Files<Trend micro<HijackThis<Hijack This.exe
7/9/07 Virus found Win32/PEPatch C:<System Volume Information<_restore{33737076-c9c4-41c0-9f66-c9fae48bcc1f}<rp2<a0005092.exe
7/9/07 Virus found Win32/PEPatch C:<System Volume Information<_restore{33737076-c9c4-41c0-9f66-c9fae48bcc1f}<rp2<a0005093.exe
8/9/07 Virus found Win32/PEPatch C:<System Volume Information<_restore{33737076-c9c4-41c0-9f66-c9fae48bcc1f}<rp2<a0008452.exe
8/9/07 Virus found Win32/PEPatch C:<System Volume Information<_restore{33737076-c9c4-41c0-9f66-c9fae48bcc1f}<rp2<a0008453.exe
8/9/07 Virus found Win32/PEPatch C:<System Volume Information<_restore{33737076-c9c4-41c0-9f66-c9fae48bcc1f}<rp2<a0008454.exe

Response Number 28

Name: jabuck
Date: September 10, 2007 at 16:02:50 Pacific

Reply:

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Run AFT Cleaner again.
Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.

Response Number 29

Name: jabuck
Date: September 10, 2007 at 16:08:18 Pacific

Reply:

You should have AFT Cleaner on your desktop but if not you can download it from response #19. Run it in normal mode.

Response Number 30

Name: waseem
Date: September 11, 2007 at 06:48:18 Pacific

Reply:

Hello jabuck, here is Kaspersky log.
---------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 11, 2007 2:38:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 11/09/2007
Kaspersky Anti-Virus database records: 413032
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 134627
Number of viruses found: 5
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 01:27:36
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\ZLT07c3f.TMP Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SIMBA.ldb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\KING\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\KING\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\KING\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\KING\Local Settings\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\KING\Local Settings\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\KING\Local Settings\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\KING\Local Settings\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\KING\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\KING\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\KING\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\KING\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\history.dat Object is locked skipped
C:\Documents and Settings\KING\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\parent.lock Object is locked skipped
C:\Documents and Settings\KING\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\cert8.db Object is locked skipped
C:\Documents and Settings\KING\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\key3.db Object is locked skipped
C:\Documents and Settings\KING\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\search.sqlite Object is locked skipped
C:\Documents and Settings\KING\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\KING\Application Data\Mozilla\Firefox\Profiles\4vzaoylb.default\flashgot.log Object is locked skipped
C:\Documents and Settings\KING\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{33737076-C9C4-41C0-9F66-C9FAE48BCC1F}\RP8\change.log Object is locked skipped

Scan process completed.

Response Number 31

Name: waseem
Date: September 11, 2007 at 07:05:29 Pacific

Reply:

Dear jabuck, there is a small but very annoying pop up. whenever i try to open MS word 2007 (installed on my pc) two small windows appear.
1st window is "Windows Installer" inside box it says 'preparing to install' and then 2nd small window appear "Setup" inside box it says 'This MSI must be launched through setup'. Unless i click OK 6 times on 2nd window it will not open MS word. same happens for few other programs which i dont remember right now, so would you please assist me on this. i need to get rid of these windows appearing.

Response Number 32

Name: jabuck
Date: September 11, 2007 at 19:57:49 Pacific

Reply:

I think ms word 2007 has a repair option.
Go to start>control panel>add/remove programs> right click on "microsoft word 2007"> choose the repair option.
If it does not exist just exit add/remove programs.

Sponsored Link

Ads by Google

Icons missing on desktop

mwinlodt adaware

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: svcipa.exe problem

smss.exe problem

Summary

www.computing.net/answers/security/smssexe-problem/10832.html

rundll32.exe problem

Summary

www.computing.net/answers/security/rundll32exe-problem/13961.html

svchost.exe problem

Summary

www.computing.net/answers/security/svchostexe-problem/21881.html

From the Geek Dictionary
graphics - The level of detail that something supplies in the images that it may show,...

Ask a Question!

Weekly Poll
What do you think of the new preview of Chrome OS?

Poll Finishes In 7 Days.
Discuss in The Lounge
Poll History

Recent Posts
Version Soluting

Sims Double Deluxe?!

can not reformat because Flash10C.OCX

automatic shut down

excel formulas

All Awaiting Reply

Tom's News
Woman Tracks Down Club Attacker on Facebook

Geolocation Functions Come to Twitter

New Craigslist Trend: Trade Sex for Rent?

Law Firm Investigates MS Over Xbox Live Bans

Amazon Charges $25 for Palm Pixi and $80 for Pre

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE