Topic: Please help me identify this annoying virus..
protoss (Topic Starter)
« on: November 22, 2009, 11:47:24 AM »

First, I beg your pardon for not beginning with those 3 logs. I intended to, but since my condition is getting worse, I decided to post my symptoms right away.

It all began yesterday, with two PDF documents [both exactly 511KB in size]. When I opened one of them, nothing happened. I screamed and cursed myself when I noticed that their extension was .exe and that it's impossible to have two different documents of exactly the same size. I deleted them immediately and ran my Task Manager. Oops, now it said "Task Manager has been disabled by administrator". No problem, I ran my process viewer and found a suspicious process:

c:\windows\system32\soundtmpshl.exe

I killed it, removed it from startup, and deleted it.

When all seemed clear... it wasn't. Today I noticed my mouse scroll didn't work. It must be a virus. But this time there was nothing suspicious in the process viewer. I searched for hidden files and found a strangely named html file, which I deleted immediately. Then I stumbled here. Short story: all 3 programs downloaded and ready to scan, but I decided to do it tomorrow. And... duh, my curiosity made everything worse. I accidentally opened one html file, and nothing happened again. It was too late when I figured out its extension was .exe, and now it's getting worse.

I ran the process viewer routine again, and now found one more suspicious program, plus the one deleted yesterday is now restored:

c:\windows\system32\soundtmpshl.exe
c:\windows\setrun.exe

Deleted 'em all, killed 'em all, and now this happens:

- the desktop is hidden when I run a program [no icons etc.], but fortunately I can still click "Show desktop" in the toolbar
- mouse scroll is still locked
- Task Manager is still locked

So far, I can describe the suspicious programs as: they have the Microsoft Word 2007 icon, their size is 544KB, they may restore themselves, and they started from .exe files that mimic pdf & htm [Firefox document].
« Last Edit: November 23, 2009, 10:03:53 AM by protoss »
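A way to check the two things protoss describes, added here as an example (it is not code from the thread or from any of the tools named in it): a directory listing is screened for executables wearing a document name, and an RSIT-style registry dump is screened for the policy values that lock Task Manager and regedit. The bait-extension list, the table of known policy names and the sample inputs are my assumptions; the sample dump is modelled on the Policies keys in the RSIT log posted later in the thread, with DisableTaskMgr set to 1 to reproduce the locked-out state reported above.

```python
"""Triage for the two symptoms above: executables styled as documents
(report.pdf.exe) and registry policy values that lock out Task Manager or
regedit.  Runs offline against a listing and a pasted RSIT-style dump."""
import re
from pathlib import PureWindowsPath

# Executable extensions: the PATHEXT value in the RSIT info.txt posted later
# in the thread, plus .scr/.pif, which Windows also runs on double-click.
EXECUTABLE_EXTS = {".com", ".exe", ".bat", ".cmd", ".vbs", ".vbe", ".js",
                   ".jse", ".wsf", ".wsh", ".scr", ".pif"}
# Extensions a dropper borrows as bait (assumed list; extend as needed).
BAIT_EXTS = {".pdf", ".htm", ".html", ".doc", ".docx", ".xls", ".txt", ".jpg"}
# Policy values that, when non-zero, produce the lock-outs described above
# (registry names are case-insensitive, so everything is compared lower-cased).
KNOWN_RESTRICTIONS = {
    "system": {"disabletaskmgr": "Task Manager disabled",
               "disableregistrytools": "regedit disabled",
               "disablecmd": "cmd.exe disabled"},
    "explorer": {"nodesktop": "desktop icons hidden",
                 "nofolderoptions": "Folder Options hidden",
                 "norun": "Run dialog removed"},
}
# Value names that legitimately live under those keys on a stock XP box.
BENIGN_POLICY_VALUES = {"dontdisplaylastusername", "legalnoticecaption",
                        "legalnoticetext", "shutdownwithoutlogon",
                        "undockwithoutlogon", "nodrivetypeautorun"}

def is_deceptive_name(name):
    """True for an executable whose name is styled as a document, e.g.
    'invoice.pdf.exe' or 'page.htm      .exe' (padding hides the .exe)."""
    suffixes = [s.strip().lower() for s in PureWindowsPath(name).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in BAIT_EXTS)

def find_deceptive(names):
    """Reduce a directory listing to its double-extension bait files."""
    return [n for n in names if is_deceptive_name(n)]

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')

def parse_registry_dump(text):
    """Parse the '[KEY]' / '"name"=data' blocks RSIT's log.txt prints into
    {key: {name: data}}; data stays a string ('' = value present, no data)."""
    dump, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = m.group("key")
            dump.setdefault(current, {})
        elif (m := _VALUE_RE.match(line)) and current is not None:
            dump[current][m.group("name")] = m.group("data").strip()
    return dump

def _is_set(data):
    """Non-zero DWORD data means the policy is active; '' or text means not."""
    return data.isdigit() and int(data) != 0

def restrictive_policies(dump):
    """Inspect every Policies\\System and Policies\\Explorer key in a parsed
    dump.  Returns (active, unknown): known lock-outs that are switched on,
    and value names that are not documented policy names and deserve a
    manual look, since malware parks its own data in these keys too."""
    active, unknown = [], []
    for key, values in dump.items():
        leaf = key.lower().rsplit("\\", 1)[-1]
        if "\\policies\\" not in key.lower() or leaf not in KNOWN_RESTRICTIONS:
            continue
        for name, data in values.items():
            lname = name.lower()
            if lname in KNOWN_RESTRICTIONS[leaf]:
                if _is_set(data):
                    active.append(f"{key}\\{name}: {KNOWN_RESTRICTIONS[leaf][lname]}")
            elif lname not in BENIGN_POLICY_VALUES:
                unknown.append(f"{key}\\{name}={data}")
    return active, unknown

# Constructed sample inputs: the listing mixes the names reported above with
# bait-style names; the dump copies the Policies keys from the RSIT log later
# in the thread, with DisableTaskMgr set to 1 to reproduce the locked state.
SAMPLE_NAMES = ["soundtmpshl.exe", "setrun.exe", "report.pdf.exe",
                "index.htm           .exe", "photo.jpg.scr", "readme.txt"]
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"runingtest"=136
"DisableTaskMgr"=1
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"""

if __name__ == "__main__":
    print("bait files:", find_deceptive(SAMPLE_NAMES))
    active, unknown = restrictive_policies(parse_registry_dump(SAMPLE_DUMP))
    print("active:", active, "\nunrecognised:", unknown)
```

Anything that comes back in the unknown list (in the sample, the "runingtest" value, which is not a documented Windows policy name) is a lead to follow, not a verdict: a value name on its own does not tell you what wrote it. The name check only covers the double-extension trick; an .exe with a borrowed Word icon and a plain name, as in the first post, has to be caught by its location, size or hash instead.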
harry 48
« Reply #1 on: November 22, 2009, 03:21:14 PM »

http://www.computerhope.com/forum/index.php/topic,46313.0.html

You will have to post the 3 logs from above; an expert will want to see them.

nadav224
« Reply #2 on: November 22, 2009, 07:42:57 PM »

Please post logs. :-\
protoss (Topic Starter)
« Reply #3 on: November 23, 2009, 10:01:58 AM »

Here are the 3 logs:

Quote
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/23/2009 at 02:56 AM

Application Version : 4.30.1004

Core Rules Database Version : 4303
Trace Rules Database Version: 2170

Scan type       : Complete Scan
Total Scan Time : 00:29:58

Memory items scanned      : 364
Memory threats detected   : 0
Registry items scanned    : 5711
Registry threats detected : 0
File items scanned        : 44989
File threats detected     : 4

Adware.Tracking Cookie
   C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@ak[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt

Quote
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

23/11/2009 21:54:36
mbam-log-2009-11-23 (21-54-36).txt

Scan type: Quick Scan
Objects scanned: 88491
Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:50:07, on 23/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3793 bytes

As for the desktop icons missing, everything is back to normal after I restarted.
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #4 on: November 23, 2009, 10:06:20 AM »

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt; please allow it).

* XP users: double click on dds to run it.
* If your antivirus or firewall tries to block DDS, please allow it to run.
* When finished, DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

protoss (Topic Starter)
« Reply #5 on: November 23, 2009, 10:21:55 AM »

I can't find attach.txt; only the following files were created on my desktop after running DDS:
active_setup.dat
DDS.txt
dbpath
dds02
temp01
files00
svclist.dat
temp00
xp.mac

DDS log:
Quote
DDS (Ver_09-11-23.01) - NTFSx86 
Run by Administrator at  0:11:52,40 on 24/11/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.616 [GMT 7:00]

AV: avast! antivirus 4.8.1356 [VPS 091123-1] *On-access scanning enabled* (Updated)   {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\BLUE CUBE Connection Manager\MODEM Mobile Connection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
evilfantasy (Malware Removal Specialist, Moderator)
« Reply #6 on: November 23, 2009, 10:23:49 AM »

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

* Double click on RSIT.exe to run.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open.
* log.txt <will be maximized and info.txt <will be minimized
* Please post the contents of both logs in the next reply.

protoss (Topic Starter)
« Reply #7 on: November 23, 2009, 10:34:37 AM »

info.txt:

Quote
info.txt logfile of random's system information tool 1.06 2009-11-24 00:27:39

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent-->"C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
ACDSee Pro-->MsiExec.exe /I{F99F74B4-972B-4B06-B893-6B3B0DB0128B}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Alkitab 2.70-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Alkitab 2.70\ST5UNST.LOG" 
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus-->C:\Program Files\Avast4\aswRunDll.exe "C:\Program Files\Avast4\Setup\setiface.dll",RunSetup
AVIVO Codecs-->MsiExec.exe /X{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}
BLUE CUBE Connection Manager-->"C:\Program Files\InstallShield Installation Information\{93D34EE3-99B3-4DB1-8B0A-0A657466F90D}\setup.exe" -runfromtemp -l0x0009 -removeonly
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
CorelDRAW Graphics Suite X3-->C:\Program Files\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CGSX3.log
CorelDRAW Graphics Suite X3-->MsiExec.exe /I{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}
EN-->MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
FontNav-->MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
Heroes of Might and Magic V-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{20071984-5EB1-4881-8EDB-082532ACEC6D}\Setup.exe" -l0x9
HijackThis 2.0.2-->"C:\Program Files\Trend Micro HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
ImTOO DVD Ripper-->C:\Program Files\ImTOODVD Ripper 4\Uninstall.exe
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
K-Lite Mega Codec Pack 4.9.5-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Mozilla Firefox (3.5.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Premium-->MsiExec.exe /I{11439F51-B8D2-4736-9CDF-8889FEBE1033}
Notepad++-->C:\Program Files\Notepad++\uninstall.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvunrm.exe UninstallGUI
Orbit Downloader-->"C:\Program Files\Orbitdownloader\unins000.exe"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe"  -uninstall
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9  -removeonly
Star Wars Empire at War-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99AE7207-8612-4DBA-A8F8-BAE5C633390D}\Setup.exe" -l0x9  -removeonly
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update Manager-->MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
Webshots Desktop-->"C:\Program Files\Webshots\unins000.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: avast! antivirus 4.8.1356 [VPS 091123-1]

======System event log======

Computer Name: J
Event Code: 11
Message: The driver detected a controller error on \Device\CdRom0.

Record Number: 939
Source Name: Cdrom
Time Written: 20091117202535.000000+420
Event Type: error
User:

Computer Name: J
Event Code: 11
Message: The driver detected a controller error on \Device\CdRom0.

Record Number: 938
Source Name: Cdrom
Time Written: 20091117202528.000000+420
Event Type: error
User:

Computer Name: J
Event Code: 11
Message: The driver detected a controller error on \Device\CdRom0.

Record Number: 937
Source Name: Cdrom
Time Written: 20091117202521.000000+420
Event Type: error
User:

Computer Name: J
Event Code: 11
Message: The driver detected a controller error on \Device\CdRom0.

Record Number: 936
Source Name: Cdrom
Time Written: 20091117202515.000000+420
Event Type: error
User:

Computer Name: J
Event Code: 11
Message: The driver detected a controller error on \Device\CdRom0.

Record Number: 935
Source Name: Cdrom
Time Written: 20091117202508.000000+420
Event Type: error
User:

=====Application event log=====

Computer Name: J
Event Code: 1517
Message: Windows saved user J\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 72
Source Name: Userenv
Time Written: 20091123025819.000000+420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: J
Event Code: 1517
Message: Windows saved user J\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 67
Source Name: Userenv
Time Written: 20091122203903.000000+420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: J
Event Code: 1517
Message: Windows saved user J\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 57
Source Name: Userenv
Time Written: 20091122051446.000000+420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: J
Event Code: 1517
Message: Windows saved user J\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 47
Source Name: Userenv
Time Written: 20091117233308.000000+420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: J
Event Code: 1517
Message: Windows saved user J\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 21
Source Name: Userenv
Time Written: 20091104224738.000000+420
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

log.txt:

Quote
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-11-24 00:27:37
Microsoft Windows XP Professional Service Pack 2
System drive C: has 44 GB (58%) free of 76 GB
Total RAM: 1023 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:27:38, on 24/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BLUE CUBE Connection Manager\MODEM Mobile Connection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ProcessViewer5215\PrcView.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{64FE78AC-CC70-4895-A192-085A37739E7F}: NameServer = 202.155.0.10 202.155.0.15
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4179 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll [2009-10-14 179472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java6\bin\jp2ssv.dll [2009-11-23 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\PROGRA~1\Avast4\ashDisp.exe [2009-09-15 81000]
"NWEReboot"= []
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=C:\Program Files\Java6\bin\jusched.exe [2009-11-23 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-16 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-11-22 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"runingtest"=136
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutorun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00f94e2d-70f7-11dc-b94e-001a4d0d2186}]
shell\Auto\command - AdobeR.exe e
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a45ed5a-b890-11de-bdf2-001a4d0d2186}]
shell\AutoRun\command - G:\ETS_Setup.exe


======List of files/folders created in the last 1 months======

2009-11-24 00:27:37 ----D---- C:\rsit
2009-11-23 23:44:42 ----D---- C:\WINDOWS\Sun
2009-11-23 23:39:06 ----A---- C:\WINDOWS\system32\javaws.exe
2009-11-23 23:39:06 ----A---- C:\WINDOWS\system32\javaw.exe
2009-11-23 23:39:05 ----A---- C:\WINDOWS\system32\java.exe
2009-11-23 23:38:49 ----D---- C:\Program Files\Java6
2009-11-23 22:44:14 ----D---- C:\Program Files\Java Ra
2009-11-23 22:04:30 ----D---- C:\Program Files\CCleaner
2009-11-23 21:44:59 ----D---- C:\Program Files\Trend Micro HijackThis
2009-11-23 21:25:44 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-11-23 21:25:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-23 21:25:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-23 19:16:54 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-11-23 19:16:54 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-11-23 00:51:24 ----D---- C:\Pazera_Free_Audio_Extractor
2009-11-23 00:38:47 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-23 00:38:34 ----D---- C:\Program Files\SUPERAntiSpyware
2009-11-23 00:38:34 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-11-22 23:19:32 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-11-22 21:17:43 ----D---- C:\Documents and Settings\Administrator\Application Data\Corel
2009-11-22 20:32:08 ----D---- C:\Documents and Settings\All Users\Application Data\InstallShield
2009-11-22 20:31:07 ----D---- C:\Program Files\CorelDRAW Graphics Suite 13
2009-11-22 20:31:07 ----D---- C:\Program Files\Common Files\Corel
2009-11-22 20:31:07 ----D---- C:\Documents and Settings\All Users\Application Data\Corel
2009-11-10 22:37:35 ----D---- C:\Program Files\BLUE CUBE Connection Manager
2009-11-09 02:20:12 ----D---- C:\Program Files\Common Files\Power Registry Cleaner
2009-11-04 14:36:51 ----A---- C:\WINDOWS\MugE.ini
2009-11-04 14:36:07 ----A---- C:\WINDOWS\system32\wingde.dll
2009-11-04 14:36:07 ----A---- C:\WINDOWS\system32\wing32.dll
2009-11-04 14:36:07 ----A---- C:\WINDOWS\system32\wing.dll
2009-11-03 01:28:30 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-10-28 03:31:39 ----A---- C:\WINDOWS\system32\chtbrkr.dll
2009-10-28 03:31:39 ----A---- C:\WINDOWS\system32\chsbrkr.dll
2009-10-28 03:31:38 ----A---- C:\WINDOWS\system32\msir3jp.dll
2009-10-28 03:31:38 ----A---- C:\WINDOWS\system32\korwbrkr.dll
2009-10-28 03:31:23 ----A---- C:\WINDOWS\system32\c_g18030.dll
2009-10-28 03:31:22 ----A---- C:\WINDOWS\system32\kbd101a.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbdnecNT.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbdnecAT.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbdnec95.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbdlk41j.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbdlk41a.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbdibm02.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbdax2.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbd106n.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\kbd101.dll
2009-10-28 03:31:12 ----A---- C:\WINDOWS\system32\f3ahvoas.dll
2009-10-28 03:30:51 ----A---- C:\WINDOWS\system32\c_is2022.dll
2009-10-28 03:30:48 ----A---- C:\WINDOWS\system32\uniime.dll
2009-10-28 03:30:42 ----A---- C:\WINDOWS\system32\imjp81k.dll
2009-10-27 19:14:58 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-10-27 19:14:56 ----D---- C:\Program Files\Avast4
2009-10-25 00:14:30 ----D---- C:\Program Files\uTorrent
2009-10-25 00:09:58 ----D---- C:\Documents and Settings\Administrator\Application Data\uTorrent

======List of files/folders modified in the last 1 months======

2009-11-24 00:25:59 ----D---- C:\WINDOWS\pss
2009-11-24 00:25:45 ----RD---- C:\Installer
2009-11-24 00:25:45 ----D---- C:\Downloads
2009-11-23 23:54:15 ----D---- C:\Program Files\Mozilla Firefox
2009-11-23 23:54:03 ----A---- C:\WINDOWS\ModemLog_HSPADataCard Proprietary USB Modem.txt
2009-11-23 23:44:42 ----D---- C:\WINDOWS
2009-11-23 23:43:09 ----D---- C:\WINDOWS\Temp
2009-11-23 23:39:28 ----SHD---- C:\WINDOWS\Installer
2009-11-23 23:39:06 ----D---- C:\WINDOWS\system32
2009-11-23 23:38:49 ----RD---- C:\Program Files
2009-11-23 23:37:59 ----D---- C:\Documents and Settings\Administrator\Application Data\Orbit
2009-11-23 22:06:40 ----D---- C:\WINDOWS\Minidump
2009-11-23 22:06:40 ----D---- C:\WINDOWS\Debug
2009-11-23 21:54:55 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-23 21:44:28 ----D---- C:\Naruto Shippudden
2009-11-23 21:25:40 ----D---- C:\WINDOWS\system32\drivers
2009-11-23 19:16:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-23 03:33:14 ----D---- C:\DOSgames
2009-11-22 23:19:32 ----D---- C:\Program Files\Common Files
2009-11-22 20:32:07 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-22 20:32:07 ----D---- C:\Program Files\Common Files\InstallShield
2009-11-22 20:31:38 ----D---- C:\WINDOWS\WinSxS
2009-11-22 20:31:28 ----RSD---- C:\WINDOWS\Fonts
2009-11-19 21:44:03 ----D---- C:\Bleach
2009-11-15 14:38:09 ----D---- C:\WINDOWS\Cursors
2009-11-10 22:40:33 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-10 22:40:03 ----A---- C:\WINDOWS\NeroDigital.ini
2009-11-10 22:39:07 ----HD---- C:\WINDOWS\inf
2009-11-10 22:39:07 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-11-10 22:37:48 ----D---- C:\WINDOWS\system32\SupportAppXL
2009-11-10 22:37:34 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-09 02:24:51 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-11-08 20:40:13 ----D---- C:\Smallville season 6
2009-11-08 03:24:25 ----D---- C:\DOSBox-0.72
2009-11-06 18:56:25 ----D---- C:\Program Files\SPSS16
2009-11-06 16:36:35 ----D---- C:\OpenTTD
2009-11-05 22:15:18 ----D---- C:\WINDOWS\system
2009-11-04 19:34:23 ----D---- C:\WebshotsCollection
2009-10-30 01:31:48 ----A---- C:\WINDOWS\system.ini
2009-10-28 03:31:38 ----D---- C:\WINDOWS\Help
2009-10-28 02:13:37 ----D---- C:\WINDOWS\system32\config
2009-10-27 19:08:14 ----D---- C:\Program Files\McAfee

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-09-15 27408]
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-09-15 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-09-15 52368]
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2001-08-23 12160]
R1 prcmondrv;prcmondrv; \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [2005-11-21 16512]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-09-15 94160]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-03-31 3960896]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-11-22 2829824]
R3 dtscsi;dtscsi; C:\WINDOWS\System32\Drivers\dtscsi.sys [2008-10-13 223128]
R3 HSPADataCardusbmdm;HSPADataCard Proprietary USB Driver; C:\WINDOWS\system32\DRIVERS\HSPADataCardusbmdm.sys [2008-07-24 105088]
R3 HSPADataCardusbnmea;HSPADataCard NMEA Port; C:\WINDOWS\system32\DRIVERS\HSPADataCardusbnmea.sys [2008-07-24 105088]
R3 HSPADataCardusbser6k;HSPADataCard Diagnostic Port; C:\WINDOWS\system32\DRIVERS\HSPADataCardusbser6k.sys [2008-07-24 105088]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-09-30 13056]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2008-06-05 10368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-09-15 23152]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\hmemdm.sys [2008-09-28 88960]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-09-30 34048]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 sermouse;Serial Mouse Driver; C:\WINDOWS\system32\DRIVERS\sermouse.sys [2001-08-23 17664]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Avast4\aswUpdSv.exe [2009-09-15 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-11-22 430080]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Avast4\ashServ.exe [2009-09-15 138680]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-11-22 520192]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-07-02 68096]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Avast4\ashMaiSv.exe [2009-09-15 254040]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Avast4\ashWebSv.exe [2009-09-15 352920]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
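The registry sections of the RSIT log above carry the most useful indicators in this thread. Two MountPoints2 keys record autorun.inf commands that Explorer saw on mounted volumes; one of them launches a bare `AdobeR.exe` resolved at the volume root, which is the pattern an autorun.inf on a removable drive leaves behind. `Policies\System` shows `DisableTaskMgr` (already back to 0 here, matching the poster's report that Task Manager works again) next to `runingtest`, which is not a documented policy value and deserves a manual look. `NoDriveTypeAutoRun`=145 (0x91) is the Windows XP default, and that default still permits autorun on removable, fixed and CD-ROM drives. The Python below is an added triage example; it is not part of the original post or of RSIT. The sample log text is copied from the entries above, and the policy value names it checks are limited to the ones in that log.

```python
"""Triage the registry sections of an RSIT-style log for autorun persistence.

Added example, not part of the original forum post and not RSIT's own code.
It splits a log into its [HKEY_...] blocks and reports:
  * MountPoints2 shell\\<verb>\\command entries (Explorer's memory of a
    volume's autorun.inf), marking those that launch an executable by a
    bare name resolved at the volume root;
  * DisableTaskMgr / DisableRegistryTools set to a non-zero value;
  * NoDriveTypeAutoRun decoded into the drive types on which autorun is
    still permitted (a set bit disables autorun for that drive type).
"""
import re

# Bit meanings of the NoDriveTypeAutoRun Explorer policy (GetDriveType names).
NODRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_RESERVED",
}

_KEY_RE = re.compile(r"\[(HKEY_[^\]]+)\]", re.I)
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
_MP_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)
_EXE_RE = re.compile(r"\S+\.exe\b", re.I)
_ABSOLUTE_RE = re.compile(r"^(?:[a-z]:\\|\\\\)", re.I)

# Constructed sample: the policy and MountPoints2 lines copied from the RSIT log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"runingtest"=136
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutorun"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00f94e2d-70f7-11dc-b94e-001a4d0d2186}]
shell\Auto\command - AdobeR.exe e
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a45ed5a-b890-11de-bdf2-001a4d0d2186}]
shell\AutoRun\command - G:\ETS_Setup.exe
"""


def autorun_still_enabled(value):
    """Drive types whose autorun is NOT disabled by this NoDriveTypeAutoRun value."""
    return [name for bit, name in NODRIVE_BITS.items() if not value & bit]


def parse_sections(log_text):
    """Map each [HKEY_...] header to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line:
            sections[current].append(line)
    return sections


def _launches_relative_exe(cmd):
    """True if any .exe named in the command lacks a drive letter or UNC prefix."""
    return any(not _ABSOLUTE_RE.match(t) for t in _EXE_RE.findall(cmd))


def triage(log_text):
    """Return findings as tuples; the first element names the finding type."""
    findings = []
    for key, lines in parse_sections(log_text).items():
        k = key.lower()
        if "\\mountpoints2\\" in k:
            volume_guid = key.rsplit("\\", 1)[-1]
            for line in lines:
                m = _MP_CMD_RE.match(line)
                if m:
                    verb, cmd = m.group(1), m.group(2).strip()
                    findings.append(("mountpoints2_autorun", volume_guid, verb, cmd,
                                     _launches_relative_exe(cmd)))
        elif k.endswith("\\policies\\system"):
            for line in lines:
                m = _VALUE_RE.match(line)
                if (m and m.group(1).lower() in ("disabletaskmgr", "disableregistrytools")
                        and m.group(2).strip().isdigit() and int(m.group(2)) != 0):
                    findings.append(("tool_disabled", m.group(1), int(m.group(2))))
        elif k.endswith("\\policies\\explorer"):
            for line in lines:
                m = _VALUE_RE.match(line)
                if m and m.group(1).lower() == "nodrivetypeautorun" and m.group(2).strip().isdigit():
                    value = int(m.group(2))
                    enabled = autorun_still_enabled(value)
                    if enabled:
                        findings.append(("autorun_permitted", key, value, enabled))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports four findings: autorun still permitted for removable, fixed, CD-ROM and RAM-disk drives under the HKCU policy (145 leaves bits 0x04, 0x08, 0x20 and 0x40 clear; 255 disables autorun everywhere), two MountPoints2 commands for the first volume that both resolve `AdobeR.exe` relative to the volume root, and one absolute `G:\ETS_Setup.exe` command that is an ordinary installer autorun. A MountPoints2 entry is a cache of what a volume's autorun.inf said, not proof that the executable ran on this machine, but a relative executable name there tells you a volume carrying that autorun.inf was connected, which is worth correlating with the `soundtmpshl.exe` and `setrun.exe` processes the poster described.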
evilfantasy
Malware Removal Specialist, Moderator
« Reply #8 on: November 23, 2009, 10:41:46 AM »

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
  • O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
protoss
Topic Starter
« Reply #9 on: November 23, 2009, 11:09:52 AM »

Forgot to close my connection manager before running combofix.. hope it's ok.

ComboFix 09-11-22.08 - Administrator 24/11/2009  0:50.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.594 [GMT 7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091123-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Administrator\My Documents\REG-Backup.reg
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll

.
(((((((((((((((((((((((((   Files Created from 2009-10-23 to 2009-11-23  )))))))))))))))))))))))))))))))
.

2009-11-23 17:27 . 2009-11-23 17:27   --------   d-----w-   C:\rsit
2009-11-23 16:44 . 2009-11-23 16:44   --------   d-----w-   c:\windows\Sun
2009-11-23 16:38 . 2009-11-23 16:39   --------   d-----w-   c:\program files\Java6
2009-11-23 16:38 . 2009-11-23 16:38   152576   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-23 15:44 . 2009-11-23 15:45   --------   d-----w-   c:\program files\Java Ra
2009-11-23 15:04 . 2009-11-23 15:04   --------   d-----w-   c:\program files\CCleaner
2009-11-23 14:44 . 2009-11-23 17:46   --------   d-----w-   c:\program files\Trend Micro HijackThis
2009-11-23 14:25 . 2009-11-23 14:25   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-23 14:25 . 2009-09-10 07:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 14:25 . 2009-11-23 14:25   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-11-23 14:25 . 2009-11-23 14:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 14:25 . 2009-09-10 07:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-23 12:16 . 2004-08-03 17:56   159232   ----a-w-   c:\windows\system32\ptpusd.dll
2009-11-23 12:16 . 2001-08-17 15:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
2009-11-23 12:16 . 2004-08-03 15:58   15104   -c--a-w-   c:\windows\system32\dllcache\usbscan.sys
2009-11-23 12:16 . 2004-08-03 15:58   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
2009-11-22 17:51 . 2009-11-22 18:06   --------   d-----w-   C:\Pazera_Free_Audio_Extractor
2009-11-22 17:38 . 2009-11-22 19:09   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-22 17:38 . 2009-11-22 17:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-22 17:38 . 2009-11-22 17:38   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-11-22 17:38 . 2009-11-22 17:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-11-22 16:19 . 2009-11-22 16:19   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-11-22 14:17 . 2009-11-22 14:17   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Corel
2009-11-22 13:32 . 2009-11-22 13:32   65536   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2009-11-22 13:32 . 2009-11-22 13:32   10134   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
2009-11-22 13:32 . 2009-11-22 13:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\InstallShield
2009-11-22 13:31 . 2009-11-22 13:32   --------   d-----w-   c:\program files\CorelDRAW Graphics Suite 13
2009-11-22 13:31 . 2009-11-22 13:31   --------   d-----w-   c:\program files\Common Files\Corel
2009-11-22 13:31 . 2009-11-22 13:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\Corel
2009-11-10 15:37 . 2008-07-24 07:40   105088   ----a-w-   c:\windows\system32\drivers\HSPADataCardusbser6k.sys
2009-11-10 15:37 . 2008-07-24 07:40   105088   ----a-w-   c:\windows\system32\drivers\HSPADataCardusbnmea.sys
2009-11-10 15:37 . 2008-07-24 07:40   105088   ----a-w-   c:\windows\system32\drivers\HSPADataCardusbmdm.sys
2009-11-10 15:37 . 2009-11-23 16:53   --------   d-----w-   c:\program files\BLUE CUBE Connection Manager
2009-11-10 15:33 . 2009-11-10 15:33   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\VAS_(http___www.vas-soft
2009-11-10 15:12 . 2009-11-10 15:12   --------   d-s---w-   c:\documents and settings\Administrator\UserData
2009-11-08 19:20 . 2009-11-08 19:20   --------   d-----w-   c:\program files\Common Files\Power Registry Cleaner
2009-11-06 08:08 . 2009-11-06 08:08   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Cooliris
2009-11-06 08:08 . 2009-11-06 08:08   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Radical Software Ltd
2009-11-05 15:15 . 1994-09-21 05:00   92208   ----a-w-   c:\windows\system\wing.dll
2009-11-05 15:15 . 1994-09-21 05:00   12800   ----a-w-   c:\windows\system\wing32.dll
2009-11-04 07:36 . 1994-09-21 05:00   92208   ----a-w-   c:\windows\system32\wing.dll
2009-11-04 07:36 . 1994-09-21 05:00   6736   ----a-w-   c:\windows\system32\wingdib.drv
2009-11-04 07:36 . 1994-09-21 05:00   12800   ----a-w-   c:\windows\system32\wing32.dll
2009-11-04 07:36 . 1994-08-24 05:00   188960   ----a-w-   c:\windows\system32\wingde.dll
2009-11-02 18:28 . 2009-11-23 16:38   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-10-27 20:30 . 2001-08-23 11:00   57398   -c--a-w-   c:\windows\system32\dllcache\imjpdadm.exe
2009-10-27 12:15 . 2009-09-15 10:54   23152   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-10-27 12:15 . 2009-09-15 10:54   52368   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-10-27 12:15 . 2009-09-15 10:53   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-10-27 12:15 . 2009-09-15 10:56   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-10-27 12:15 . 2009-09-15 10:56   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-10-27 12:15 . 2009-09-15 10:55   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-10-27 12:15 . 2009-09-15 10:55   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-10-27 12:15 . 2009-09-15 10:53   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-10-27 12:14 . 2009-09-15 10:59   1279968   ----a-w-   c:\windows\system32\aswBoot.exe
2009-10-27 12:14 . 2009-11-06 09:30   --------   d-----w-   c:\program files\Avast4

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 16:37 . 2009-10-20 04:42   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Orbit
2009-11-22 13:46 . 2007-07-18 16:29   51480   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-22 13:32 . 2007-07-21 08:24   --------   d-----w-   c:\program files\Common Files\InstallShield
2009-11-20 17:16 . 2009-10-24 17:09   --------   d-----w-   c:\documents and settings\Administrator\Application Data\uTorrent
2009-11-10 15:37 . 2007-07-21 08:25   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-11-06 11:56 . 2009-03-17 14:40   --------   d-----w-   c:\program files\SPSS16
2009-10-27 12:08 . 2007-07-26 12:04   --------   d-----w-   c:\program files\McAfee
2009-10-24 17:14 . 2009-10-24 17:14   --------   d-----w-   c:\program files\uTorrent
2009-10-23 17:37 . 2009-10-23 17:36   --------   d-----w-   c:\program files\K-Lite Codec Pack
2009-10-22 08:06 . 2009-10-22 08:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\agi
2009-10-21 09:31 . 2009-10-21 07:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2009-10-21 07:26 . 2009-10-21 07:24   1925024   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-20 14:37 . 2009-10-20 14:37   --------   d-----w-   c:\program files\Orbitdownloader
2009-10-20 04:44 . 2009-10-20 04:44   --------   d-----w-   c:\documents and settings\Administrator\Application Data\GrabPro
2009-10-18 13:50 . 2009-10-14 07:09   6444   ----a-w-   c:\windows\E220AutoRunLog.tmp
2009-10-16 14:43 . 2009-10-16 14:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-16 14:38 . 2009-10-16 14:38   --------   d-----w-   c:\program files\Yahoo!
2009-10-06 01:32 . 2009-10-06 01:32   3484   ----a-w-   c:\windows\system32\ealregsnapshot1.reg
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"SunJavaUpdateSched"="c:\program files\Java6\bin\jusched.exe" [2009-11-23 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [27/10/2009 19:15 114768]
R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [23/07/2007 19:21 18432]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/10/2009 19:15 20560]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13/10/2008 0:11 642560]
S3 HSPADataCardusbmdm;HSPADataCard Proprietary USB Driver;c:\windows\system32\drivers\HSPADataCardusbmdm.sys [10/11/2009 22:37 105088]
S3 HSPADataCardusbnmea;HSPADataCard NMEA Port;c:\windows\system32\drivers\HSPADataCardusbnmea.sys [10/11/2009 22:37 105088]
S3 HSPADataCardusbser6k;HSPADataCard Diagnostic Port;c:\windows\system32\drivers\HSPADataCardusbser6k.sys [10/11/2009 22:37 105088]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmemdm.sys [14/10/2009 14:09 88960]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 7408]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ujy2gyr3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\Java6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
AddRemove-HijackThis - c:\program files\Trend Micro HijackThis\HijackThis.exe
AddRemove-_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} - c:\program files\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}



**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-515967899-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD7A69B9-F4B6-0942-3772-9583745C1907}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iabiilinlibbdailpk"=hex:6b,61,67,64,62,65,6a,6a,6a,62,6a,6e,66,6d,6f,64,66,69,
   61,70,6a,66,00,00
"hadhckgkkbcbkeac"=hex:6b,61,67,64,6b,64,67,6a,6a,6f,67,69,68,70,70,6c,6b,6a,
   63,63,6d,65,00,00
"hanogfcldmnhpmfa"=hex:61,61,00,77
"hanogfclgngglbll"=hex:61,61,00,77
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-24 00:55
ComboFix-quarantined-files.txt  2009-11-23 17:54

Pre-Run: 47.061.393.408 bytes free
Post-Run: 47.106.138.112 bytes free

- - End Of File - - 36827F71584CCD653AFAF8E801BBE98B

Task Manager is now accessible, but avast fails to start because its skin doesn't load properly..
evilfantasy
Malware Removal Specialist, Moderator
« Reply #10 on: November 23, 2009, 11:12:22 AM »

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
    * Delete ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
protoss
Topic Starter

« Reply #11 on: November 23, 2009, 11:57:59 AM »

 :'( A terrible error occurred.. I mistyped "combofix / uninstall", so it ran and warned me to disable avast, while I can't find the avast icon anywhere, can't kill its process, and when I tried to open avast it failed..

Afraid of making bigger mistakes, I just restarted Windows manually, and now, after ComboFix has been uninstalled, a DOS cmd window keeps opening at every Windows startup notifying that ComboFix has been uninstalled..  :'(

evilfantasy (Malware Removal Specialist, Moderator)

« Reply #12 on: November 23, 2009, 11:59:35 AM »

Run a new HijackThis scan and post the log please.

protoss (Topic Starter)

« Reply #13 on: November 23, 2009, 01:14:23 PM »

hijackthis log:

Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:23, on 24/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java6\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BLUE CUBE Connection Manager\MODEM Mobile Connection.exe
C:\Program Files\Trend Micro HijackThis\sniper.exe
C:\Program Files\Java6\bin\javaws.exe
C:\Program Files\Java6\bin\javaw.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java6\bin\jusched.exe"
O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF15143.cfxxe" /c "C:\ComboFix\C.bat"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{64FE78AC-CC70-4895-A192-085A37739E7F}: NameServer = 202.155.0.10 202.155.0.15
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4298 bytes

About ESET, it found no threats.. and there was no 'Export to text file' option  ???
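As an added example (not from the thread or from HijackThis itself): a small Python triage of the O4 autostart lines in the log above, which singles out the leftover [combofix] entry by the two things that make it stand out from the avast!/Java/WMP/CTFMON entries, a target that is not a .exe and a directory outside Program Files / Windows. The trusted-directory list and the reason strings are assumptions of this example.

```python
import re

# One HijackThis O4 autostart line: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")             # trailing "(User 'SYSTEM')"
EXE_RE = re.compile(r"^(?P<exe>.*?\.[A-Za-z0-9]{2,5})(?:\s|$)")  # shortest prefix ending in an extension

# Assumption of this example: where the thread's legitimate autostarts live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# The O4 section of the HijackThis log posted in the thread, used as sample input.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java6\bin\jusched.exe"
O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF15143.cfxxe" /c "C:\ComboFix\C.bat"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
"""


def executable_of(cmd: str) -> str:
    """Return the program a Run command launches, for quoted and unquoted paths."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd


def triage_o4(log_text: str):
    """Return (name, exe, reasons) for autostarts worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        low = exe.lower()
        reasons = []
        if not low.endswith(".exe"):
            reasons.append("extension is not .exe")
        if not low.startswith(TRUSTED_DIRS):
            reasons.append("outside Program Files / Windows")
        if reasons:
            findings.append((m.group("name"), exe, reasons))
    return findings
```

Running `triage_o4(SAMPLE_O4)` returns only the combofix entry, which is the same line the next reply has checked and fixed in HijackThis.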

evilfantasy (Malware Removal Specialist, Moderator)

« Reply #14 on: November 23, 2009, 05:01:29 PM »

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF15143.cfxxe" /c "C:\ComboFix\C.bat"

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download OTM by OldTimer to your desktop.

Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:files
C:\ComboFix

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

* Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

protoss (Topic Starter)

« Reply #15 on: November 24, 2009, 09:17:27 AM »

OTM asked to reboot directly after processing.. hence, this log came from the Notepad that popped up afterwards, not from the Results window:

Quote
All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\ComboFix\N_ folder moved successfully.
C:\ComboFix folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 5287 bytes
->Temporary Internet Files folder emptied: 1257709 bytes
->Java cache emptied: 13696300 bytes
->FireFox cache emptied: 22048708 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 81920 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 2672312 bytes
 
Total Files Cleaned = 37,95 mb
 
 
OTM by OldTimer - Version 3.1.2.0 log created on 11242009_230447

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_494.dat moved successfully.

Registry entries deleted on Reboot...


evilfantasy (Malware Removal Specialist, Moderator)

« Reply #16 on: November 24, 2009, 06:15:02 PM »

You should be good to go now.

1. Double click OTM to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished exit out of OTM.

----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

protoss (Topic Starter)

« Reply #17 on: November 25, 2009, 09:41:24 AM »

I still need to confirm a few things - about the multiple programs that have been installed so far, is it safe to delete/uninstall 'em?

here is the list:

- TFC
- HJT
- CCleaner
- malwarebytes
- superantispyware

Coz isn't it better to have just one anti-spyware/malware tool to avoid slowdown? Which one do you recommend so far that I should use: Malwarebytes, SuperAntiSpyware, SpywareBlaster, or Spybot?

I ran Secunia:
Detection Statistics:
0 Programs Detected in Total
0 Insecure Versions Detected
0 Updated Versions Detected

and installed WOT

and got TuneUp Utilities from my friend. (It should be sufficient to have an all-in-one maintenance tool.)


evilfantasy (Malware Removal Specialist, Moderator)

« Reply #18 on: November 25, 2009, 09:45:40 AM »

Quote
Coz isn't it better to have just one anti-spyware/malware tool to avoid slowdown?

Update and run both SAS and MBAM now and then. The free versions don't run in real time so they won't interfere with anything. You can uninstall HJT. TFC is very good for cleaning out temp files. Use CCleaner daily (or so) and use TFC once a week or every other week.

Copyright © 2010 Computer Hope ® All rights reserved.