# Error message on start up



## niits (Jun 27, 2008)

Hi , i ran a scan through zone alarm and found a number of trojans etc. I quarantined some and deleted some as instructed but now on startup i get the following error measssages:
Error loading c:\windows\MPKrnl.dll
Error loading c:\windows\MKMrnl.dll
The specified module could not be found.

Please help.
Thanks in advance.


----------



## WhitPhil (Oct 4, 2000)

Start > Run > MSCONFIG > Startup tab
If these are shown there, UNselect them.

Regardless, Post back a HJT log for review.


----------



## Mumbodog (Oct 3, 2007)

If they don't show up in msconfig, use this software to locate and delete the registry entries related to those 2 Dll's

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx


----------



## niits (Jun 27, 2008)

Thanks whitphil for your help...
I went into msconfig-startup but i could only see c:\windows\MPKrnl.dll, so i unchecked it and now it does not come up on start up but the second error message is still there...here is the Hjt log for your reference:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:29 PM, on 11/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\ZONELABS\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [MPMKrnl] rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\google picasa\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\google picasa\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - F:\installation setup\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - F:\installation setup\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179693418390
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F55BF9-16BE-4FE6-A2FC-E89381185423}: NameServer = 202.144.115.4,202.144.66.6
O20 - AppInit_DLLs: 01AFE3DC.dll,HBmhly.dll,HBZHUXIAN.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll (file missing)
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O21 - SSODL: Upnp - {DE01DA19-A6A8-EB80-4D47-248DEB2A9399} - C:\WINDOWS\system32\upnpsrv.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8478 bytes


----------



## dvk01 (Dec 14, 2002)

Download ComboFix from *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns


----------



## niits (Jun 27, 2008)

Thanks for your help here is the combo fix log:

ComboFix 08-11-14.01 - abc 2008-11-17 3:15:14.10 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.210 [GMT 5.5:30]
Running from: c:\documents and settings\abc\Desktop\ComboFix.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\abc\Local Settings\SysPr.prx
C:\u.exe
c:\windows\system32\01AFE3DC.dll
c:\windows\system32\08223B03.cfg
c:\windows\system32\122B901E.cfg
c:\windows\system32\16AF66EB.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\43ACDCC5.cfg
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\58FF3024.cfg
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\66AFCB56.dll
c:\windows\system32\755D0ED0.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9F684DE8.cfg
c:\windows\system32\B3721C07.cfg
c:\windows\system32\B3721C07.dll
c:\windows\system32\BA7EDF54.cfg
c:\windows\system32\C8FFD223.dll
c:\windows\system32\D7C79813.cfg
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DFEC5CB7.cfg
c:\windows\system32\DFEC5CB7.dll
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\E0D39066.cfg
c:\windows\system32\E3367679.cfg
c:\windows\system32\E4814792.cfg
c:\windows\system32\F65BDEC7.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_C39E8DB
-------\Service_c39e8db
-------\Service_ca99d57
-------\Service_d7b49fa
-------\Service_HBKernel32

