
System Infected... Need help!

Hi,

My system is complaining that there is spyware on the system. The problem is that 'TaskManager' doesn't open, so I'm not able to see any malicious programs in the list.

My system is running on Win XP with Pentium P III.

I've attached the "HijackThis" log file below.

I had Ad-Aware. When I install a plug-in, it complains that the plug-in is not valid, so I have not been able to run a complete check from my end.

Regards,

Rajesh

Logfile of HijackThis v1.99.1
Scan saved at 8:35:36 AM, on 12/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svohost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Windows\xpupdate.exe
C:\winstall.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ramleela\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [17B1E2D8] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\RunServices: [FD84C99D] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\ramleela\LOCALS~1\Temp\B.tmp
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - Startup: svchost.exe
O4 - Startup: dgyrwydy.t
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: fNSXYZETUiRVqZXRt - {8C5CFB61-26F6-51CB-D212-F7928FC48082} - C:\WINDOWS\System32\kdcy.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - C:\WINDOWS\System32\icf.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
Your log is very difficult to read.
Kindly turn off the word wrap feature in your text editor.
With notepad, this can be done by going to Format -> untick "Word Wrap".

Then post a fresh log
Thanks for your reply. Wish you a HAPPY NEW YEAR.

Attached below is the "un-word-wrapped log file"

Logfile of HijackThis v1.99.1
Scan saved at 8:35:36 AM, on 12/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svohost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Windows\xpupdate.exe
C:\winstall.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ramleela\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login...&.done=http://my.yahoo.com/index.html&.src=my
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [17B1E2D8] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\RunServices: [FD84C99D] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\ramleela\LOCALS~1\Temp\B.tmp
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - Startup: svchost.exe
O4 - Startup: dgyrwydy.t
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: fNSXYZETUiRVqZXRt - {8C5CFB61-26F6-51CB-D212-F7928FC48082} - C:\WINDOWS\System32\kdcy.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - C:\WINDOWS\System32\icf.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
krrajesh,

Thank you for the unwrapped log. It would have been better if it were a current log; the one you posted was dated on Christmas day. Nevertheless, let's work with what's in hand.

First off, I have to inform you that your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you that we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution will be like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.


--------------------


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. Read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.



-------------------


1. Download this file - http://download.bleepingcomputer.com/sUBs/zh/combofix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop


2. Go to Start → Run → paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /v instcat winsys2f


3. When finished, it will produce a log for you. Post that log before proceeding with the rest of the instructions.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download - ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe & save it on your desktop. We will be using it later.

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Start HiJackThis & go to Config... → Misc.Tools → Delete an NT service
  • In the popup box that appears, copy/paste ICF
  • Click on the OK button & answer No if prompted to reboot
Repeat the above steps for these other services :-
  • MsaSvc

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [17B1E2D8] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\RunServices: [FD84C99D] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\ramleela\LOCALS~1\Temp\B.tmp
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - Startup: svchost.exe
O4 - Startup: dgyrwydy.t
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: fNSXYZETUiRVqZXRt - {8C5CFB61-26F6-51CB-D212-F7928FC48082} - C:\WINDOWS\System32\kdcy.dll
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - C:\WINDOWS\System32\icf.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\System32\svohost.exe
    C:\WINDOWS\System32\drivers\svchost.exe
    C:\Windows\xpupdate.exe
    C:\winstall.exe
    C:\WINDOWS\System32\pmhaaeu.exe
    C:\WINDOWS\System32\swchost.exe
    C:\WINDOWS\System32\testtestt.exe
    C:\WINDOWS\System32\syspools.exe
    C:\WINDOWS\System32\kdcy.dll
    C:\WINDOWS\System32\icf.exe
    C:\WINDOWS\System32\msasvc.exe

    Do a Search for these .....

    teekids.exe
    mslaugh.exe


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

** The scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Perform an online scan using Internet Explorer at http://www.pandasoftware.com/products/activescan.htm
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now. This begins downloading Panda's 8 MB ActiveX controls.
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * *


We will require another ComboFix log. Run it by simply double-clicking on combofix.exe.


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • a fresh HijackThis log taken just before replying
  • ComboFix
  • Dr.Web
  • the online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
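The entries the helper singled out for "Fix checked" above were picked by eye, from the kind of tells a log reader learns to spot. The script below is an added example, not a tool from this thread or from the HijackThis or ComboFix authors; it encodes those same judgement calls as heuristics (a file name one character away from a system binary, a system binary name outside System32, a loader in Temp or the root of a drive, the Win9x-era RunServices key, an all-hex or Microsoft-sounding value name on an unknown file, a Winlogon Notify DLL outside System32, a service with no publisher or a missing file) and runs them over lines copied from the posted log, including three benign ones that must not trip. The allow-lists of system names, folders and extensions are assumptions chosen for the illustration, and a hit marks an entry for review, not proof that it is malicious.

```python
"""Heuristic triage of HijackThis v1.99 log entries (added example, see lead-in)."""
import ntpath
import re
from typing import List, Tuple

# Assumed allow-lists for the illustration: binaries malware likes to imitate,
# the folders the genuine copies live in, and extensions a logon item normally has.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}
PROGRAM_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".lnk", ".dll"}

O4_REG = re.compile(r"^O4 - (HKLM|HKCU|HKU\S*)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
O4_DIR = re.compile(r"^O4 - (?:Global )?Startup: (.+?)(?: = (.+))?$")
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: \S+ - (.+)$")
O23_SVC = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Constructed sample: lines copied from the log posted in this thread, including
# three benign ones (igfxtray, igfxcui, C-DillaSrv) that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [17B1E2D8] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\ramleela\LOCALS~1\Temp\B.tmp
O4 - Startup: svchost.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - C:\WINDOWS\System32\icf.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
"""


def looks_like(name: str, real: str) -> bool:
    """True when `name` is `real` with one char changed, dropped, added or swapped."""
    if name == real:
        return False
    if len(name) == len(real):
        d = [i for i, (a, b) in enumerate(zip(name, real)) if a != b]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                               and name[d[0]] == real[d[1]] and name[d[1]] == real[d[0]])
    if abs(len(name) - len(real)) == 1:
        short, long_ = sorted((name, real), key=len)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False


def target_of(cmd: str) -> str:
    """Strip surrounding quotes and trailing switches from a Run value to get the file path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.\w{1,4})(?:\s+[-/].*)?$", cmd)
    return m.group(1) if m else cmd


def file_reasons(path: str, value_name: str = "") -> List[str]:
    """Heuristics on one launched file (and, for registry entries, its value name)."""
    p = path.lower()
    name, folder = ntpath.basename(p), ntpath.dirname(p)
    out = [f"name imitates {real}" for real in sorted(SYSTEM_NAMES) if looks_like(name, real)]
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        out.append("system binary name outside its normal folder")
    if "\\temp\\" in p:
        out.append("runs from a Temp folder")
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        out.append("runs from the root of a drive")
    if ntpath.splitext(name)[1] not in PROGRAM_EXT:
        out.append("not a normal program extension")
    if re.fullmatch(r"[0-9a-f]{8}", value_name.lower()):
        out.append("random hex value name")
    if re.search(r"microsoft|windows", value_name, re.I) and not p.startswith("c:\\program files\\"):
        out.append("Microsoft-sounding value name; verify the target is a genuine Microsoft file")
    return out


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (entry, reasons) for every log line that trips at least one heuristic."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        reasons: List[str] = []
        if m := O4_REG.match(line):
            _hive, key, value_name, cmd = m.groups()
            if key.lower() == "runservices":
                reasons.append("persists via the Win9x-era RunServices key")
            reasons += file_reasons(target_of(cmd), value_name)
        elif m := O4_DIR.match(line):
            reasons += file_reasons(m.group(2) or m.group(1))   # Startup folder item
        elif m := F2_SHELL.match(line):
            programs = m.group(1).split()                        # assumes no spaces in the paths
            if not programs or programs[0].lower() != "explorer.exe" or len(programs) > 1:
                reasons.append("Shell= launches something besides explorer.exe")
                reasons += [r for extra in programs[1:] for r in file_reasons(extra)]
        elif m := O20_NOTIFY.match(line):
            if ntpath.dirname(m.group(1).lower()) not in SYSTEM_DIRS:
                reasons.append("Winlogon Notify DLL outside System32")
        elif m := O23_SVC.match(line):
            _svc, owner, path = m.groups()
            if owner.lower() == "unknown owner":
                reasons.append("service binary carries no publisher information")
            if path.endswith("(file missing)"):
                reasons.append("service points at a file that no longer exists")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run it as-is and it prints each flagged line with its reasons; feed it a whole log via `triage(open(path).read())`. Note what it deliberately does not do: it says nothing about the O17 NameServer entries, because a DNS server address is only suspicious once compared with what the ISP actually hands out, and it cannot tell a trojanised instcat.dll in System32 from a clean one, which is why the helper passed that name to ComboFix's /v switch rather than judging it from the path.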
IMPORTANT!:


Before we can proceed any further, please visit http://v4.windowsupdate.microsoft.com/default.asp and install ALL Critical Updates for your system (except Service Pack 2 (SP2)). SP2 should only be installed on a fully disinfected system. At the minimum, install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately it is also this forum's policy that we only address users with a legal copy of Windows XP; therefore, if you cannot update Windows XP to SP1, we must stop the cleansing process here.


**Note** If you're having trouble locating SP1a, here is a direct link to download it:

http://download.microsoft.com/download/5/4/f/54f8bcf8-bb4d-4613-8ee7-db69d01735ed/xpsp1a_en_x86.exe



Thank you for your cooperation.
Attached below are the ComboFix log and HijackThis log, in that order.
************** ComboFix Start**********************
ComboFix 06-12-29W-BetaE2 - Running from: "C:\Documents and Settings\ramleela\desktop"
Command switches used :: /v instcat winsys2f

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ramleela\Application Data\Install.dat
C:\INSTALL.LOG
C:\WINDOWS\emdat.tm
C:\WINDOWS\emdat.tmp
C:\WINDOWS\system32\SVOHOST.exe
C:\WINDOWS\dembat.tm
C:\Documents and Settings\All Users.WINDOWS\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2006-12-02 to 2007-01-02 ))))))))))))))))))))))))))))))))))


2007-01-02 17:28 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-02 17:07 21,088 --a------ C:\WINDOWS\system32\swchost.exe
2007-01-01 15:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2006-12-28 22:26 7,680 --a------ C:\WINDOWS\system32\adorros.dll
2006-12-28 22:26 15,872 --a------ C:\WINDOWS\prntsvr.dll
2006-12-28 22:24 <DIR> d--hs---- C:\FOUND.000
2006-12-25 06:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2006-12-23 15:53 <DIR> d-------- C:\WINDOWS\BBSTORE
2006-12-17 11:48 5,935,148 --a------ C:\WINDOWS\macromix.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-27 08:51 -------- d-------- C:\Program Files\virtools
2006-11-26 13:12 -------- d-------- C:\Program Files\newsaver
2006-11-26 13:09 -------- d-------- C:\Program Files\idtrmaruti
2006-11-17 21:00 -------- d-------- C:\Program Files\directx
2006-11-17 20:59 -------- d-------- C:\Program Files\gamespy arcade


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"system spool"="C:\\WINDOWS\\System32\\syspools.exe"
"Microsoft Windows Update"="C:\\WINDOWS\\system32\\srshost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"PCTVOICE"="pctspk.exe"
"PV92TRAY"="PV92Tray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Microsoft Inet Xp.."="teekids.exe"
"Windows Automation"="mslaugh.exe"
"17B1E2D8"="C:\\WINDOWS\\System32\\pmhaaeu.exe"
"SoundMan"="SOUNDMAN.EXE"
"xor"="C:\\WINDOWS\\System32\\xor\\svchost.exe"
"DVDBitSet"="\"C:\\Program Files\\HP CD-DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"DVDTray"="\"C:\\Program Files\\HP CD-DVD\\Umbrella\\DVDTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DataLayer"="C:\\Program Files\\Nokia\\Nokia PC Suite 5\\DataLayer.exe"
"Nokia Tray Application"="C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclTray.exe"
"system spool"="C:\\WINDOWS\\System32\\syspools.exe"
"Microsoft Windows Update"="C:\\WINDOWS\\system32\\srshost.exe"
"load32"="C:\\WINDOWS\\System32\\swchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"FD84C99D"="C:\\WINDOWS\\System32\\pmhaaeu.exe"
"Microsoft Windows Update"="C:\\WINDOWS\\system32\\srshost.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"fNSXYZETUiRVqZXRt"="{8C5CFB61-26F6-51CB-D212-F7928FC48082}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft AUT Update"="MSlti32.exe"
"Microsoft Update"="msconfg.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Microsoft AUT Update"="MSlti32.exe"
"Microsoft Update"="msconfg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


Completion time: 07-01-02 17:31:33.18

************** ComboFix End **********************

************** Hijack This Start**********************

Logfile of HijackThis v1.99.1
Scan saved at 5:32:37 PM, on 1/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\System32\swchost.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ramleela\LOCALS~1\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [17B1E2D8] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [FD84C99D] C:\WINDOWS\System32\pmhaaeu.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] C:\WINDOWS\system32\srshost.exe
O4 - Startup: svchost.exe
O4 - Startup: dgyrwydy.t
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: fNSXYZETUiRVqZXRt - {8C5CFB61-26F6-51CB-D212-F7928FC48082} - C:\WINDOWS\System32\kdcy.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

************** Hijack This End **********************
FYI, after cure it, looks like things are much better! Thanks a lot. I used to have an IE instance open that could not be killed, now I'm able to end the process.

Attached below is the Dr Cure It report. Pls let me know your comments.

A0236957.DLL;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0237083.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.HLLW.MyBot.based;Deleted.;
A0237084.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Trojan.MulDrop.899;Deleted.;
A0237085.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Trojan.MulDrop.899;Deleted.;
A0237086.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;BackDoor.Dumaru;Deleted.;
A0237087.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.HLLW.Agobot;Deleted.;
A0237088.dll;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Trojan.Proxy.133;Deleted.;
A0237089.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.HLLW.Mixer.1;Deleted.;
A0237090.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.HLLW.Agobot;Deleted.;
A0237091.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;BackDoor.Dumaru;Deleted.;
A0237274.exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237275.Exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237276.exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237277.exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237278.exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237279.EXE;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237280.EXE;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237281.EXE;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237282.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237283.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237284.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237285.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237286.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237287.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237288.Exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237289.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237290.exe;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237291.EXE;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237292.EXE;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237293.exe;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237294.exe;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;


Regards,

Rajesh
In your next post, please include fresh logs from:
  • Fresh HijackThis log taken just before replying
  • ComboFix
  • Dr.Web
  • Online Scan
May I have ALL the requested logs. Take note that there should be 2 Combofix logs.

There's too much delay in between replies. Malware will not sit quietly & wait to be removed. They will multiply.
Sorry for the delays, I'm able to spend only about an hour a day on the PC.

From tomorrow (Friday) I should be able to spend more time at a stretch.

Thanks for all the help.
Here are the logs :
*****************HijackThis Starts**********************
Logfile of HijackThis v1.99.1
Scan saved at 5:14:54 PM, on 1/4/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ramleela\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] C:\WINDOWS\system32\srshost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C718019-23C1-407E-AECA-C68F26A2E3C9}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: fNSXYZETUiRVqZXRt - {8C5CFB61-26F6-51CB-D212-F7928FC48082} - C:\WINDOWS\System32\kdcy.dll (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

*****************HijackThis END**********************

*****************ComboFix Starts **********************
ComboFix 06-12-29W-BetaE2 - Running from: "C:\Documents and Settings\ramleela\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))


2007-01-03 17:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-03 17:46 <DIR> d-------- C:\WINDOWS\LastGood
2007-01-02 18:09 <DIR> d-------- C:\DOCUME~1\ramleela\DoctorWeb
2007-01-02 17:28 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-01 15:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2006-12-28 22:24 <DIR> d--hs---- C:\FOUND.000
2006-12-25 06:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2006-12-23 15:53 <DIR> d-------- C:\WINDOWS\BBSTORE
2006-12-17 11:48 5,935,148 --a------ C:\WINDOWS\macromix.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-27 08:51 -------- d-------- C:\Program Files\virtools
2006-11-26 13:12 -------- d-------- C:\Program Files\newsaver
2006-11-26 13:09 -------- d-------- C:\Program Files\idtrmaruti
2006-11-17 21:00 -------- d-------- C:\Program Files\directx
2006-11-17 20:59 -------- d-------- C:\Program Files\gamespy arcade


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DVDBitSet"="\"C:\\Program Files\\HP CD-DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"DVDTray"="\"C:\\Program Files\\HP CD-DVD\\Umbrella\\DVDTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DataLayer"="C:\\Program Files\\Nokia\\Nokia PC Suite 5\\DataLayer.exe"
"Nokia Tray Application"="C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclTray.exe"
"system spool"="C:\\WINDOWS\\System32\\syspools.exe"
"Microsoft Windows Update"="C:\\WINDOWS\\system32\\srshost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"fNSXYZETUiRVqZXRt"="{8C5CFB61-26F6-51CB-D212-F7928FC48082}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft AUT Update"="MSlti32.exe"
"Microsoft Update"="msconfg.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Microsoft AUT Update"="MSlti32.exe"
"Microsoft Update"="msconfg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


Completion time: 07-01-04 1:06:06.95
C:\ComboFix2.txt ... 07-01-02 17:31
*****************ComboFix END**********************

*****************Active Scan Starts**********************
Incident Status Location

Virus:bck/dumador.o Disinfected Operating system
Virus:trj/dumaru.q Disinfected Operating system
Virus:bck/dumador.da Disinfected Operating system
Virus:trj/qhost.gen Disinfected Operating system
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\ramleela\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ramleela\Cookies\[email protected][2].txt
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070101-153751.backup
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\a
Spyware:Cookie/Bridgetrack Not disinfected C:\FOUND.016\FILE0001.CHK
Spyware:Cookie/Serving-sys Not disinfected D:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected D:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys Not disinfected D:\WINDOWS\Cookies\[email protected][2].txt
Hacktool:Exploit/iFrame Not disinfected Local Folders\Sent Items\Old Sent items\strange message from mail server - URGENT

*****************Active Scan END**********************

*****************Cure It Starts**********************

A0236957.DLL;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0237083.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.HLLW.MyBot.based;Deleted.;
A0237084.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Trojan.MulDrop.899;Deleted.;
A0237085.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Trojan.MulDrop.899;Deleted.;
A0237086.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;BackDoor.Dumaru;Deleted.;
A0237087.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.HLLW.Agobot;Deleted.;
A0237088.dll;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Trojan.Proxy.133;Deleted.;
A0237089.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.HLLW.Mixer.1;Deleted.;
A0237090.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.HLLW.Agobot;Deleted.;
A0237091.exe;C:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;BackDoor.Dumaru;Deleted.;
A0237274.exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237275.Exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237276.exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237277.exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237278.exe;D:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237279.EXE;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237280.EXE;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237281.EXE;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237282.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237283.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237284.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237285.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237286.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237287.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237288.Exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237289.exe;E:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237290.exe;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237291.EXE;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237292.EXE;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237293.exe;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;
A0237294.exe;F:\System Volume Information\_restore{56645FE7-6EF3-43CE-8B9F-EB34CA7BCDF5}\RP474;Win32.Dref;Cured.;

*****************Cure It END**********************
Reboot to Safe Mode & delete the following files, if present:

C:\WINDOWS\System32\syspools.exe
C:\WINDOWS\system32\srshost.exe
C:\WINDOWS\System32\kdcy.dll
C:\WINDOWS\System32\MSlti32.exe
C:\WINDOWS\System32\msconfg.exe


Make sure that you're able to view Hidden files
From Windows Explorer, go to Tools → Folder Options → View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK

-------------------


After you have done that, reboot back to Normal mode

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"system spool"=-
"Microsoft Windows Update"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"fNSXYZETUiRVqZXRt"=-

[-HKEY_CLASSES_ROOT\CLSID\{8C5CFB61-26F6-51CB-D212-F7928FC48082}]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft AUT Update"=-
"Microsoft Update"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Microsoft AUT Update"=-
"Microsoft Update"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=-
Save this as fix.reg. Choose "Save as type - All Files".
It should look like this:

Double click on fix.reg & allow it to merge into the registry


-------------------


This next bit should be performed after you have updated your OS to Service Pack 1A
Please assist me in helping you.
You may download SP1 directly from here → http://download.microsoft.com/download/5/4/f/54f8bcf8-bb4d-4613-8ee7-db69d01735ed/xpsp1a_en_x86.exe


When that's accomplished, reboot the machine before giving combofix another go. I shall require the log that it produces.
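The second ComboFix log requested above is where you confirm that fix.reg actually removed its targets. As an added example (my code, not the thread's and not part of ComboFix or HijackThis), this script parses a REGEDIT4 removal file and the "Reg Loading Points" section of a ComboFix log and reports which targeted values or keys are still present; the sample dumps are abridged from this thread's own logs, and the bare-filename heuristic is my own triage check, not something ComboFix performs.

```python
# Added example: check a REGEDIT4 fix against a ComboFix "Reg Loading Points" dump.
import re

_KEY = re.compile(r'^\[(-?)(.+)\]$')        # [KEY] or [-KEY]
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')    # "name"=data


def parse_reg_dump(text):
    """'[KEY]' / '"name"=data' lines -> {key.lower(): {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        k, v = _KEY.match(line), _VALUE.match(line)
        if k:
            current = k.group(2).lower()
            keys.setdefault(current, {})
        elif v and current is not None:
            keys[current][v.group(1)] = v.group(2)  # unquoted REG_MULTI_SZ lines are skipped
    return keys


def parse_fix(text):
    """REGEDIT4 removals: '"name"=-' deletes a value, '[-KEY]' deletes a whole key."""
    values, dkeys, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        k, v = _KEY.match(line), _VALUE.match(line)
        if k:
            if k.group(1) == '-':
                dkeys.append(k.group(2).lower())
                current = None
            else:
                current = k.group(2).lower()
        elif v and current and v.group(2) == '-':
            values.append((current, v.group(1)))
    return values, dkeys


def remaining(dump_text, fix_text):
    """Targets of the fix still present in the dump; [] means the fix took."""
    dump = parse_reg_dump(dump_text)
    values, dkeys = parse_fix(fix_text)
    left = [(k, n, dump[k][n]) for k, n in values if n in dump.get(k, {})]
    return left + [(k, None, None) for k in dkeys if k in dump]


def bare_filename_loadpoints(dump_text):
    """Run/RunOnce/RunServices values that give only a file name, no directory.
    'MSlti32.exe' and 'msconfg.exe' in the thread are of this kind, but so is the
    legitimate 'Narrator.exe', so treat the result as triage input (my heuristic)."""
    hits = []
    for key, vals in parse_reg_dump(dump_text).items():
        if re.search(r'\\run(once|services)?$', key):
            hits += [(key, n, d) for n, d in vals.items() if '\\' not in d.strip('"')]
    return hits


# Abridged from the fix.reg posted in the thread.
FIX = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"system spool"=-
"Microsoft Windows Update"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"fNSXYZETUiRVqZXRt"=-
[-HKEY_CLASSES_ROOT\CLSID\{8C5CFB61-26F6-51CB-D212-F7928FC48082}]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft AUT Update"=-
"Microsoft Update"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=-
"""

# Abridged from the 1/4 ComboFix log (before the fix).
BEFORE = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DataLayer"="C:\\Program Files\\Nokia\\Nokia PC Suite 5\\DataLayer.exe"
"system spool"="C:\\WINDOWS\\System32\\syspools.exe"
"Microsoft Windows Update"="C:\\WINDOWS\\system32\\srshost.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"fNSXYZETUiRVqZXRt"="{8C5CFB61-26F6-51CB-D212-F7928FC48082}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft AUT Update"="MSlti32.exe"
"Microsoft Update"="msconfg.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001
"""

# Abridged from the 1/7 ComboFix log (after the fix).
AFTER = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DataLayer"="C:\\Program Files\\Nokia\\Nokia PC Suite 5\\DataLayer.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"""
```

Run `remaining(BEFORE, FIX)` and `remaining(AFTER, FIX)` on the two logs: the first lists all six targeted values, the second is empty, which is the result the helper is looking for in the post-fix log.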
Note: I have not been able to install Service Pack 1a. The system complains that the license is an issue. I will get it checked with the vendor and install the Service Pack.

Attached below is the ComboFix log after all the steps mentioned were carried out.

Thank you for all the help till now.


ComboFix 06-12-29W-BetaE2 - Running from: "C:\Documents and Settings\ramleela\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))


2007-01-03 17:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-02 18:09 <DIR> d-------- C:\DOCUME~1\ramleela\DoctorWeb
2007-01-02 17:28 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-01 15:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2006-12-28 22:24 <DIR> d--hs---- C:\FOUND.000
2006-12-25 06:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2006-12-23 15:53 <DIR> d-------- C:\WINDOWS\BBSTORE
2006-12-17 11:48 5,935,148 --a------ C:\WINDOWS\macromix.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-27 08:51 -------- d-------- C:\Program Files\virtools
2006-11-26 13:12 -------- d-------- C:\Program Files\newsaver
2006-11-26 13:09 -------- d-------- C:\Program Files\idtrmaruti
2006-11-17 21:00 -------- d-------- C:\Program Files\directx
2006-11-17 20:59 -------- d-------- C:\Program Files\gamespy arcade


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DVDBitSet"="\"C:\\Program Files\\HP CD-DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"DVDTray"="\"C:\\Program Files\\HP CD-DVD\\Umbrella\\DVDTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DataLayer"="C:\\Program Files\\Nokia\\Nokia PC Suite 5\\DataLayer.exe"
"Nokia Tray Application"="C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


Completion time: 07-01-07 11:57:39.45
C:\ComboFix3.txt ... 07-01-02 17:31
C:\ComboFix2.txt ... 07-01-04 01:06