I do use the Firefox browser, but the 'Firefox' option in ATF-Cleaner was disabled. So I went ahead with everything except the Firefox step:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
I do not use Opera.
Further, the program "Switch" was a MIDI to MP3 converter I installed a trial version of many months ago. I didn't know there was a dialer threat associated with it!?
The system used to (uncharacteristically) hang, until a few days ago. That hasn't happened for a while now, but it was very infrequent anyway. There are no other bothersome symptoms. Are we there yet?
The final ComboFix log follows:
ComboFix 07-12-07.5 - Tanmoy 2007-12-09 22:50:02.2 -
FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.113 [GMT 5.5:30]
Running from: C:\Documents and Settings\Tanmoy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tanmoy\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\Ekta\Desktop\DASKTOP\New Folder\clsReg.dll
D:\WINDOWS\Downloaded Program Files\NSupd9x.inf
D:\WINDOWS\Downloaded Program Files\UniDist.inf
D:\WINDOWS\INF\NSUPD9X.INF
F:\New Folder\New Folder\clsReg.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Ekta\Desktop\DASKTOP\New Folder\clsReg.dll
D:\WINDOWS\Downloaded Program Files\NSupd9x.inf
D:\WINDOWS\Downloaded Program Files\UniDist.inf
D:\WINDOWS\INF\NSUPD9X.INF
F:\New Folder\New Folder\clsReg.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.
2007-12-07 19:15 . 2007-12-07 19:15 <DIR> d-------- C:\Deckard
2007-12-05 22:26 . 2007-12-05 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-05 12:40 . 2007-12-05 12:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-05 12:40 . 2007-12-08 12:45 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-05 12:40 . 2007-12-08 12:45 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-05 12:40 . 2007-12-08 12:45 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-04 20:24 . 2007-12-04 20:24 <DIR> d-------- C:\Documents and Settings\Tanmoy\.housecall6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 03:57 6,659 ----a-w C:\WINDOWS\system32\drivers\EMLTDI.SYS
2007-11-06 03:57 30,208 ----a-w C:\WINDOWS\system32\drivers\ONLINENT.SYS
2007-11-06 03:57 12,416 ----a-w C:\WINDOWS\system32\drivers\SCREENNT.SYS
2007-11-06 03:57 --------- d-----w C:\Program Files\Quick Heal
2007-11-06 03:52 943 --sh--w C:\Program Files\folder.htt
2007-10-21 06:51 67,960 ----a-w C:\Documents and Settings\Ekta\Application Data\GDIPFONTCACHEV1.DAT
2007-08-24 12:35 66,784 ----a-w C:\Documents and Settings\Tanmoy\Application Data\GDIPFONTCACHEV1.DAT
2007-03-16 11:18 786,432 ---ha-w C:\Documents and Settings\Ekta\NTUSER.old.DAT
2003-12-08 08:34 827,392 ----a-w C:\Program Files\NPSWF32.dll
2001-08-23 06:00 2 --sh--w C:\Program Files\desktop.ini
1998-12-08 18:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-08 18:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-08 18:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-08 18:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-08 18:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-08 18:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( snapshot@2007-12-08_11.32.35.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 02:58:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-03-13 05:27:12 163,328 ----a-w C:\WINDOWS\ERDNT\subs\F3M\ERDNT.EXE
+ 2003-08-01 05:30:16 36,864 ----a-w C:\WINDOWS\LastGood\System32\ActiveScan\certdll.dll
- 2007-12-08 05:56:40 266,240 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-12-09 17:19:54 266,240 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-04 21:29]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 06:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 15:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 12:50]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2002-07-30 15:50 C:\WINDOWS\system32\nwiz.exe]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"Email Protection"="C:\PROGRA~1\QUICKH~1\emlproxy.exe" [2007-11-06 09:27]
"On-Line Protection"="C:\PROGRA~1\QUICKH~1\CATEYE.EXE" [2007-11-06 09:27]
C:\Documents and Settings\Ekta\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe [2006-05-23 17:17:00]
C:\Documents and Settings\Tanmoy\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe [2006-05-23 17:17:00]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2001-08-23 06:00 13312 --a------ C:\WINDOWS\System32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FX]
C:\WINDOWS\Downloaded Program Files\ieloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveVideo_in]
c:\program files\dialers\livevideo_in\livevideo_in.exe /noconnect
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 04:19 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"matlabserver"=2 (0x2)
R0 ScreenNT;ScreenNT;C:\WINDOWS\System32\drivers\ScreenNT.sys
R2 EMLSS;EMLSS;C:\WINDOWS\System32\drivers\emltdi.sys
R2 OnlineNT;OnlineNT;\??\C:\PROGRA~1\QUICKH~1\ONLINENT.SYS
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
S2 Office Source Engine Help;OESH;C:\Program Files\NetMeeting\msmsgs
S2 Timesvc;Windows Time Service Management Instrumentation;C:\WINDOWS\system32\svchost.exe -k netsvcs
S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Timesvc
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 14:30:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Tanmoy.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2007-03-27 17:03:54 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-12-09 22:56:17
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-09 22:57:37 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-08 11:33
.
--- E O F ---