((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-16 16:32 . 2008-11-16 16:32 d-------- c:\documents and settings\abc\Application Data\uTorrent
2008-11-16 03:13 . 2008-11-16 03:13 d-------- c:\documents and settings\abc\Application Data\SiteAdvisor
2008-11-14 00:02 . 2008-11-16 21:46 959 --a------ C:\rollback.ini
2008-11-13 22:46 . 2008-11-13 22:46 5,504 --a------ c:\windows\system32\f35ee9e.sys
2008-11-13 22:44 . 2008-11-13 22:44 13,085 --a------ c:\windows\system32\DA63E650.dll.vzr
2008-11-13 22:42 . 2008-11-13 22:42 296 --ahs---- c:\windows\system32\16AF66EB.cfg
2008-11-13 22:08 . 2008-11-13 22:08 d-------- c:\documents and settings\abc\Application Data\MailFrontier
2008-11-13 21:57 . 2008-10-09 14:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-13 21:34 . 2008-11-13 21:34 217,077 --a------ c:\windows\system32\2EF0D734.dll.vzr
2008-11-13 21:33 . 2008-11-13 21:33 12,617 --a------ c:\windows\system32\08223B03.dll.vzr
2008-11-13 21:32 . 2008-11-13 21:32 12,717 --a------ c:\windows\system32\5934EA2B.dll.vzr
2008-11-13 21:32 . 2008-11-13 21:32 204 --ahs---- c:\windows\system32\5934EA2B.cfg
2008-11-13 20:51 . 2008-11-13 20:51 204 --ahs---- c:\windows\system32\C8FFD223.cfg
2008-11-13 19:12 . 2008-11-13 19:12 11,958 --a------ c:\windows\system32\D7C79813.dll.vzr
2008-11-12 19:02 . 2008-11-12 19:02 184 --ahs---- c:\windows\system32\93DEE065.cfg
2008-11-12 18:58 . 2008-11-13 23:27 24,576 --a------ c:\windows\system32\HBZHUXIAN.dll.vzr
2008-11-12 18:42 . 2008-11-12 18:42 152 --ahs---- c:\windows\system32\01AFE3DC.cfg
2008-11-12 18:39 . 2008-11-13 22:46 468 --ahs---- c:\windows\system32\70B0129E.cfg
2008-11-12 18:39 . 2008-11-12 18:39 220 --ahs---- c:\windows\system32\F8E07BB2.cfg
2008-11-12 18:38 . 2008-11-12 18:38 244 --ahs---- c:\windows\system32\755D0ED0.cfg
2008-11-12 18:37 . 2008-11-12 18:37 217,351 --a------ c:\windows\system32\4FBFD5A4.dll.vzr
2008-11-12 18:37 . 2008-11-12 18:37 212 --ahs---- c:\windows\system32\4FBFD5A4.cfg
2008-11-12 18:36 . 2008-11-13 22:45 19,968 --a------ c:\windows\system32\HBmhly.dll.vzr
2008-11-12 18:34 . 2008-11-12 18:35 12,942 --a------ c:\windows\system32\58FF3024.dll.vzr
2008-11-12 18:33 . 2008-11-12 18:33 216,338 --a------ c:\windows\system32\3F21AA0C.dll.vzr
2008-11-12 18:33 . 2008-11-12 18:33 312 --ahs---- c:\windows\system32\3F21AA0C.cfg
2008-11-12 17:51 . 2008-11-12 17:51 d-------- c:\documents and settings\abc\Application Data\InstallShield
2008-11-08 13:12 . 2008-11-08 13:12 d-------- c:\documents and settings\abc\Application Data\Media Player Classic
2008-11-07 22:59 . 2008-11-07 22:59 d-------- c:\program files\K-Lite Codec Pack
2008-11-07 22:40 . 2008-11-17 03:17 670,240 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-07 22:40 . 2008-11-17 03:17 10,052 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-07 22:37 . 2008-10-09 14:25 73,104 --a------ c:\windows\zllsputility.exe
2008-11-07 22:36 . 2008-11-07 22:36 d-------- c:\windows\system32\ZoneLabs
2008-11-07 22:36 . 2008-11-07 22:36 d-------- c:\program files\Zone Labs
2008-11-07 22:36 . 2008-11-17 03:18 349,222 --a------ c:\windows\system32\vsconfig.xml
2008-11-05 22:09 . 2008-11-05 22:09 d-------- C:\New Folder
2008-11-05 22:09 . 2008-11-05 22:09 d-------- c:\documents and settings\New Folder (6)
2008-10-31 02:05 . 2008-10-31 02:05 d-------- c:\program files\MSXML 4.0
2008-10-27 01:53 . 2008-11-07 22:10 26,356 --a------ C:\logfile
2008-10-27 01:50 . 2008-10-27 01:50 d-------- c:\windows\system32\DRVSTORE
2008-10-27 01:49 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-10-27 01:49 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-10-27 01:49 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2008-10-27 01:49 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-10-27 01:45 . 2008-10-27 01:45 d-------- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 21:47 93,142 ------w c:\windows\Internet Logs\vsmon_2nd_2008_11_17_03_13_14_small.dmp.zip
2008-11-16 21:47 89,378 ------w c:\windows\Internet Logs\vsmon_2nd_2008_11_17_03_13_01_small.dmp.zip
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-06 13:36 10,752 ----a-w c:\windows\DCEBoot.exe
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 11:13 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-21 09:52 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
2008-08-28 10:04 333,056 ----a-w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2007-05-23 11:36 1,506 ----a-w c:\program files\Mozilla Firefox.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 185896]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-03 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="f:\google picasa\Picasa2\PicasaMediaDetector.exe" [2007-10-24 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 22:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
-ra------ 2005-11-22 18:12 1060864 c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMax]
--a------ 2005-09-07 15:35 716800 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2005-05-19 17:11 925696 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-09 01:46 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-27 17:14 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2004-10-27 15:21 61952 c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2005-03-07 11:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\Games\\Test Drive 3 Car Game\\Game Files\\TDOR3.exe"=
"f:\\Games\\Age Of Empire-II\\empires2.exe"=
"f:\\Games\\jeet\\Age Of Empire-II\\empires2.exe"=
"f:\\Games\\m madness\\midtown.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"f:\\installation setup\\torrent\\uTorrent.exe"=

