ComboFix log:
ComboFix 08-07-15.4 - michael stevic 2008-07-17 14:20:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.99 [GMT 10:00]
Running from: C:\Documents and Settings\michael stevic\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\a.bat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Program Files\AntiMalwareGuard
C:\Program Files\System Doctor Free
C:\Program Files\System Doctor Free\st.dat
C:\WINDOWS\braviax.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\s32.txt
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\2search.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\dlha\mstask32.com
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\ws386.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASPIMGR
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.
2008-07-17 11:59 . 2008-07-17 11:59 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-17 11:09 . 2008-07-17 11:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 10:14 . 2008-07-17 10:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-17 09:58 . 2008-07-17 09:58 <DIR> d-------- C:\Program Files\CCleaner
2008-07-10 17:30 . 2008-07-10 17:30 15,676 --a------ C:\Program Files\Common Files\jinoro.bin
2008-07-03 13:21 . 2008-07-03 13:21 17,229 --a------ C:\Documents and Settings\michael stevic\Application Data\temexu.sys
2008-06-23 11:08 . 2008-06-23 11:08 19,177 --a------ C:\WINDOWS\ojuji.vbs
2008-06-23 11:08 . 2008-06-23 11:08 18,692 --a------ C:\Program Files\Common Files\jerifilebu.scr
2008-06-23 11:08 . 2008-06-23 11:08 17,839 --a------ C:\WINDOWS\hikonov.ban
2008-06-23 11:08 . 2008-06-23 11:08 17,262 --a------ C:\WINDOWS\SYSTEM32\iwic.bin
2008-06-23 11:08 . 2008-06-23 11:08 16,241 --a------ C:\WINDOWS\SYSTEM32\yhofyvi.pif
2008-06-23 11:08 . 2008-06-23 11:08 15,558 --a------ C:\WINDOWS\lijavara.com
2008-06-23 11:08 . 2008-06-23 11:08 14,475 --a------ C:\Documents and Settings\All Users\Application Data\xywusyzu.scr
2008-06-23 11:08 . 2008-06-23 11:08 14,342 --a------ C:\WINDOWS\iqiw.exe
2008-06-23 11:08 . 2008-06-23 11:08 13,904 --a------ C:\Program Files\Common Files\nakac.reg
2008-06-23 11:08 . 2008-06-23 11:08 12,312 --a------ C:\WINDOWS\jepetahebu.inf
2008-06-23 11:08 . 2008-06-23 11:08 10,692 --a------ C:\WINDOWS\obelaw.dl
2008-06-23 11:08 . 2008-06-23 11:08 10,581 --a------ C:\Documents and Settings\michael stevic\Application Data\aqylufa.bat
2008-06-23 11:08 . 2008-06-23 11:08 10,137 --a------ C:\WINDOWS\terohulun.exe
2008-06-23 11:07 . 2008-06-23 11:07 19,061 --a------ C:\WINDOWS\zyte.db
2008-06-23 11:07 . 2008-06-23 11:07 16,687 --a------ C:\WINDOWS\sigiky.bin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 02:48 --------- d-----w C:\Program Files\WebSiteViewer
2008-07-17 02:41 --------- d-----w C:\Program Files\2search.old
2008-06-24 03:56 --------- d-----w C:\Program Files\LimeWire
2008-06-24 03:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-05-23 08:05 --------- d-----w C:\Program Files\AOL 7.0a
2006-11-07 06:32 35,072 ----a-w C:\Documents and Settings\michael stevic\Application Data\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------
2003-07-17 06:47 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\SYSTEM32\svchost.exe
2003-07-17 06:47 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
2003-07-17 06:49 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\SYSTEM32\user32.dll
2003-07-17 06:49 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2003-07-17 06:53 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\SYSTEM32\ws2_32.dll
2003-07-17 06:53 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\SYSTEM32\DLLCACHE\ws2_32.dll
2003-07-17 06:51 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\SYSTEM32\wininet.dll
2003-07-17 06:51 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2003-07-17 06:47 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2003-07-17 06:47 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
2003-07-17 06:51 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\SYSTEM32\winlogon.exe
2003-07-17 06:51 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe
2003-03-06 10:30 162432 09b38768036508b51564201afb000950 C:\WINDOWS\Driver Cache\i386\ndis.sys
2003-03-06 10:30 162432 09b38768036508b51564201afb000950 C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys
2003-03-06 10:30 162432 09b38768036508b51564201afb000950 C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys
