Log'N'Rock: SCVHOST VIRUS [RESOLVED] - Log'N'Rock



SCVHOST VIRUS [RESOLVED]

#1 hassaan

  • Log'N'Rocker
  • Group: Members
  • Posts: 25
  • Joined: 02-May 09

Posted 28 May 2009 - 09:48 AM

Hi,
I opened a USB and suddenly my PC became slow and the task manager and regedit were not working. There is a process known as scvhost. When I terminate it from Process Explorer my PC becomes fine and the task manager etc. work.

LOGFILE OF HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:09 PM, on 5/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\winsys2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hassaan\Desktop\dsfsdf\CryptLoad_1.1.6\RouterClient.exe
C:\Documents and Settings\Hassaan\Desktop\dsfsdf\CryptLoad_1.1.6\CryptLoad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1241963770109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241964081875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7216 bytes

#2 Fred Flintstone

  • Dave Gilmour
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender: Male
  • Location: Somerset

Posted 28 May 2009 - 11:40 AM

Hi hassan..

Run HijackThis
Click on do a system scan only
Place a check next to these lines (if still present):

F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe


Then close all windows and browsers except HijackThis and click Fix Checked

Then..
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Please post back the MBAM log and a fresh HJT log..
Thanks..
Fred..

PS: I am currently using a dodgy dial up connection after recently moving home, so please bear with me and I will be back as often as I can to check the thread.
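The three lines Fred asks to have fixed show two patterns worth checking for mechanically: a Winlogon Shell= value that launches something besides Explorer.exe, and an autorun or process entry whose file name is one character away from a core Windows binary (scvhost.exe versus svchost.exe). The script below is an added example, not code from this thread or from HijackThis; it scans HijackThis log text for those two patterns, and the sample log is constructed from entries posted above.

```python
"""Flag HijackThis log lines showing the persistence pattern in this thread:
a Shell= value that starts more than Explorer.exe, and file names that are
one-character lookalikes of core Windows binaries (scvhost.exe ~ svchost.exe).
Example code written for this thread; not part of HijackThis itself."""
import re
from typing import List, Optional, Tuple

# Core Windows binaries that malware commonly imitates with one-letter changes.
CORE_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe",
    "services.exe", "spoolsv.exe", "smss.exe", "ctfmon.exe", "rundll32.exe",
}

# Matches a bare *.exe file name; backslashes are excluded, so only the last
# path component is captured.
_EXE = re.compile(r"[\w.~$-]+\.exe", re.IGNORECASE)


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, one insertion or
    deletion, or one adjacent transposition (Damerau distance 1)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(name: str) -> Optional[str]:
    """Return the core binary that `name` imitates, or None if it is either an
    exact core binary or not close to any of them."""
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    for core in CORE_BINARIES:
        if edit_distance_le1(name, core):
            return core
    return None


def exe_names(text: str) -> List[str]:
    """All *.exe file names mentioned in one log line."""
    return [m.group(0) for m in _EXE.finditer(text)]


def scan_hjt_log(log: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for suspicious HijackThis log lines."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # F2 Shell hijack: a clean system.ini/Winlogon Shell names Explorer.exe only.
        shell = re.search(r"Shell=(.*)$", line, re.IGNORECASE)
        if line.startswith("F2 ") and shell:
            extras = [e for e in exe_names(shell.group(1)) if e.lower() != "explorer.exe"]
            if extras:
                findings.append(("shell-hijack:" + ",".join(extras), line))
                continue
        # Lookalike names anywhere else: running processes, O4 autoruns, O23 services.
        for exe in exe_names(line):
            core = lookalike_of(exe)
            if core:
                findings.append((f"lookalike:{exe}~{core}", line))
                break
    return findings


# Constructed sample: a handful of lines taken from the logs in this thread.
# winsys2.exe (also on Fred's fix list) is not a lookalike and is not flagged here.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winsys2.exe
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

if __name__ == "__main__":
    for reason, line in scan_hjt_log(SAMPLE_HJT_LOG):
        print(reason, "|", line)
```

The name check is a heuristic: it catches one-character imitations of well-known binaries, but an entry like winsys2.exe still needs a human or a signature scanner to judge.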

#3 hassaan

  • Log'N'Rocker
  • Group: Members
  • Posts: 25
  • Joined: 02-May 09

Posted 28 May 2009 - 01:00 PM

Hi,
I found a website regarding this virus ==>http://guideandtips.blogspot.com/2008/03/how-to-remove-scvhostexe-scvhostsexe.html

HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:46 PM, on 5/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1241963770109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241964081875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6800 bytes


LOGFILE OF MBAM


Malwarebytes' Anti-Malware 1.37
Database version: 2184
Windows 5.1.2600 Service Pack 3

5/27/2009 1:58:32 PM
mbam-log-2009-05-27 (13-58-32).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 50510
Time elapsed: 20 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This post has been edited by hassaan: 28 May 2009 - 01:03 PM


#4 Fred Flintstone

  • Dave Gilmour
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender: Male
  • Location: Somerset

Posted 29 May 2009 - 01:31 AM

Hi hassaan..

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Also update me on how your computer is running now..

Thanks..
Fred.

#5 hassaan

  • Log'N'Rocker
  • Group: Members
  • Posts: 25
  • Joined: 02-May 09

Posted 29 May 2009 - 06:58 AM

Hi,
My task manager and regedit are working.



LOGFILE OF COMBOFIX

ComboFix 09-05-28.07 - Hassaan 05/29/2009 11:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.990.680 [GMT 5:00]
Running from: c:\documents and settings\Hassaan\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Realtek\InstallShield\Desktop_.ini
c:\windows\system32\autorun.ini
c:\windows\system32\scvhost.exe
c:\windows\system32\setting.ini

----- BITS: Possible infected sites -----

hxxp://www.comodo.com
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2009-05-29 04:18 . 2009-05-29 04:18 -------- d-----w c:\documents and settings\Hassaan\Local Settings\Application Data\Scansoft
2009-05-28 13:36 . 2009-05-28 13:36 -------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-05-28 13:35 . 2009-05-29 06:25 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-28 13:34 . 2009-05-28 13:34 -------- d-----w c:\documents and settings\Hassaan\Application Data\Nuance
2009-05-28 13:31 . 2009-05-28 13:31 -------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-05-28 13:31 . 2009-05-28 13:31 -------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
2009-05-28 13:31 . 2009-05-28 13:31 -------- d-----w c:\program files\Common Files\Nuance
2009-05-28 13:30 . 2009-05-28 13:30 -------- d-----w c:\program files\Nuance
2009-05-28 13:30 . 2009-05-28 13:30 -------- d-----w c:\documents and settings\All Users\Application Data\Nuance
2009-05-28 13:30 . 2009-05-28 13:35 -------- d-----w c:\windows\speech
2009-05-27 08:33 . 2009-05-27 08:33 -------- d-----w c:\documents and settings\Hassaan\Application Data\Malwarebytes
2009-05-27 08:33 . 2009-05-26 08:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-27 08:33 . 2009-05-27 08:33 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-27 08:33 . 2009-05-26 08:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-27 08:33 . 2009-05-27 08:33 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-25 14:41 . 2009-05-25 14:41 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-25 14:37 . 2009-05-25 14:37 -------- d-----w c:\program files\Trend Micro
2009-05-25 08:56 . 2009-05-28 13:38 -------- d-----w c:\documents and settings\Hassaan\Application Data\Skype
2009-05-25 08:56 . 2009-05-25 08:56 -------- d-----r c:\program files\Skype
2009-05-25 08:56 . 2009-05-25 08:56 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-05-25 08:49 . 2008-04-13 19:09 5504 -c--a-w c:\windows\system32\dllcache\mstee.sys
2009-05-25 08:49 . 2008-04-13 19:09 5504 ----a-w c:\windows\system32\drivers\MSTEE.sys
2009-05-25 08:49 . 2008-04-13 19:16 10880 -c--a-w c:\windows\system32\dllcache\ndisip.sys
2009-05-25 08:49 . 2008-04-13 19:16 10880 ----a-w c:\windows\system32\drivers\NdisIP.sys
2009-05-25 08:49 . 2008-04-13 19:16 15232 -c--a-w c:\windows\system32\dllcache\streamip.sys
2009-05-25 08:49 . 2008-04-13 19:16 15232 ----a-w c:\windows\system32\drivers\StreamIP.sys
2009-05-25 08:48 . 2008-04-13 19:16 11136 -c--a-w c:\windows\system32\dllcache\slip.sys
2009-05-25 08:48 . 2008-04-13 19:16 11136 ----a-w c:\windows\system32\drivers\SLIP.sys
2009-05-25 08:48 . 2008-04-13 19:16 19200 -c--a-w c:\windows\system32\dllcache\wstcodec.sys
2009-05-25 08:48 . 2008-04-13 19:16 19200 ----a-w c:\windows\system32\drivers\WSTCODEC.SYS
2009-05-25 08:48 . 2008-04-13 19:16 85248 -c--a-w c:\windows\system32\dllcache\nabtsfec.sys
2009-05-25 08:48 . 2008-04-13 19:16 85248 ----a-w c:\windows\system32\drivers\NABTSFEC.sys
2009-05-25 08:48 . 2008-04-13 19:16 17024 -c--a-w c:\windows\system32\dllcache\ccdecode.sys
2009-05-25 08:48 . 2008-04-13 19:16 17024 ----a-w c:\windows\system32\drivers\CCDECODE.sys
2009-05-25 08:48 . 2009-05-25 08:48 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-25 08:48 . 2008-04-14 00:42 53760 -c--a-w c:\windows\system32\dllcache\vfwwdm32.dll
2009-05-25 08:48 . 2008-04-14 00:42 53760 ----a-w c:\windows\system32\vfwwdm32.dll
2009-05-25 08:47 . 2004-08-09 12:43 94208 ----a-w c:\windows\amcap.exe
2009-05-25 08:47 . 2004-07-30 13:50 286720 ----a-w c:\windows\vsnpstd3.exe
2009-05-25 08:47 . 2004-11-25 10:42 419200 ----a-w c:\windows\system32\drivers\snpstd3.sys
2009-05-25 08:47 . 2004-06-15 10:18 53248 ----a-w c:\windows\system32\dsnpstd3.dll
2009-05-25 08:47 . 2004-11-26 05:33 57344 ----a-w c:\windows\system32\rsnpstd3.dll
2009-05-25 08:47 . 2004-11-25 07:59 36864 ----a-w c:\windows\system32\vsnpstd3.dll
2009-05-25 08:47 . 2004-02-16 08:59 61440 ----a-w c:\windows\system32\csnpstd3.dll
2009-05-25 08:47 . 2009-05-25 08:47 -------- d-----w c:\program files\Common Files\snpstd3
2009-05-25 08:47 . 2004-08-06 10:48 20480 ----a-w c:\windows\usnpstd3.exe
2009-05-25 03:34 . 2009-05-25 03:34 -------- d-----w c:\program files\Winwap Technologies
2009-05-23 06:45 . 2009-05-23 06:45 -------- d-----w c:\program files\foxit
2009-05-21 16:08 . 2009-05-21 16:08 -------- d-----w c:\program files\MSECache
2009-05-21 14:19 . 2009-05-21 14:19 -------- d-----w c:\documents and settings\Hassaan\Application Data\Morpheus Software
2009-05-18 09:45 . 2009-05-18 09:45 -------- d-----w c:\program files\Yahoo!
2009-05-16 07:20 . 2009-05-16 07:20 -------- d-----w c:\program files\uTorrent
2009-05-16 07:20 . 2009-05-28 13:29 -------- d-----w c:\documents and settings\Hassaan\Application Data\uTorrent
2009-05-14 16:19 . 2009-05-15 05:14 -------- d-----w c:\documents and settings\Hassaan\Application Data\GrabPro
2009-05-14 16:19 . 2009-05-25 15:43 -------- d-----w c:\documents and settings\Hassaan\Application Data\Orbit
2009-05-14 16:19 . 2009-05-15 06:12 -------- d-----w c:\program files\Orbitdownloader
2009-05-14 12:32 . 2009-05-26 13:48 -------- d-----w C:\Downloads
2009-05-12 12:32 . 2009-05-12 13:49 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-05-12 12:30 . 2009-05-12 12:30 -------- d-----w c:\program files\Electronic Arts
2009-05-12 12:30 . 2009-05-12 12:30 1108 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-05-12 12:30 . 2009-05-12 12:30 -------- d-----w c:\documents and settings\Hassaan\Local Settings\Application Data\Downloaded Installations
2009-05-12 12:29 . 2009-05-12 12:29 -------- d-----w c:\documents and settings\Hassaan\Application Data\Leadertech
2009-05-12 12:12 . 2008-03-05 10:56 3786760 ----a-w c:\windows\system32\D3DX9_37.dll
2009-05-12 12:12 . 2007-07-19 13:14 3727720 ----a-w c:\windows\system32\d3dx9_35.dll
2009-05-12 12:12 . 2007-05-16 11:45 3497832 ----a-w c:\windows\system32\d3dx9_34.dll
2009-05-12 12:12 . 2007-04-04 13:53 81768 ----a-w c:\windows\system32\xinput1_3.dll
2009-05-12 12:12 . 2007-03-12 11:42 3495784 ----a-w c:\windows\system32\d3dx9_33.dll
2009-05-12 12:12 . 2006-11-29 08:06 3426072 ----a-w c:\windows\system32\d3dx9_32.dll
2009-05-12 12:12 . 2006-09-28 11:05 2414360 ----a-w c:\windows\system32\d3dx9_31.dll
2009-05-12 12:11 . 2005-05-26 10:34 2297552 ----a-w c:\windows\system32\d3dx9_26.dll
2009-05-12 12:08 . 2009-05-12 12:08 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-12 12:08 . 2009-05-12 12:08 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-05-12 12:08 . 2009-05-12 12:08 -------- d-----w c:\program files\DAEMON Tools Lite
2009-05-12 11:59 . 2009-05-12 11:59 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-05-12 11:59 . 2009-05-12 12:09 -------- d-----w c:\documents and settings\Hassaan\Application Data\DAEMON Tools Lite
2009-05-12 11:36 . 2009-05-25 14:22 -------- d-----w c:\windows\system32\oodag
2009-05-12 11:16 . 2009-05-12 11:16 -------- d-----w c:\documents and settings\Hassaan\Local Settings\Application Data\O&O
2009-05-12 05:30 . 2009-05-12 05:30 -------- d-sh--w c:\documents and settings\Hassaan\IECompatCache
2009-05-11 13:14 . 2009-05-11 13:14 -------- d-----w c:\documents and settings\Hassaan\Local Settings\Application Data\ESET
2009-05-11 13:04 . 2009-05-11 13:04 -------- d-sh--w c:\documents and settings\Hassaan\PrivacIE
2009-05-11 13:04 . 2001-08-23 14:00 4224 -c--a-w c:\windows\system32\dllcache\beep.sys
2009-05-11 13:04 . 2001-08-23 14:00 4224 ----a-w c:\windows\system32\drivers\beep.sys
2009-05-11 13:02 . 2009-05-11 13:02 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-05-11 12:59 . 2009-05-11 12:59 -------- d-----w c:\windows\Sun
2009-05-11 12:45 . 2008-04-13 19:15 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-05-11 12:37 . 2009-05-11 12:37 -------- d-sh--w c:\documents and settings\Hassaan\IETldCache
2009-05-11 12:34 . 2009-05-11 12:34 -------- d-----w c:\windows\ie8updates
2009-05-11 12:34 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-11 12:32 . 2009-05-11 12:33 -------- dc-h--w c:\windows\ie8
2009-05-11 11:15 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-11 11:15 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-11 11:15 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-11 11:15 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-11 11:15 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-11 11:15 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-11 11:15 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-05-11 11:15 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-11 11:15 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-11 11:15 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-11 11:15 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-11 11:15 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-11 11:14 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-11 11:14 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-11 11:13 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-05-11 11:11 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-05-11 11:11 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-05-11 11:11 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-05-11 11:08 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-05-11 11:07 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-05-11 11:07 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-05-11 11:07 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-05-11 10:41 . 2009-05-11 10:43 -------- d-----w c:\documents and settings\Hassaan\Local Settings\Application Data\KRX
2009-05-11 09:57 . 2009-05-11 12:34 -------- d--h--w c:\windows\$hf_mig$
2009-05-11 09:43 . 2009-05-11 09:43 -------- d-----w c:\windows\system32\Adobe
2009-05-11 05:23 . 2009-05-11 05:25 1915520 ----a-w c:\documents and settings\Hassaan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-10 14:02 . 2008-10-16 09:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-10 13:58 . 2008-10-16 09:09 43544 ----a-w c:\windows\system32\wups2.dll
2009-05-10 13:55 . 2009-05-10 13:55 -------- d-sh--w c:\documents and settings\Hassaan\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 06:25 . 2009-05-28 13:55 1074 ----a-w c:\documents and settings\Hassaan\Application Data\SAS7_000.DAT
2009-05-28 13:31 . 2009-05-10 06:36 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-25 08:47 . 2009-05-10 06:45 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-22 13:34 . 2009-05-10 08:13 22520 ----a-w c:\documents and settings\Hassaan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 11:22 . 2009-05-10 06:24 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-10 11:02 . 2009-05-10 11:02 -------- d-----w c:\program files\Common Files\Adobe
2009-05-10 07:55 . 2009-05-10 07:55 -------- d-----w c:\documents and settings\Hassaan\Application Data\ESET
2009-05-10 07:54 . 2009-05-10 07:54 -------- d-----w c:\program files\ESET
2009-05-10 07:54 . 2009-05-10 07:54 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-05-10 07:10 . 2009-05-10 07:10 -------- d-----w c:\program files\Microsoft ActiveSync
2009-05-10 07:03 . 2009-05-10 07:03 -------- d-----w c:\documents and settings\Hassaan\Application Data\Thinstall
2009-05-10 07:00 . 2009-05-10 06:59 -------- d-----w c:\documents and settings\All Users\Application Data\RoboForm
2009-05-10 06:59 . 2009-05-10 06:59 -------- d-----w c:\program files\Siber Systems
2009-05-10 06:52 . 2009-05-10 06:52 24064 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-526012ce-n\Decora-D3D.dll
2009-05-10 06:51 . 2009-05-10 06:51 315392 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4c78e227-n\jogl.dll
2009-05-10 06:51 . 2009-05-10 06:51 20480 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4c78e227-n\jogl_awt.dll
2009-05-10 06:51 . 2009-05-10 06:51 114688 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4c78e227-n\jogl_cg.dll
2009-05-10 06:51 . 2009-05-10 06:51 20480 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-70471e8f-n\gluegen-rt.dll
2009-05-10 06:51 . 2009-05-10 06:51 499712 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-27c75cb9-n\msvcp71.dll
2009-05-10 06:51 . 2009-05-10 06:51 499712 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-27c75cb9-n\jmc.dll
2009-05-10 06:51 . 2009-05-10 06:51 348160 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-27c75cb9-n\msvcr71.dll
2009-05-10 06:51 . 2009-05-10 06:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-10 06:51 . 2009-05-10 06:51 -------- d-----w c:\program files\Java
2009-05-10 06:51 . 2009-05-10 06:51 152576 ----a-w c:\documents and settings\Hassaan\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-10 06:46 . 2009-05-10 06:46 0 ----a-w c:\windows\nsreg.dat
2009-05-10 06:45 . 2009-05-10 06:45 -------- d-----w c:\program files\Realtek
2009-05-10 06:25 . 2009-05-10 06:25 -------- d-----w c:\program files\microsoft frontpage
2009-05-10 06:22 . 2009-05-10 06:22 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-28 09:47 . 2009-04-28 09:47 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-04-09 10:21 . 2009-04-09 10:21 55768 ----a-w c:\windows\system32\drivers\epfwtdi.sys
2009-04-09 10:21 . 2009-04-09 10:21 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys
2009-04-09 10:21 . 2009-04-09 10:21 133000 ----a-w c:\windows\system32\drivers\epfw.sys
2009-04-09 10:18 . 2009-04-09 10:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 10:10 . 2009-04-09 10:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-03-27 03:14 . 2009-05-10 06:36 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-07 23:34 . 2004-08-04 00:56 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-07 23:34 . 2004-08-04 00:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-07 23:33 . 2004-08-04 00:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-07 23:33 . 2004-08-04 00:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-07 23:32 . 2004-08-04 00:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-07 23:32 . 2004-08-04 00:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-07 23:31 . 2004-08-04 00:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-07 23:31 . 2004-08-04 00:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-07 23:31 . 2004-08-04 00:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-07 23:22 . 2001-08-23 14:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 00:56 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"SW20"="c:\windows\system32\sw20.exe" [2006-09-07 208896]
"SW24"="c:\windows\system32\sw24.exe" [2006-09-07 69632]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"snpstd3"="c:\windows\vsnpstd3.exe" [2004-07-30 286720]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-10-15 14864384]

[HKLM\~\startupfolder\C:^Documents and Settings^Hassaan^Start Menu^Programs^Startup^FIFA 09 Registration.lnk]
path=c:\documents and settings\Hassaan\Start Menu\Programs\Startup\FIFA 09 Registration.lnk
backup=c:\windows\pss\FIFA 09 Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\vga\G71-VN31020 (G)\NTGLM7X.sys --> e:\vga\G71-VN31020 (G)\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Hassaan\Application Data\Mozilla\Firefox\Profiles\60yekmw5.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 11:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"=<long hex value omitted>
.
Completion time: 2009-05-29 11:56
ComboFix-quarantined-files.txt 2009-05-29 06:56

Pre-Run: 7,899,598,848 bytes free
Post-Run: 7,886,147,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

269
0
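A triage helper for the kind of report posted above, as an added example that is neither ComboFix's own tooling nor part of this thread: it parses the file-listing lines and the "Reg Loading Points" lines and flags what a malware helper checks first (executables and hidden/system items in user-writable paths, a disabled Windows Firewall, autostart targets outside Windows or Program Files). The sample lines are copied from the log, except the `scvhost` autostart entry, which is constructed from the process name the poster reported so the autostart rule has something to fire on; the rules and path lists are my heuristics.

```python
"""Heuristic triage for a ComboFix-style report (added example, not ComboFix
code).  Findings are review prompts for an analyst, not malware verdicts: the
helper in this thread judged the real log clean."""
import re

# File listing lines: "<ts1> . <ts2> <size|-------->  <attrs>  <path>"
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+|-{8}) ([-a-z]{7}) (.+)$")
# Run-key lines: '"Name"="path" [date size]'  or  '"Name"="file" - path [date size]'
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"(?: - (.+?))? \[')

USER_WRITABLE = ("c:\\documents and settings\\", "c:\\windows\\temp\\")   # heuristic
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
SAFE_RUN_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # heuristic

def parse_file_line(line):
    """Return (path_lowercase, attrs) for a file-listing line, else None."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return m.group(5).lower(), m.group(4)

def flag_file(path, attrs):
    """Findings for one listed file/dir.  attrs positions are d c s h a r w."""
    findings = []
    if path.startswith(USER_WRITABLE) and path.endswith(EXEC_EXT):
        findings.append("executable in user-writable location")
    if "s" in attrs and "h" in attrs and path.startswith(USER_WRITABLE):
        findings.append("hidden+system item in user profile")
    return findings

def flag_registry_line(line):
    """Findings for one line of the 'Reg Loading Points' section."""
    s = line.strip()
    if s.startswith('"EnableFirewall"=') and s.split("=", 1)[1].strip().startswith("0"):
        return ["Windows Firewall disabled in standard profile"]
    m = RUN_RE.match(s)
    if m:
        target = (m.group(3) or m.group(2)).lower()   # resolved path if given
        if not target.startswith(SAFE_RUN_ROOTS):
            return ["autostart target outside Windows/Program Files: " + target]
    return []

def triage(report_lines):
    """Map each flagged report line to its list of findings."""
    out = {}
    for line in report_lines:
        parsed = parse_file_line(line)
        found = flag_file(*parsed) if parsed else flag_registry_line(line)
        if found:
            out[line.strip()] = found
    return out

# Sample input: lines copied from the log in this thread, plus one constructed
# autostart entry (the "scvhost" name the poster reported) to exercise the rule.
SAMPLE_REPORT = [
    r"2009-05-11 05:23 . 2009-05-11 05:25 1915520 ----a-w c:\documents and settings\Hassaan\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe",
    r"2009-05-10 13:55 . 2009-05-10 13:55 -------- d-sh--w c:\documents and settings\Hassaan\UserData",
    r"2009-04-09 10:21 . 2009-04-09 10:21 55768 ----a-w c:\windows\system32\drivers\epfwtdi.sys",
    r'"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]',
    r'"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]',
    r'"EnableFirewall"= 0 (0x0)',
    r'"scvhost"="c:\documents and settings\Hassaan\Local Settings\Temp\scvhost.exe" [2009-05-28 40960]',  # constructed
]
```

Against a full saved report, `triage(open(path).read().splitlines())` returns only the lines worth a second look; everything else is ignored.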

#6 User is offline   hassaan Icon

  • Log'N'Rocker
  • PipPip
  • Group: Members
  • Posts: 25
  • Joined: 02-May 09

Posted 29 May 2009 - 07:01 AM

I also want to ask you a question:
ComboFix has installed the Windows Recovery Console. Because of it, every time I boot my PC I get a black screen asking me to choose either Windows XP or the Windows Recovery Console. Is there any way that my Windows XP boots automatically without showing this screen???
0

#7 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 29 May 2009 - 01:07 PM

Hi hassaan...
Glad to hear things are running ok now..well done!

Regarding the timeout issue on boot, you can adjust that to a lower setting so that windows boots to the default OS (XP) after a specified number of seconds.
(Mine is set to only 3 seconds but I need to be quick if I want to select the console)!!

I can't post the actual instructions here as there are pictures in it and it would take a month to upload on this rubbish dial up connection I am using!!

HERE is the link to the information you need to adjust the settings.

Are you experiencing any further issues??

Fred..
0

#8 User is offline   hassaan Icon

  • Log'N'Rocker
  • PipPip
  • Group: Members
  • Posts: 25
  • Joined: 02-May 09

Posted 29 May 2009 - 01:21 PM

Hi,
I really appreciate your support. Everything's fine on my side. So after checking the logs, have you confirmed that I don't have malware now?
Secondly, please tell me how to remove ComboFix. Only tell me the instructions; no need to post pics.
0

#9 User is offline   hassaan Icon

  • Log'N'Rocker
  • PipPip
  • Group: Members
  • Posts: 25
  • Joined: 02-May 09

Posted 29 May 2009 - 01:45 PM

One more question
Which antivirus or internet security program is best in your opinion?
Which do you use?
0

#10 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 30 May 2009 - 01:07 AM

Deleted duplicate post.

This post has been edited by Fred Flintstone: 31 May 2009 - 12:47 AM

0

#11 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 30 May 2009 - 01:07 AM

Hi hassaan..
Looking ok to me!..

Please go to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u; it needs to be there.

The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


To your question:
Personally I am currently using the "paid" versions of Sunbelt's Kerio firewall and Vipre.
Seems to work well enough, though I have to say I used the free version of the firewall for years without any problems.
I use Vipre because I got a license for free in a competition :)

I also use Winpatrol

Here are some FREE AntiVirus programs,


It's all a matter of personal preference really, but my recommendation would be something like:
  • Kerio firewall
  • Antivir for the antivirus
  • and MalwareBytes (MBAM) for the antimalware


There are others available for free, and a multitude of paid programs, but MBAM is the best around at present; the free version you have already used, and the paid version includes "real time" protection as well!.

Some further info & suggestions:

Congratulations your machine appears to be clean! :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:


Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/...p2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com


Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy safe surfing!

Regards,

Fred...
0

#12 User is offline   hassaan Icon

  • Log'N'Rocker
  • PipPip
  • Group: Members
  • Posts: 25
  • Joined: 02-May 09

Posted 30 May 2009 - 04:46 AM

Hi,
I really thank you for your quick support all the time. This topic may be closed now and marked as RESOLVED. Again, thank you for your support.
0

#13 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 30 May 2009 - 10:03 AM

You are most welcome, hassaan, glad to have been of help!

Good luck.
0

#14 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 30 May 2009 - 10:11 AM

Since this issue appears to be resolved, this Topic is now closed. Should you need this thread reopened, please PM me or another Staff member, including the address of this thread and we will reopen it for you. :)
0