R3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys [2007-03-19 792576]
S3 de8296f;de8296f;\??\c:\windows\system32\de8296f.sys []
S3 f35ee9e;f35ee9e;\??\c:\windows\system32\f35ee9e.sys [2008-11-13 5504]
.
Contents of the 'Scheduled Tasks' folder

2008-05-17 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
HKLM-Explorer_Run-MPMKrnl - c:\windows\MKMKrnl.dll
ShellExecuteHooks-<NO NAME> - (no file)
ShellExecuteHooks-{3F21AA0C-2A9E-4BE9-9083-9E58AB41BA01} - 3F21AA0C.dll
ShellExecuteHooks-{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96} - 4FBFD5A4.dll
ShellExecuteHooks-{755D0ED0-3996-4ADB-9B1F-AD8F0E9E4738} - 755D0ED0.dll
ShellExecuteHooks-{F8E07BB2-7A19-4057-80F1-E14646E630B4} - F8E07BB2.dll
ShellExecuteHooks-{70B0129E-726E-4789-A7C0-5DDC33241E94} - 70B0129E.dll
ShellExecuteHooks-{01AFE3DC-2242-436E-9B44-6DD1C664E828} - 01AFE3DC.dll
ShellExecuteHooks-{93DEE065-EC9B-4505-ADD3-19880AD3C38F} - 93DEE065.dll
ShellExecuteHooks-{C8FFD223-C0FB-40C5-94A0-FD7891AC18E9} - C8FFD223.dll
ShellExecuteHooks-{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40} - 5934EA2B.dll
ShellExecuteHooks-{16AF66EB-93C8-49F9-BB09-B4F87CEDCE46} - 16AF66EB.dll
SSODL-Upnp-{DE01DA19-A6A8-EB80-4D47-248DEB2A9399} - c:\windows\system32\upnpsrv.dll
MSConfigStartUp-MPKrnl - c:\windows\MPKrnl.dll
MSConfigStartUp-OfficeScanNT Monitor - c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe
MSConfigStartUp-SpywareTerminator - c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe
MSConfigStartUp-Uninstall_CToolbar - c:\docume~1\abc\LOCALS~1\Temp\CUninst.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\abc\Application Data\Mozilla\Firefox\Profiles\rul33g0j.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - f:\installation setup\quick time\Plugins\npqtplugin.dll
FF -: plugin - f:\installation setup\quick time\Plugins\npqtplugin2.dll
FF -: plugin - f:\installation setup\quick time\Plugins\npqtplugin3.dll
FF -: plugin - f:\installation setup\quick time\Plugins\npqtplugin4.dll
FF -: plugin - f:\installation setup\quick time\Plugins\npqtplugin5.dll
FF -: plugin - f:\program\plugins\npdsplay.dll
FF -: plugin - f:\program\plugins\NPOFFICE.DLL
FF -: plugin - f:\program\plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 03:19:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ZONELABS\VSMON.EXE
c:\windows\SYSTEM32\ZONELABS\AVSYS\SCANNINGPROCESS.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WgaTray.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-11-17 3:20:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-16 21:50:38