2003-07-17 06:46 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2003-07-17 06:39 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2003-07-17 06:28 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\explorer.exe
2003-07-17 06:28 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
2003-07-17 06:44 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\SYSTEM32\services.exe
2003-07-17 06:44 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\SYSTEM32\DLLCACHE\services.exe
2003-07-17 06:32 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\SYSTEM32\lsass.exe
2003-07-17 06:32 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\SYSTEM32\DLLCACHE\lsass.exe
2003-07-17 06:26 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\SYSTEM32\ctfmon.exe
2003-07-17 06:26 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2003-07-17 06:46 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\SYSTEM32\spoolsv.exe
2003-07-17 06:46 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\SYSTEM32\DLLCACHE\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48 32881]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-04 14:18 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-25 10:38 155648]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-17 06:23 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-07-17 06:23 455168]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-07-17 06:22 59392]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2002-08-29 07:00 208953]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 13:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 13:51 118784]
"{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}"="C:\program files\Telstra\Signup\tbpt.exe" [2000-10-20 23:06 81920]
"XCSyncML"="C:\WINDOWS\System32\XCSyncML.exe" [2005-07-14 10:07 135168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03 278528]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 21:32 53248]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-02-01 12:52 366400]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2003-07-17 06:37 51200 C:\WINDOWS\SYSTEM32\narrator.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AOL 7.0 Tray Icon.lnk - C:\Program Files\AOL 7.0a\aoltray.exe [2004-08-04 14:17:44 32839]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lLh$vùõš/‚²ÆßfÏNbC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lLh$vùõš/‚²ÆßfÏNbC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lLh$vùõš/‚²ÆßfÏNbC:\Program Files\ISTsvc
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\NEC\\NEC Mobile Suite\\CommsService.exe"=
"<NO NAME>"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-05-16 09:20]
S3 flatbus;NEC WMC USB_BK1 Composite Device driver (WDM);C:\WINDOWS\System32\DRIVERS\flatbus.sys [2005-07-07 14:39]
S3 flatmdfl;NEC WMC USB_BK1 Modem Filter;C:\WINDOWS\System32\DRIVERS\flatmdfl.sys [2005-07-07 14:39]
S3 flatmdm;NEC WMC USB_BK1 Modem Drivers;C:\WINDOWS\System32\DRIVERS\flatmdm.sys [2005-07-07 14:39]
S3 flatobex;NEC WMC USB_BK1 OBEX Interface Drivers (WDM);C:\WINDOWS\System32\DRIVERS\flatobex.sys [2005-07-07 14:39]
S3 HSFHWCD2;HSFHWCD2;C:\WINDOWS\System32\DRIVERS\HSFHWCD2.sys [2002-03-14 20:47]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Webcam Enhance V2.1]
C:\WINDOWS\runtfs32.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 10:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Task Scheduler - C:\WINDOWS\System32\dlha\mstask32.com
HKLM-Run-Microsoft Task Scheduler - C:\WINDOWS\System32\dlha\mstask32.com
MSConfigStartUp-istsvc - C:\WINDOWS\joigj.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-07-17 14:25:01
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-07-17 14:30:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-17 04:30:22
Pre-Run: 27,165,372,416 bytes free
Post-Run: 27,149,295,616 bytes free
169
HijackThis (HJT) log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:50 PM, on 17/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\program files\Telstra\Signup\tbpt.exe
C:\WINDOWS\System32\XCSyncML.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL 7.0a\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [XCSyncML] C:\WINDOWS\System32\XCSyncML.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.telstra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 5347 bytes
Can I also empty avast's Virus Chest (its quarantine)? There are over 500 detections in it from the scan.