Pre-Run: 19,944,521,728 bytes free
Post-Run: 19,915,980,800 bytes free

257 --- E O F --- 2008-11-16 09:22:24

HIjack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:53 AM, on 11/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MPKrnl] rundll32 "C:\WINDOWS\MPKrnl.dll",KrnlMsgProc
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [Uninstall_CToolbar] "C:\DOCUME~1\abc\LOCALS~1\Temp\CUninst.exe" "/remove"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\google picasa\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\google picasa\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - F:\installation setup\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - F:\installation setup\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179693418390
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F55BF9-16BE-4FE6-A2FC-E89381185423}: NameServer = 202.144.115.4,202.144.66.6
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8685 bytes


----------



## dvk01 (Dec 14, 2002)

download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

This will create a zip file inside C:\QooBox\ named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]


----------



## dvk01 (Dec 14, 2002)

post teh combofix log & tell us how it is now please


----------



## niits (Jun 27, 2008)

Hey thanks for helping me out,
I submitted the file as instructed by the pop up on screen .
one thing i'd like to inform is that when combofix started , i got a message stating that it had expired and will continue in reduced functionality mode, i went ahead with that.

Here's the combo fix log:
ComboFix 08-11-14.01 - abc 2008-11-25 14:55:33.11 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.224 [GMT 5.5:30]
Running from: c:\documents and settings\abc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\abc\Desktop\CFScript.txt
* Created a new restore point
*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\01AFE3DC.cfg
c:\windows\system32\16AF66EB.cfg
c:\windows\system32\2EF0D734.dll.vzr
c:\windows\system32\3F21AA0C.cfg
c:\windows\system32\3F21AA0C.dll.vzr
c:\windows\system32\4FBFD5A4.cfg
c:\windows\system32\4FBFD5A4.dll.vzr
c:\windows\system32\58FF3024.dll.vzr
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\5934EA2B.dll.vzr
c:\windows\system32\70B0129E.cfg
c:\windows\system32\755D0ED0.cfg
c:\windows\system32\93DEE065.cfg
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\D7C79813.dll.vzr
c:\windows\system32\DA63E650.dll.vzr
c:\windows\system32\f35ee9e.sys
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\HBmhly.dll.vzr
c:\windows\system32\HBZHUXIAN.dll.vzr
.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.
2008-11-16 16:32 . 2008-11-16 16:32 d-------- c:\documents and settings\abc\Application Data\uTorrent
2008-11-16 03:13 . 2008-11-16 03:13 d-------- c:\documents and settings\abc\Application Data\SiteAdvisor
2008-11-14 00:02 . 2008-11-25 13:14 2,867 --a------ C:\rollback.ini
2008-11-13 22:08 . 2008-11-13 22:08 d-------- c:\documents and settings\abc\Application Data\MailFrontier
2008-11-13 21:57 . 2008-10-09 14:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-12 17:51 . 2008-11-12 17:51 d-------- c:\documents and settings\abc\Application Data\InstallShield
2008-11-08 13:12 . 2008-11-08 13:12 d-------- c:\documents and settings\abc\Application Data\Media Player Classic
2008-11-07 22:59 . 2008-11-07 22:59 d-------- c:\program files\K-Lite Codec Pack
2008-11-07 22:40 . 2008-11-24 23:09 1,146,912 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-07 22:40 . 2008-11-24 23:09 16,340 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-07 22:37 . 2008-10-09 14:25 73,104 --a------ c:\windows\zllsputility.exe
2008-11-07 22:36 . 2008-11-07 22:36 d-------- c:\windows\system32\ZoneLabs
2008-11-07 22:36 . 2008-11-07 22:36 d-------- c:\program files\Zone Labs
2008-11-07 22:36 . 2008-11-25 13:05 349,222 --a------ c:\windows\system32\vsconfig.xml
2008-11-05 22:09 . 2008-11-05 22:09 d-------- C:\New Folder
2008-11-05 22:09 . 2008-11-05 22:09 d-------- c:\documents and settings\New Folder (6)
2008-10-31 02:05 . 2008-10-31 02:05 d-------- c:\program files\MSXML 4.0
2008-10-27 01:53 . 2008-11-07 22:10 26,356 --a------ C:\logfile
2008-10-27 01:50 . 2008-10-27 01:50 d-------- c:\windows\system32\DRVSTORE
2008-10-27 01:49 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-10-27 01:49 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-10-27 01:49 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2008-10-27 01:49 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-10-27 01:45 . 2008-10-27 01:45 d-------- c:\documents and settings\All Users\Application Data\Kodak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 16:59 2,764,800 ------w c:\windows\Internet Logs\xDB1.tmp
2008-11-18 22:29 92,290 ------w c:\windows\Internet Logs\vsmon_2nd_2008_11_19_03_58_52_small.dmp.zip
2008-11-18 22:29 88,654 ------w c:\windows\Internet Logs\vsmon_2nd_2008_11_19_03_58_45_small.dmp.zip
2008-11-16 21:47 93,142 ------w c:\windows\Internet Logs\vsmon_2nd_2008_11_17_03_13_14_small.dmp.zip
2008-11-16 21:47 89,378 ------w c:\windows\Internet Logs\vsmon_2nd_2008_11_17_03_13_01_small.dmp.zip
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-06 13:36 10,752 ----a-w c:\windows\DCEBoot.exe
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 11:13 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
2008-08-28 10:04 333,056 ----a-w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2007-05-23 11:36 1,506 ----a-w c:\program files\Mozilla Firefox.lnk
.
((((((((((((((((((((((((((((( [email protected]_ 3.19.56.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-16 21:48:02 282,076 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-11-25 09:23:34 291,260 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-11-13 18:57:16 10,272,310 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2008-11-21 16:21:58 10,346,117 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
- 2008-11-16 16:12:44 2,697,728 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-11-25 07:54:24 2,748,416 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-09 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 185896]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-11-22 1060864]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"VTTimer"="VTTimer.exe" [2005-03-07 c:\windows\system32\VTTimer.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="f:\google picasa\Picasa2\PicasaMediaDetector.exe" [2007-10-24 443968]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\Games\\Test Drive 3 Car Game\\Game Files\\TDOR3.exe"=
"f:\\Games\\Age Of Empire-II\\empires2.exe"=
"f:\\Games\\jeet\\Age Of Empire-II\\empires2.exe"=
"f:\\Games\\m madness\\midtown.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"f:\\installation setup\\torrent\\uTorrent.exe"=
R3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys [2007-03-19 792576]
S3 de8296f;de8296f;\??\c:\windows\system32\de8296f.sys []
S3 f35ee9e;f35ee9e;\??\c:\windows\system32\f35ee9e.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-05-17 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Uninstall_CToolbar - c:\docume~1\abc\LOCALS~1\Temp\CUninst.exe
HKLM-Run-SpywareTerminator - c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe
HKLM-Run-OfficeScanNT Monitor - c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe
HKLM-Run-MPKrnl - c:\windows\MPKrnl.dll
ShellExecuteHooks-<NO NAME> - (no file)

**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 14:55:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-25 14:56:22
ComboFix-quarantined-files.txt 2008-11-25 09:26:20
ComboFix2.txt 2008-11-16 21:50:48
Pre-Run: 20,092,043,264 bytes free
Post-Run: 20,098,891,776 bytes free
167 --- E O F --- 2008-11-16 09:22:24


----------



## dvk01 (Dec 14, 2002)

Delete any existing version of ComboFix you have sitting on your desktop

Download ComboFix from *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

then

download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

This will create a zip file inside C:\QooBox\ named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]

Note: There might NOT be a zip file this time so don't worry if there isn't one


----------



## dvk01 (Dec 14, 2002)

At least one of those files is password stealer that steals your email address & passwords as well as game & other passwords & log ons

Once we are sure it is clean 

You had multiple keyloggers on there and they are designed to steal your private information. That includes all passwords, log ins to forums and your email details & other websites and most of all your Bank, Credit card or Paypal details.
It is vital that after you have been cleaned up you change all your passwords and it is necessary to get in touch with your Bank or other financial body to inform them that your details may ( probably have ) been stolen
They are also able to read all your emails so anything you have emailed to anybody is no longer confidential


----------

