vegetasharma (India) asked:

Killer.exe Trojan, the firewall killer

OS: Windows XP SP2

The virus named killer.exe resides at c:\windows\killer.exe, and it is a firewall killer which does not let me install most anti-virus and spyware tools.

Please help me to get rid of this.

I tried KillBox, XoftSpySE, Spy Sweeper, Ad-Aware, and Spybot S&D without success.
Please, I badly need your help.
Umbi replied:

First off, make sure you boot into Safe Mode when you try to delete the .exe.

Then check your registry to make sure it's not loading when you boot:
run regedit and check the hkey_local_machine\software\microsoft\windows\currentversion\run folder to see if killer.exe is trying to load from there; if it is, delete the key (back up your registry before you make any changes).
Also check your startup programs from the Start button: Start - Programs - Startup.

Once you've managed to stop it from loading, you can boot up normally and install AV software to fully remove it.
top_rung replied:

Also, as a tool, you can install 'Autoruns' from Sysinternals...

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Once in Safe Mode as suggested, follow the instructions posted here (specifically the section titled "How to Remove These Infections")...

http://www.bleepingcomputer.com/tutorials/tutorial101.html
SDFix will also remove this, I believe...

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads, the fixtool will complete the removal and display "Finished".
Press any key to end the script and to load your desktop icons.


Please follow the instructions below to run ComboFix.
Download this file - http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Attach this log in the thread you are working in.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Also try running IceSword and try deleting that file. Seems like a rootkit; if it doesn't delete, try in Safe Mode.
http://sheiky.net/tools/icesword.exe
vegetasharma (ASKER) replied:

The file is too dangerous. The file killer.exe does not let me open regedit.
As I told you, it is a firewall killer, you know :)

But thanks for posting in this thread. You guys gave me new solutions; now let me try all of these.

I will let you know, ok??

HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:28 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\killer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\smss.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe
D:\oracle\ora90\bin\agntsrvc.exe
D:\oracle\ora90\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
D:\oracle\ora90\bin\dbsnmp.exe
d:\oracle\ora90\bin\ORACLE.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\JetAudio\JetAudio.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [wsaeclt] C:\WINDOWS\wsaeclt.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [SNM] "C:\Program Files\SpyNoMore\SNM.exe" /startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe"
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: lsass.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{259412EA-5E26-49A5-9ED1-87A3A56BDE8D}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS2\Services\Tcpip\..\{259412EA-5E26-49A5-9ED1-87A3A56BDE8D}: NameServer = 218.248.240.23 218.248.240.135
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\system32\hsppp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation - D:\oracle\ora90\bin\xsolap.exe
O23 - Service: Oracle OLAP Agent - Unknown owner - D:\oracle\ora90\bin\xsaagent.exe
O23 - Service: OracleOraHome90Agent - Oracle Corporation - D:\oracle\ora90\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - D:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: OracleOraHome90PagingServer - Unknown owner - D:\oracle\ora90/bin/pagntsrv.exe
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora90\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora90\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome90TNSListener - Unknown owner - D:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: OracleServiceVEGETA - Oracle Corporation - d:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - D:\oracle\ora90\bin\osagent.exe

--
End of file - 7737 bytes
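The log above contains the persistence points this thread is chasing: the system.ini Shell= value carrying killer.exe next to explorer.exe, a copy of smss.exe running from C:\WINDOWS instead of system32, and an lsass.exe sitting in the All Users Startup folder. As an added example that is not part of the thread and not HijackThis code, the following Python script applies exactly those two defender checks to a constructed subset of the posted log lines:

```python
"""Triage a HijackThis-style log for the persistence tricks seen in this thread.

Added example, not part of the thread and not HijackThis code. Checks:
  1. the Shell= value (system.ini / Winlogon) carrying anything besides explorer.exe;
  2. a core Windows process name (smss.exe, lsass.exe, ...) running from, or
     autostarted from, any directory other than the system32 directory.
"""
import re
from pathlib import PureWindowsPath

# Core processes that only legitimately live in %SystemRoot%\system32.
CORE_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\smss.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe

F2 - REG:system.ini: Shell=explorer.exe, killer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: lsass.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>\w+)=(?P<val>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.*)$")


def shell_extras(value: str) -> list:
    """Everything in a Shell= value other than explorer.exe (the only legit entry)."""
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and p.lower() != "explorer.exe"]


def image_path(cmd: str) -> str:
    """Best-effort executable path from an autostart command. Handles a quoted
    path followed by arguments, 'shortcut.lnk = target', and an unquoted path."""
    if " = " in cmd:                      # startup-folder shortcut: use its target
        cmd = cmd.split(" = ", 1)[1]
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def is_impostor(path: str) -> bool:
    """True when a core process name sits anywhere but a system32 directory.
    A bare file name (e.g. 'lsass.exe' in a startup folder) counts as an impostor."""
    p = PureWindowsPath(path)
    if p.name.lower() not in CORE_PROCESS_NAMES:
        return False
    return not str(p.parent).lower().endswith("\\system32")


def triage(log_text: str) -> list:
    """Return (reason, offending line) pairs for every suspicious entry."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False             # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if is_impostor(line):
                findings.append(("core process name running outside system32", line))
            continue
        m = F2_RE.match(line)
        if m and m.group("key").lower() == "shell":
            for extra in shell_extras(m.group("val")):
                findings.append((f"extra Shell entry: {extra}", line))
            continue
        m = O4_RE.match(line)
        if m and is_impostor(image_path(m.group("cmd"))):
            findings.append(("autostart entry impersonates a core process", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[!] {reason}: {line}")
```

Running it against the sample flags five lines: the Shell= extra, the two impostor processes, the HKCU Runonce entry and the bare lsass.exe in Global Startup, while the legitimate system32 processes and vendor autostarts pass.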
This is the log of ComboFix:

ComboFix 08-01-15.4 - abc 2008-01-15 18:47:07.1 - [color=red][b]FAT32[/b][/color]x86
Running from: C:\Documents and Settings\abc\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
[color=purple]The following files were disabled during the run:[/color]
C:\Program Files\NoAdware5.0\nutils.dll
C:\Program Files\NoAdware5.0\nutils.dll


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-15 to 2008-01-15  )))))))))))))))))))))))))))))))
.

2008-01-15 18:50 . 2008-01-15 18:50      <DIR>      d--------      C:\log
2008-01-15 18:46 . 2000-08-31 08:00      51,200      --a------      C:\WINDOWS\NirCmd.exe
2008-01-15 18:22 . 2008-01-15 18:22      <DIR>      d--------      C:\Program Files\NoAdware5.0
2008-01-15 17:17 . 2008-01-15 17:17      <DIR>      d--------      C:\WINDOWS\LastGood.Tmp
2008-01-15 17:11 . 2008-01-15 17:14      7,978      --a------      C:\WINDOWS\Ascd_tmp.ini
2008-01-15 17:11 . 2005-04-28 10:00      5,824      --a------      C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-01-15 15:18 . 2008-01-11 18:24      229,621      -rahs----      C:\WINDOWS\killer.exe
2008-01-15 14:56 . 2008-01-15 14:56      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-01-15 14:33 . 2008-01-15 18:50      144      -rahs----      C:\autorun.inf
2008-01-15 12:33 . 2008-01-15 12:33      <DIR>      d--hs----      C:\FOUND.005
2008-01-15 12:23 . 2008-01-15 12:23      <DIR>      d--------      C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\SUPERAntiSpyware.com
2008-01-15 11:29 . 2007-09-05 23:22      289,144      --a------      C:\WINDOWS\system32\VCCLSID.exe
2008-01-15 11:29 . 2006-04-27 16:49      288,417      --a------      C:\WINDOWS\system32\SrchSTS.exe
2008-01-15 11:29 . 2007-12-20 23:11      81,920      --a------      C:\WINDOWS\system32\IEDFix.exe
2008-01-15 11:29 . 2003-06-05 20:13      53,248      --a------      C:\WINDOWS\system32\Process.exe
2008-01-15 11:29 . 2004-07-31 17:50      51,200      --a------      C:\WINDOWS\system32\dumphive.exe
2008-01-15 11:29 . 2007-10-03 23:36      25,600      --a------      C:\WINDOWS\system32\WS2Fix.exe
2008-01-15 10:48 . 2008-01-15 10:48      <DIR>      d--hs----      C:\FOUND.004
2008-01-15 09:52 . 2008-01-11 18:24      229,621      --a------      C:\WINDOWS\Funny UST Scandal.exe
2008-01-15 09:52 . 2008-01-11 18:24      229,621      -rahs----      C:\Funny UST Scandal.avi.exe
2008-01-14 22:50 . 2008-01-14 22:50      1,152      --a------      C:\WINDOWS\system32\windrv.sys
2008-01-14 21:42 . 2008-01-14 21:42      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\NETGATE
2008-01-14 19:14 . 2008-01-14 19:14      <DIR>      d--hs----      C:\FOUND.003
2008-01-14 18:58 . 2008-01-14 18:58      <DIR>      d--hs----      C:\FOUND.002
2008-01-14 14:19 . 2008-01-14 14:19      <DIR>      d--------      C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:19 . 2007-10-01 16:24      163,640      --a------      C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-14 14:19 . 2007-10-01 16:24      23,864      --a------      C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-14 14:19 . 2007-10-01 16:24      21,816      --a------      C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-14 14:19 . 2007-10-01 16:24      20,280      --a------      C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 14:18 . 2007-10-01 16:40      1,526,072      --a------      C:\WINDOWS\WRSetup.dll
2008-01-14 13:48 . 2008-01-14 13:48      <DIR>      d--------      C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06      <DIR>      d--------      C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45      <DIR>      d--------      C:\Program Files\XoftSpySE
2008-01-13 21:41 . 2008-01-13 21:41      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-13 19:51 . 2008-01-13 19:51      <DIR>      d--------      C:\Program Files\Lavasoft Ad-Aware
2008-01-13 14:15 . 2008-01-07 14:29      352      --ah-----      C:\WINDOWS\nod32fixtemdono.reg
2008-01-13 14:11 . 2008-01-13 14:11      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\ESET
2008-01-13 13:41 . 2008-01-13 13:41      <DIR>      d--------      C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:52 . 2006-05-25 14:52      162,304      --a------      C:\WINDOWS\system32\ztvunrar36.dll
2008-01-12 19:52 . 2003-02-02 19:06      153,088      --a------      C:\WINDOWS\system32\UNRAR3.dll
2008-01-12 19:52 . 2005-08-26 00:50      77,312      --a------      C:\WINDOWS\system32\ztvunace26.dll
2008-01-12 19:52 . 2002-03-06 00:00      75,264      --a------      C:\WINDOWS\system32\unacev2.dll
2008-01-12 19:52 . 2006-06-19 12:01      69,632      --a------      C:\WINDOWS\system32\ztvcabinet.dll
2008-01-12 19:44 . 2008-01-12 19:44      <DIR>      d--------      C:\Program Files\Enigma Software Group
2008-01-12 18:53 . 2004-05-11 10:56      423,784      --a------      C:\WINDOWS\system32\XceedBkp.dll
2008-01-12 18:53 . 2004-02-05 21:53      389,120      --a------      C:\WINDOWS\system32\ACTSKN43.OCX
2008-01-12 18:53 . 2001-07-28 13:50      265,753      --a------      C:\WINDOWS\system32\AS-Exp2.ocx
2008-01-12 18:53 . 2004-01-09 11:54      188,416      --a------      C:\WINDOWS\system32\actsplash.ocx
2008-01-12 18:53 . 2004-03-09 00:00      131,856      --a------      C:\WINDOWS\system32\MSADODC.ocx
2008-01-12 18:53 . 2000-07-15 06:00      101,888      --a------      C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-12 18:53 . 2001-03-28 23:02      89,088      --a------      C:\WINDOWS\system32\ProgressBar4.ocx
2008-01-12 18:53 . 2001-04-20 02:28      28,672      --a------      C:\WINDOWS\system32\systray.ocx
2008-01-12 18:53 . 1999-01-26 20:36      11,012      --a------      C:\WINDOWS\system32\threadapi.tlb
2008-01-12 18:48 . 2008-01-12 18:48      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 18:17 . 2008-01-12 18:21      16      --a------      C:\WINDOWS\QH32.INI
2008-01-12 18:08 . 2004-08-04 00:56      159,232      --a------      C:\WINDOWS\system32\ptpusd.dll
2008-01-12 18:08 . 2004-08-03 22:58      15,104      --a------      C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-12 18:08 . 2004-08-03 22:58      15,104      --a------      C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-12 18:08 . 2001-08-17 22:36      5,632      --a------      C:\WINDOWS\system32\ptpusb.dll
2008-01-12 13:40 . 2007-12-14 19:26      102,664      --a------      C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-12 12:59 . 2008-01-12 12:59      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-12 11:07 . 2008-01-12 11:07      <DIR>      d--hs----      C:\FOUND.001
2008-01-12 11:02 . 2008-01-12 11:03      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-06 17:18 . 2007-10-12 15:14      3,734,536      --a------      C:\WINDOWS\system32\d3dx9_36.dll
2008-01-06 17:18 . 2007-10-12 15:14      1,374,232      --a------      C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-06 17:18 . 2007-07-19 18:14      1,358,192      --a------      C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-06 17:18 . 2007-10-02 09:56      444,776      --a------      C:\WINDOWS\system32\d3dx10_36.dll
2008-01-06 17:18 . 2007-07-19 18:14      444,776      --a------      C:\WINDOWS\system32\d3dx10_35.dll
2008-01-06 17:18 . 2007-10-22 03:39      267,272      --a------      C:\WINDOWS\system32\xactengine2_10.dll
2008-01-06 17:18 . 2007-07-20 00:57      267,112      --a------      C:\WINDOWS\system32\xactengine2_9.dll
2008-01-06 12:25 . 2008-01-06 12:26      <DIR>      d--------      C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24      <DIR>      d--------      C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20      <DIR>      d--------      C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58      <DIR>      d--------      C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40      <DIR>      d--------      C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54      <DIR>      d--------      C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17      268      --ah-----      C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17      244      --ah-----      C:\sqmnoopt19.sqm
2007-12-30 09:53 . 2007-12-30 09:53      552      --a------      C:\WINDOWS\system32\d3d8caps.dat
2007-12-29 22:34 . 2007-12-29 22:34      268      --ah-----      C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34      244      --ah-----      C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43      268      --ah-----      C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43      244      --ah-----      C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17      <DIR>      d--------      C:\Program Files\WinAce
2007-12-29 17:16 . 2007-12-29 17:16      626      --a------      C:\WINDOWS\eReg.dat
2007-12-29 17:08 . 2007-12-29 17:08      <DIR>      d--------      C:\Program Files\EA GAMES
2007-12-29 16:45 . 2008-01-15 17:20      664      --a------      C:\WINDOWS\system32\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 08:07      715,248      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys
2008-01-12 12:48      45      ----a-w      C:\Program Files\InstErr.log
2008-01-11 12:54      229,621      --sha-r      C:\WINDOWS\smss.exe
2007-12-29 11:50      28,400      ----a-w      C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\JCreator
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22      ---------      d-----w      C:\Program Files\Xinox Software
2007-12-14 14:22      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-13 13:14      ---------      d-----w      C:\Program Files\Apache Software Foundation
2007-12-12 15:33      ---------      d-----w      C:\Program Files\Sun
2007-12-11 17:08      ---------      d-----w      C:\Program Files\IBM HTTP Server
2007-12-11 16:58      ---------      d-----w      C:\Program Files\IBM
2007-12-11 15:02      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 08:22      ---------      d-----w      C:\Program Files\pass4sure
2007-12-11 08:04      ---------      d-----w      C:\Program Files\ActualtestsEngine
2007-12-10 13:27      ---------      d-----w      C:\Program Files\VideoLAN
2007-12-10 13:27      ---------      d-----w      C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50      ---------      d-----w      C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56      ---------      d-----w      C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42      ---------      d-----w      C:\Program Files\DAEMON Tools
2007-11-28 06:44      ---------      d-----w      C:\Program Files\DivX
2007-11-27 17:00      499,712      ----a-w      C:\WINDOWS\system32\msvcp71.dll
2007-11-27 17:00      348,160      ----a-w      C:\WINDOWS\system32\msvcr71.dll
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Real
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\xing shared
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\Real
2007-11-27 15:02      ---------      d-----w      C:\Program Files\Oracle
2007-11-27 07:55      ---------      d-----w      C:\Program Files\Runtime Software
2007-11-27 07:44      ---------      d-----w      C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16      ---------      d-----w      C:\Program Files\Realtek
2007-11-27 07:15      315,392      ----a-w      C:\WINDOWS\HideWin.exe
2007-11-27 06:23      ---------      d-----w      C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36      ---------      d-----w      C:\Program Files\Google
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Java
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Common Files\Java
2007-11-26 16:11      ---------      d-----w      C:\Program Files\uTorrent
2007-11-26 15:39      ---------      d-----w      C:\Program Files\MCE
2007-11-26 15:18      ---------      d-----w      C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15      ---------      d-----w      C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09      ---------      d-----w      C:\Program Files\CyberLink
2007-11-26 14:09      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\CyberLink
2007-11-26 14:08      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-11-26 14:06      ---------      d-----w      C:\Program Files\Winamp
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Common Files\Ahead
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Ahead
2007-11-26 14:00      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-26 14:00      ---------      d-----w      C:\Program Files\JetAudio
2007-11-26 14:00      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2007-11-26 13:41      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-11-07 12:01      1,191,936      ----a-r      C:\WINDOWS\RtlUpd.exe
2007-11-06 05:20      16,855,552      ----a-r      C:\WINDOWS\RTHDCPL.exe
2007-10-21 22:07      17,928      ----a-w      C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-20 00:56      200,704      ----a-w      C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56      1,044,480      ----a-w      C:\WINDOWS\system32\libdivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-01-14 14:18      66912      --a------      C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-14 14:18      267592      --a------      C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2006-07-02 21:59 174163]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-28 11:25 171448]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 17:23 171464]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-28 21:31 497664]
"TridentTVIcon"="" []
"TridentVideoIcon"="" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 12:53 221568]
"SpyEmergency"="C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe" [ ]
"Runonce"="C:\WINDOWS\smss.exe" [2008-01-11 18:24 229621]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-27 22:30 185632]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"wsaeclt"="C:\WINDOWS\wsaeclt.exe" [ ]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 19:17 57344]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-13 20:17 92160]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]
"NWEReboot"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, killer.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\Explore\Command - C:\smss.exe
\Shell\Open\Command - C:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\Autoplay\Command - D:\smss.exe
\Shell\AutoRun\command - D:\smss.exe
\Shell\Explore\Command - D:\smss.exe
\Shell\Open\Command - D:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\Autoplay\Command - E:\smss.exe
\Shell\AutoRun\command - E:\smss.exe
\Shell\Explore\Command - E:\smss.exe
\Shell\Open\Command - E:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\Autoplay\Command - F:\smss.exe
\Shell\AutoRun\command - F:\smss.exe
\Shell\Explore\Command - F:\smss.exe
\Shell\Open\Command - F:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c0afd4-b5ec-11dc-a6f4-003018ab4469}]
\Shell\AutoRun\command - I:\fooool.exe
\Shell\explore\Command - I:\fooool.exe
\Shell\open\Command - I:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d253d3e-a550-11dc-a6af-003018ab4469}]
\Shell\AutoRun\command - I:\fooool.exe
\Shell\explore\Command - I:\fooool.exe
\Shell\open\Command - I:\fooool.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-13 16:15:02 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-15 13:21:36 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 18:50:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 18:53:20 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-15 13:23:18
.
2007-11-27 17:04:38      --- E O F ---  
SDFix log:


SDFix: Version 1.126

Run by abc on Tue 01/15/2008 at 07:50 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  - Deleted
C:\autorun.inf  - Deleted
C:\WINDOWS\autorun.inf  - Deleted
C:\WINDOWS\smss.exe  - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  - Deleted
C:\autorun.inf  - Deleted
C:\WINDOWS\autorun.inf  - Deleted
C:\WINDOWS\smss.exe  - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  - Deleted
C:\autorun.inf  - Deleted
C:\WINDOWS\autorun.inf  - Deleted
C:\WINDOWS\smss.exe  - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 19:52:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  Found
C:\WINDOWS\smss.exe  Found
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  Found
C:\WINDOWS\smss.exe  Found
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  Found
C:\WINDOWS\smss.exe  Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 11 Jan 2008       229,621 A.SHR --- "C:\smss.exe"
Fri 11 Jan 2008       229,621 A.SHR --- "C:\Funny UST Scandal.avi.exe"
Fri 11 Jan 2008       229,621 A.SHR --- "C:\WINDOWS\killer.exe"
Mon  7 Jan 2008           352 A..H. --- "C:\WINDOWS\nod32fixtemdono.reg"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1230492412c0d92c55a03b0de671f167\BIT6.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\021bbe9f2a0e31da1414f03ea6d62389\BIT7.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\BIT9.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\05dc5f0b39a115d1962503e7297cdba7\BITA.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\BITB.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f686eb18ed8be61735e890e67439840\BITC.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b54528191e99a817679c5ba3ee641572\BITF.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4e28cc4378cd0807778e1b0917bd6312\BIT12.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4387300ca1dcf29784a47c30e67cb637\BIT15.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4b6ccd5ccf72ffca11e7f7e0165f2082\BIT1B.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0f8a5d0d09e527fa35dec9e085d4b802\BIT1C.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT1D.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\512e19b377bd5d52a1e190ecbd7a83eb\BIT20.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b94d041c29d0b8d724c97ae0005e71b\BIT22.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\BIT25.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\BIT26.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3c3c6d9de8be474641d4bbceb22a36f\BIT27.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\BIT29.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\BIT2B.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BIT2D.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\BIT2E.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT2F.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\BIT30.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\BIT32.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1717a50ad70787e0b2e37537d202992\BIT37.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b79f0480d592be3a8c6db381ffc0c693\BIT3A.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT3E.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\af772f1b25b38c833ba730dad6e4877d\BIT3F.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\BIT40.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\109fef93c24da62cf8f31668d6ba9060\BIT43.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e7d26e5776f9930c6ad9dff351940707\BIT44.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\495213e4cb2a90b1fa5505a5fab8e00b\BIT45.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT48.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\55b5c397ff94db07e8c1c336efaf0a7b\BIT4B.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\04ca01d3516e62847eb74defda094165\BIT4C.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d820fbd6e1527bc9c51d0c3b240b96fd\BIT4D.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\080070f6461c8001578e5e4cd4bb024b\BIT51.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6f0fd10fc234123bcdf54ebca4b84cbd\BIT52.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT53.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ee52836d5c671146809a1dc54498be1f\BIT54.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\BIT55.tmp"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\299966e551b4462ae94e39e251e277b6\download\BIT5A.tmp"
Fri 11 Jan 2008       229,621 A.SHR --- "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe"

Finished!
Sorry, they did not work.

I tried many spyware and anti-virus programs, including XoftSE, Spybot S&D, Prevx CSI, Spy Sweeper and Spy Emergency. Moreover, this virus does not let me install anti-virus programs.
Can you report back with what is happening when you follow the recommendations in Safe Mode?

Also, if you haven't done so, you need to disconnect the PC from the network and from the internet.
Please tell me what the origin of the software is. I am ready to delete even Windows files.
I just want to get rid of this program.
Check out the logs and tell me what I should remove to get rid of it.
Sorry top_rung, I did not notice.

I will let you know brother/sister.
No problem... yes, you have to boot into Safe Mode so that it does not have a chance to load. Once there, you can attempt to disable it.

You can clean this up without wiping the machine, but you HAVE to be patient and follow the advice given.



I did what you told me, bro, but those viruses are stubborn and have the potential to destroy both my time and my PC.
They come back right after I disable and/or delete them. Every single time, and I mean every time I do that, they come back.

The virus names are:
C:\windows\smss.exe
C:\windows\killer.exe
c:\smss.exe
C:\windows\Funny Scandal.avi.exe
C:\Funny Scandal.avi.exe
and their instances, like autorun.inf, and I don't know.
I tried both in Safe Mode and normal mode, but as I told you, they come back. :(
Now bro/sis, tell me how to kill those killers.


How important is the data on the machine?  Have you considered a clean installation of your operating system?  That would be my recommendation.  Leave no room for replication down the road, don't waste your time hunting this further, and move on.

If you really want to try and salvage it, you will have to try to boot to another environment like Bart PE and then manually try cleaning this. But it is a lengthy process.
vegetasharma

You may want to consider top_rung's advice here and format this thing. But I have a question here. How many drives do you have on this thing? And what type are they? If you look at the combo log this thing is loading from everywhere; that's why they keep coming back. All of those drives, as I indicated in the codebox, are infected too, and will need to be wiped clean or cleaned.

If you would still like to try cleaning this I will give it a shot. Here's what we'll try (no guarantees here). Let me know what those drives are. Then, run combofix again and post the log. I will post a CFScript file back using CF and see if we can get this. Let me know what you want to do.

Dave
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\Open\Command - C:\smss.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\Autoplay\Command - D:\smss.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\Autoplay\Command - E:\smss.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\Autoplay\Command - F:\smss.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c0afd4-b5ec-11dc-a6f4-003018ab4469}]
\Shell\open\Command - I:\fooool.exe
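As an added triage example (not a tool from this thread, nor part of ComboFix or SDFix), the following Python walks log text in the format pasted above and lists the persistence points Dave is pointing at: the MountPoints2 shell verb cached for each drive letter or volume GUID, Run entries that launch a core-system file name from outside system32, and System+Hidden+Read-only files that share one exact size. The embedded log excerpt is constructed from the shape of the ComboFix and SDFix output in this thread and is not a real, complete log.

```python
"""Triage helper for ComboFix / SDFix log text of the kind pasted in this thread.

Extracts the persistence points visible in those logs and flags the pattern seen here:
  * MountPoints2 shell verbs (Explorer's cache of each volume's autorun.inf, i.e. what
    runs when the drive is double-clicked or AutoPlayed);
  * Run-key entries launching a core-system file name from outside system32;
  * System+Hidden+Read-only files that share one exact size (copies of one dropper).
"""
import re
from collections import defaultdict

# Core Windows binaries that legitimately live only in %SystemRoot%\system32.
SYSTEM32_ONLY = {"smss.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}

MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.I)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\Command\s+-\s+(.+)$", re.I)
RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*\\CurrentVersion\\Run\]$", re.I)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
# SDFix "Files with Hidden Attributes" line: date, size, attribute flags, quoted path
HIDDEN_RE = re.compile(r'^\w{3}\s+\d+\s+\w{3}\s+\d{4}\s+([\d,]+)\s+([A-Z.]{5})\s+---\s+"([^"]+)"$')

# Constructed excerpt in the shape of the logs in this thread (not a real, complete log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\Open\Command - C:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\Autoplay\Command - D:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c0afd4-b5ec-11dc-a6f4-003018ab4469}]
\Shell\AutoRun\command - I:\fooool.exe
\Shell\open\Command - I:\fooool.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]

Files with Hidden Attributes:

Fri 11 Jan 2008       229,621 A.SHR --- "C:\smss.exe"
Fri 11 Jan 2008       229,621 A.SHR --- "C:\WINDOWS\killer.exe"
Wed 28 Nov 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\BIT6.tmp"
"""


def parse_log(text):
    """Single pass over the log, remembering which registry key the current line belongs to."""
    mountpoints = defaultdict(list)  # volume (drive letter or GUID) -> [(verb, target)]
    run_entries = []                 # (hive, value name, command)
    hidden = []                      # (size in bytes, attribute flags, path)
    current = None                   # ("mp", volume) | ("run", hive) | None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := MOUNTPOINT_RE.match(line):
            current = ("mp", m.group(1))
        elif m := RUN_KEY_RE.match(line):
            current = ("run", m.group(1))
        elif line.startswith("["):       # some other key: stop attributing values to it
            current = None
        elif current and current[0] == "mp" and (m := SHELL_CMD_RE.match(line)):
            mountpoints[current[1]].append((m.group(1).lower(), m.group(2).strip()))
        elif current and current[0] == "run" and (m := RUN_VALUE_RE.match(line)):
            run_entries.append((current[1], m.group(1), m.group(2)))
        elif m := HIDDEN_RE.match(line):
            hidden.append((int(m.group(1).replace(",", "")), m.group(2), m.group(3)))
    return mountpoints, run_entries, hidden


def triage(text):
    """Return readable findings: every MountPoints2 hook, masquerading Run entries, SHR clusters."""
    mountpoints, run_entries, hidden = parse_log(text)
    findings = []
    # On XP a Shell\...\Command cached under MountPoints2 for a fixed disk means an
    # autorun.inf sat in that volume's root; Explorer uses the verb on open/AutoPlay.
    for volume, cmds in sorted(mountpoints.items()):
        for verb, target in cmds:
            findings.append(f"mountpoints2 {volume}: {verb} -> {target}")
    # A Run value starting a file named like smss.exe from %SystemRoot% rather than
    # system32 is a copy of the worm, not the real Session Manager.
    for hive, name, cmd in run_entries:
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if exe in SYSTEM32_ONLY and "\\system32\\" not in cmd.lower():
            findings.append(f"{hive} Run '{name}': {cmd} (masquerades as {exe})")
    # Identical size plus System+Hidden+Read-only on several paths: one dropper copied around.
    by_size = defaultdict(list)
    for size, attrs, path in hidden:
        if {"S", "H", "R"} <= set(attrs):
            by_size[size].append(path)
    for size, paths in sorted(by_size.items()):
        if len(paths) > 1:
            findings.append(f"{len(paths)} SHR files of {size} bytes: {', '.join(paths)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Pasting a full ComboFix or SDFix log into `SAMPLE_LOG` in place of the constructed excerpt gives the same three views of that log.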

Bart PE, huh? I already tried it, but it does not seem effective, sorry to say. It closes Bart PE automatically.
I already did a clean install without formatting my PC; I only wiped Windows. But as I told you, and as you know,
they came back. My PC is completely infected.

I want to clean that shit off without wiping my machine. Please help me as soon as possible.
All drives are FAT32:
C:- FAT32
D:- FAT32
E:- FAT32
F:- FAT32
> "I already did clean install without format my pc"

That's not a clean install. And even if you cleaned your C drive, this thing is all over your PC. We will do our best to help, but you are seriously infected here. What's the "I" drive? A flash drive?

Go ahead and run combofix again and I'll put something together with a CFScript to try and clean this. There are no guarantees though. We're trying....

Dave
No need for profanity either.
I am sorry I made you angry.

I really need your help. O.K. I do what you say :)

ComboFix 08-01-16.4 - omi 2008-01-16 19:34:11.1 - [color=red][b]FAT32[/b][/color]x86
Running from: C:\Documents and Settings\omi\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-16 to 2008-01-16  )))))))))))))))))))))))))))))))
.

2008-01-16 19:33 . 2000-08-31 08:00      51,200      --a------      C:\WINDOWS\NirCmd.exe
2008-01-16 19:11 . 2008-01-16 19:11      <DIR>      d--------      C:\WINDOWS\LastGood
2008-01-16 17:51 . 2008-01-11 18:24      229,621      --a------      C:\WINDOWS\Funny UST Scandal.exe
2008-01-16 17:10 . 2008-01-16 17:10      664      --a------      C:\WINDOWS\system32\d3d9caps.dat
2008-01-16 14:54 . 2008-01-16 14:54      940,794      --a------      C:\WINDOWS\system32\LoopyMusic.wav
2008-01-16 14:54 . 2008-01-16 14:54      146,650      --a------      C:\WINDOWS\system32\BuzzingBee.wav
2008-01-16 14:28 . 2007-11-06 10:50      16,855,552      --a------      C:\WINDOWS\RTHDCPL.exe
2008-01-16 14:28 . 2007-11-14 17:14      4,625,408      --a------      C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-16 14:28 . 2006-05-04 16:26      2,808,832      --a------      C:\WINDOWS\alcwzrd.exe
2008-01-16 14:28 . 2007-06-28 16:44      2,165,760      --a------      C:\WINDOWS\MicCal.exe
2008-01-16 14:28 . 2007-07-26 17:09      520,192      --a------      C:\WINDOWS\RtlExUpd.dll
2008-01-16 14:28 . 2008-01-16 14:28      315,392      --a------      C:\WINDOWS\HideWin.exe
2008-01-16 14:28 . 2005-09-21 10:25      299,008      --a------      C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-16 14:28 . 2005-05-03 18:43      69,632      --a------      C:\WINDOWS\Alcmtr.exe
2008-01-16 14:22 . 2008-01-16 14:22      <DIR>      d--------      C:\Documents and Settings\omi\Application Data\PrevxCSI
2008-01-16 14:22 . 2008-01-16 14:22      <DIR>      d--------      C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-01-16 12:45 . 2008-01-16 12:45      0      --a------      C:\WINDOWS\nsreg.dat
2008-01-16 12:16 . 2008-01-16 12:16      <DIR>      d--------      C:\Documents and Settings\omi\Application Data\AdobeUM
2008-01-16 12:14 . 2008-01-11 18:24      229,621      -rahs----      C:\WINDOWS\killer.exe
2008-01-16 02:22 . 2001-08-23 18:00      176,157      --a------      C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-01-16 02:22 . 2001-08-23 18:00      103,424      --a------      C:\WINDOWS\system32\dllcache\eqnclass.dll
2008-01-16 02:22 . 2001-08-23 18:00      85,020      --a------      C:\WINDOWS\system32\dllcache\dgsetup.dll
2008-01-16 02:22 . 2001-08-23 18:00      66,082      --a------      C:\WINDOWS\system32\dllcache\c_20127.nls
2008-01-16 02:22 . 2004-08-04 01:26      8,704      --a------      C:\WINDOWS\system32\dllcache\batt.dll
2008-01-15 22:25 . 2008-01-15 22:25      8,192      --a------      C:\WINDOWS\REGLOCS.OLD
2008-01-15 22:23 . 2001-08-23 18:00      1,875,968      --a------      C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-15 22:22 . 2001-08-23 18:00      13,463,552      --a------      C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-15 22:21 . 2004-08-04 01:26      2,134,528      --a------      C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-15 22:20 . 2008-01-15 22:20      <DIR>      d--hs----      C:\Documents and Settings\All Users.WINDOWS\DRM
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\WindowsShell.Manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\cdplayer.exe.manifest
2008-01-15 22:20 . 2008-01-15 22:20      488      -rah-----      C:\WINDOWS\system32\WindowsLogon.manifest
2008-01-15 22:20 . 2008-01-15 22:20      488      -rah-----      C:\WINDOWS\system32\logonui.exe.manifest
2008-01-15 22:18 . 2004-08-04 01:26      768,512      --a------      C:\WINDOWS\system32\dllcache\helpctr.exe
2008-01-15 22:17 . 2004-08-04 01:26      1,352,192      --a------      C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-01-15 22:05 . 2008-01-15 22:06      <DIR>      dr-------      C:\Documents and Settings\All Users.WINDOWS\Documents
2008-01-15 22:03 . 2004-08-03 20:57      1,086,058      -ra------      C:\WINDOWS\SET1F.tmp
2008-01-15 22:03 . 2004-08-03 21:03      1,042,903      -ra------      C:\WINDOWS\SET1C.tmp
2008-01-15 22:03 . 2004-08-03 20:58      13,753      -ra------      C:\WINDOWS\SET2B.tmp
2008-01-15 20:55 . 2001-08-17 13:59      3,072      --a------      C:\WINDOWS\system32\drivers\audstub.sys
2008-01-15 20:54 . 2004-08-04 00:56      74,240      --a------      C:\WINDOWS\system32\usbui.dll
2008-01-15 20:54 . 2004-08-03 22:59      57,472      --a------      C:\WINDOWS\system32\drivers\redbook.sys
2008-01-15 20:54 . 2004-08-03 22:31      20,992      --a------      C:\WINDOWS\system32\drivers\RTL8139.sys
2008-01-15 20:52 . 2001-08-23 12:30      176,157      --a------      C:\WINDOWS\system32\dgrpsetu.dll
2008-01-15 20:50 . 2004-08-03 20:58      2,012,670      --a------      C:\WINDOWS\system32\dllcache\NT5.CAT
2008-01-15 20:48 . 2008-01-15 22:24      261      --a------      C:\WINDOWS\system32\$winnt$.inf
2008-01-15 20:23 . 2008-01-11 18:24      229,621      -rahs----      C:\Funny UST Scandal.avi.exe
2008-01-15 20:18 . 2008-01-15 20:18      <DIR>      d--------      C:\Sbi
2008-01-15 19:43 . 2008-01-15 19:43      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-01-15 19:23 . 2008-01-15 19:23      <DIR>      d--------      C:\Program Files\X-Cleaner
2008-01-15 18:22 . 2008-01-15 18:22      <DIR>      d--------      C:\Program Files\NoAdware5.0
2008-01-15 15:18 . 2008-01-11 18:24      229,621      -rahs----      C:\smss.exe
2008-01-15 14:56 . 2008-01-15 14:56      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-01-15 12:33 . 2008-01-15 12:33      <DIR>      d--hs----      C:\FOUND.005
2008-01-15 12:23 . 2008-01-15 12:23      <DIR>      d--------      C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\SUPERAntiSpyware.com
2008-01-15 10:48 . 2008-01-15 10:48      <DIR>      d--hs----      C:\FOUND.004
2008-01-14 19:14 . 2008-01-14 19:14      <DIR>      d--hs----      C:\FOUND.003
2008-01-14 18:58 . 2008-01-14 18:58      <DIR>      d--hs----      C:\FOUND.002
2008-01-14 14:19 . 2008-01-14 14:19      <DIR>      d--------      C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 13:48 . 2008-01-14 13:48      <DIR>      d--------      C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06      <DIR>      d--------      C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45      <DIR>      d--------      C:\Program Files\XoftSpySE
2008-01-13 19:51 . 2008-01-13 19:51      <DIR>      d--------      C:\Program Files\Lavasoft Ad-Aware
2008-01-13 13:41 . 2008-01-13 13:41      <DIR>      d--------      C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:44 . 2008-01-12 19:44      <DIR>      d--------      C:\Program Files\Enigma Software Group
2008-01-12 18:48 . 2008-01-12 18:48      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 11:07 . 2008-01-12 11:07      <DIR>      d--hs----      C:\FOUND.001
2008-01-06 12:25 . 2008-01-06 12:26      <DIR>      d--------      C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24      <DIR>      d--------      C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20      <DIR>      d--------      C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58      <DIR>      d--------      C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40      <DIR>      d--------      C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54      <DIR>      d--------      C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17      268      --ah-----      C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17      244      --ah-----      C:\sqmnoopt19.sqm
2007-12-29 22:34 . 2007-12-29 22:34      268      --ah-----      C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34      244      --ah-----      C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43      268      --ah-----      C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43      244      --ah-----      C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17      <DIR>      d--------      C:\Program Files\WinAce
2007-12-29 17:08 . 2007-12-29 17:08      <DIR>      d--------      C:\Program Files\EA GAMES
2007-12-29 15:40 . 2007-12-29 15:40      268      --ah-----      C:\sqmdata16.sqm
2007-12-29 15:40 . 2007-12-29 15:40      244      --ah-----      C:\sqmnoopt16.sqm
2007-12-29 14:04 . 2007-12-29 14:04      268      --ah-----      C:\sqmdata15.sqm
2007-12-29 14:04 . 2007-12-29 14:04      244      --ah-----      C:\sqmnoopt15.sqm
2007-12-29 13:59 . 2007-12-29 13:59      <DIR>      d--------      C:\Perl

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 12:48      45      ----a-w      C:\Program Files\InstErr.log
2008-01-11 12:54      229,621      --sha-r      C:\WINDOWS\smss.exe
2007-12-15 14:44      ---------      d-----w      C:\Program Files\Whizlabs Suite
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22      ---------      d-----w      C:\Program Files\Xinox Software
2007-12-13 13:14      ---------      d-----w      C:\Program Files\Apache Software Foundation
2007-12-12 15:33      ---------      d-----w      C:\Program Files\Sun
2007-12-11 17:08      ---------      d-----w      C:\Program Files\IBM HTTP Server
2007-12-11 16:58      ---------      d-----w      C:\Program Files\IBM
2007-12-11 08:22      ---------      d-----w      C:\Program Files\pass4sure
2007-12-11 08:04      ---------      d-----w      C:\Program Files\ActualtestsEngine
2007-12-10 13:27      ---------      d-----w      C:\Program Files\VideoLAN
2007-12-10 13:27      ---------      d-----w      C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50      ---------      d-----w      C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56      ---------      d-----w      C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42      ---------      d-----w      C:\Program Files\DAEMON Tools
2007-11-28 06:44      ---------      d-----w      C:\Program Files\DivX
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Real
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\xing shared
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\Real
2007-11-27 15:02      ---------      d-----w      C:\Program Files\Oracle
2007-11-27 07:55      ---------      d-----w      C:\Program Files\Runtime Software
2007-11-27 07:44      ---------      d-----w      C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16      ---------      d-----w      C:\Program Files\Realtek
2007-11-27 06:23      ---------      d-----w      C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36      ---------      d-----w      C:\Program Files\Google
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Java
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Common Files\Java
2007-11-26 16:11      ---------      d-----w      C:\Program Files\uTorrent
2007-11-26 15:39      ---------      d-----w      C:\Program Files\MCE
2007-11-26 15:18      ---------      d-----w      C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15      ---------      d-----w      C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09      ---------      d-----w      C:\Program Files\CyberLink
2007-11-26 14:08      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-11-26 14:06      ---------      d-----w      C:\Program Files\Winamp
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Common Files\Ahead
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Ahead
2007-11-26 14:00      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-26 14:00      ---------      d-----w      C:\Program Files\JetAudio
2007-11-26 14:00      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2007-11-26 13:41      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-11-07 12:01      1,191,936      ----a-w      C:\WINDOWS\RtlUpd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-16 15:06 92160]


*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 17:06:32 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-16 13:39:48 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 19:35:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 19:35:58
ComboFix-quarantined-files.txt  2008-01-16 14:05:58
.
2008-01-16 12:22:13      --- E O F ---  
2008-01-14 14:19 . 2008-01-14 14:19      <DIR>      d--------      C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 13:48 . 2008-01-14 13:48      <DIR>      d--------      C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06      <DIR>      d--------      C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45      <DIR>      d--------      C:\Program Files\XoftSpySE
2008-01-13 19:51 . 2008-01-13 19:51      <DIR>      d--------      C:\Program Files\Lavasoft Ad-Aware
2008-01-13 13:41 . 2008-01-13 13:41      <DIR>      d--------      C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:44 . 2008-01-12 19:44      <DIR>      d--------      C:\Program Files\Enigma Software Group
2008-01-12 18:48 . 2008-01-12 18:48      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 11:07 . 2008-01-12 11:07      <DIR>      d--hs----      C:\FOUND.001
2008-01-06 12:25 . 2008-01-06 12:26      <DIR>      d--------      C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24      <DIR>      d--------      C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20      <DIR>      d--------      C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58      <DIR>      d--------      C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40      <DIR>      d--------      C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54      <DIR>      d--------      C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17      268      --ah-----      C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17      244      --ah-----      C:\sqmnoopt19.sqm
2007-12-29 22:34 . 2007-12-29 22:34      268      --ah-----      C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34      244      --ah-----      C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43      268      --ah-----      C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43      244      --ah-----      C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17      <DIR>      d--------      C:\Program Files\WinAce
2007-12-29 17:08 . 2007-12-29 17:08      <DIR>      d--------      C:\Program Files\EA GAMES
2007-12-29 15:40 . 2007-12-29 15:40      268      --ah-----      C:\sqmdata16.sqm
2007-12-29 15:40 . 2007-12-29 15:40      244      --ah-----      C:\sqmnoopt16.sqm
2007-12-29 14:04 . 2007-12-29 14:04      268      --ah-----      C:\sqmdata15.sqm
2007-12-29 14:04 . 2007-12-29 14:04      244      --ah-----      C:\sqmnoopt15.sqm
2007-12-29 13:59 . 2007-12-29 13:59      <DIR>      d--------      C:\Perl

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 12:48      45      ----a-w      C:\Program Files\InstErr.log
2008-01-11 12:54      229,621      --sha-r      C:\WINDOWS\smss.exe
2007-12-15 14:44      ---------      d-----w      C:\Program Files\Whizlabs Suite
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22      ---------      d-----w      C:\Program Files\Xinox Software
2007-12-13 13:14      ---------      d-----w      C:\Program Files\Apache Software Foundation
2007-12-12 15:33      ---------      d-----w      C:\Program Files\Sun
2007-12-11 17:08      ---------      d-----w      C:\Program Files\IBM HTTP Server
2007-12-11 16:58      ---------      d-----w      C:\Program Files\IBM
2007-12-11 08:22      ---------      d-----w      C:\Program Files\pass4sure
2007-12-11 08:04      ---------      d-----w      C:\Program Files\ActualtestsEngine
2007-12-10 13:27      ---------      d-----w      C:\Program Files\VideoLAN
2007-12-10 13:27      ---------      d-----w      C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50      ---------      d-----w      C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56      ---------      d-----w      C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42      ---------      d-----w      C:\Program Files\DAEMON Tools
2007-11-28 06:44      ---------      d-----w      C:\Program Files\DivX
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Real
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\xing shared
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\Real
2007-11-27 15:02      ---------      d-----w      C:\Program Files\Oracle
2007-11-27 07:55      ---------      d-----w      C:\Program Files\Runtime Software
2007-11-27 07:44      ---------      d-----w      C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16      ---------      d-----w      C:\Program Files\Realtek
2007-11-27 06:23      ---------      d-----w      C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36      ---------      d-----w      C:\Program Files\Google
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Java
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Common Files\Java
2007-11-26 16:11      ---------      d-----w      C:\Program Files\uTorrent
2007-11-26 15:39      ---------      d-----w      C:\Program Files\MCE
2007-11-26 15:18      ---------      d-----w      C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15      ---------      d-----w      C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09      ---------      d-----w      C:\Program Files\CyberLink
2007-11-26 14:08      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-11-26 14:06      ---------      d-----w      C:\Program Files\Winamp
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Common Files\Ahead
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Ahead
2007-11-26 14:00      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-26 14:00      ---------      d-----w      C:\Program Files\JetAudio
2007-11-26 14:00      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2007-11-26 13:41      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-11-07 12:01      1,191,936      ----a-w      C:\WINDOWS\RtlUpd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-16 15:06 92160]


*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 17:06:32 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-16 13:39:48 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 19:35:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 19:35:58
ComboFix-quarantined-files.txt  2008-01-16 14:05:58
.
2008-01-16 12:22:13      --- E O F ---  
I am sorry I made you angry.

I really need your help. O.K., I'll do what you say :)

smss.exe
autorun.inf
smss.exe
Funny UST Scandal.avi.exe
killer.exe

Those are all threats, and you guys better know how many there are :)

You didn't make me angry; I was just stating the need for no profanity. We all get frustrated...

So you did re-install Windows? Are the other drives still connected? Can you post a new HJT log please? Please put the logs in a Code Window by selecting the Attach Code Snippet and putting the log text there.

ok sir :)

But you told me you would give me a shot with CFScript. Never mind.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:26 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\killer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paretologic.com/go.aspx?aid=3&vid=31245&pid=1&lid=en&uid=0
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D82B6F-245B-40E6-B778-7B6977AA5EE6}: NameServer = 218.248.240.23 218.248.240.135
 
--
End of file - 1673 bytes


The other drives are still connected.
Well, there doesn't appear to be too much left, but that doesn't mean it won't go easily. Let's give this a shot...

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe
C:\WINDOWS\killer.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

Please put them in the code snippet window...thanks.

Dave
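As an added example (not from this thread, and not part of HijackThis or ComboFix), a small Python triage script that makes the same checks the expert made by eye on the HijackThis log above: a Winlogon Shell= value carrying anything besides explorer.exe, a core system binary name such as smss.exe running or autostarting from outside System32, and O17 NameServer entries set aside for manual review. The sample log lines are constructed from the entries posted in this thread; all function and variable names are my own.

```python
import ntpath
import re

# Constructed sample in HijackThis v2 log format, modelled on the entries in
# this thread (not the full posted log).
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\killer.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\wscntfy.exe

F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D82B6F-245B-40E6-B778-7B6977AA5EE6}: NameServer = 218.248.240.23 218.248.240.135
"""

# Core Windows binaries that only run from %SystemRoot%\System32; a file with
# one of these names anywhere else (C:\WINDOWS\smss.exe here) is a masquerade.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}

# HJT entry lines look like "O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe"
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_hjt(text):
    """Split an HJT log into running-process paths and (code, detail) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def outside_system32(path):
    """True when a System32-only binary name runs from any other directory."""
    directory, name = ntpath.split(path)
    return (name.lower() in SYSTEM32_ONLY
            and not directory.lower().endswith("\\system32"))


def shell_extras(value):
    """Winlogon Shell should be exactly explorer.exe; anything else was added."""
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and p.lower() != "explorer.exe"]


def o4_target(detail):
    """Program path from an O4 entry, with the [label], quotes and args dropped."""
    target = detail.split("]", 1)[1].strip() if "]" in detail else detail
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split(" ", 1)[0]


def triage(text):
    """Return (severity, reason, evidence) tuples for suspicious log lines."""
    findings = []
    processes, entries = parse_hjt(text)
    for proc in processes:
        if outside_system32(proc):
            findings.append(("high", "system binary name outside System32", proc))
    for code, detail in entries:
        if code == "F2" and "Shell=" in detail:
            for extra in shell_extras(detail.split("Shell=", 1)[1]):
                findings.append(("high", "extra program in Winlogon Shell", extra))
        elif code == "O4" and outside_system32(o4_target(detail)):
            findings.append(("high", "autorun of masquerading system binary",
                             o4_target(detail)))
        elif code == "O17":
            # DNS servers cannot be judged offline; hand them to the analyst.
            findings.append(("review", "custom NameServer; confirm it is the ISP's",
                             detail.split("NameServer =", 1)[-1].strip()))
    return findings


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_HJT_LOG):
        print(f"[{severity}] {reason}: {evidence}")
```

On the sample above the script flags C:\WINDOWS\smss.exe twice (as a running process and as the HKCU Runonce autorun) and killer.exe once (from the Shell= line), which are exactly the items the CFScript in the post above removes.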
Yes Sir :)
ComboFix 08-01-16.4 - omi 2008-01-16 21:43:57.3 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.742 [GMT 5.5:30]
Running from: C:\Documents and Settings\omi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\omi\Desktop\CFScript.txt
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe
 
.
(((((((((((((((((((((((((   Files Created from 2007-12-16 to 2008-01-16  )))))))))))))))))))))))))))))))
.
 
2008-01-16 20:12 . 2008-01-16 21:40	144	-rahs----	C:\autorun.inf
2008-01-16 19:33 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-16 17:51 . 2008-01-11 18:24	229,621	--a------	C:\WINDOWS\Funny UST Scandal.exe
2008-01-16 17:10 . 2008-01-16 17:10	664	--a------	C:\WINDOWS\system32\d3d9caps.dat
2008-01-16 14:54 . 2008-01-16 14:54	940,794	--a------	C:\WINDOWS\system32\LoopyMusic.wav
2008-01-16 14:54 . 2008-01-16 14:54	146,650	--a------	C:\WINDOWS\system32\BuzzingBee.wav
2008-01-16 14:28 . 2007-11-06 10:50	16,855,552	--a------	C:\WINDOWS\RTHDCPL.exe
2008-01-16 14:28 . 2007-11-14 17:14	4,625,408	--a------	C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-16 14:28 . 2006-05-04 16:26	2,808,832	--a------	C:\WINDOWS\alcwzrd.exe
2008-01-16 14:28 . 2007-06-28 16:44	2,165,760	--a------	C:\WINDOWS\MicCal.exe
2008-01-16 14:28 . 2007-07-26 17:09	520,192	--a------	C:\WINDOWS\RtlExUpd.dll
2008-01-16 14:28 . 2008-01-16 14:28	315,392	--a------	C:\WINDOWS\HideWin.exe
2008-01-16 14:28 . 2005-09-21 10:25	299,008	--a------	C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-16 14:28 . 2005-05-03 18:43	69,632	--a------	C:\WINDOWS\Alcmtr.exe
2008-01-16 14:22 . 2008-01-16 14:22	<DIR>	d--------	C:\Documents and Settings\omi\Application Data\PrevxCSI
2008-01-16 14:22 . 2008-01-16 14:22	<DIR>	d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-01-16 12:45 . 2008-01-16 12:45	0	--a------	C:\WINDOWS\nsreg.dat
2008-01-16 12:16 . 2008-01-16 12:16	<DIR>	d--------	C:\Documents and Settings\omi\Application Data\AdobeUM
2008-01-16 12:14 . 2008-01-11 18:24	229,621	-rahs----	C:\WINDOWS\killer.exe
2008-01-16 02:22 . 2001-08-23 18:00	176,157	--a------	C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-01-16 02:22 . 2001-08-23 18:00	103,424	--a------	C:\WINDOWS\system32\dllcache\eqnclass.dll
2008-01-16 02:22 . 2001-08-23 18:00	85,020	--a------	C:\WINDOWS\system32\dllcache\dgsetup.dll
2008-01-16 02:22 . 2001-08-23 18:00	66,082	--a------	C:\WINDOWS\system32\dllcache\c_20127.nls
2008-01-16 02:22 . 2004-08-04 01:26	8,704	--a------	C:\WINDOWS\system32\dllcache\batt.dll
2008-01-15 22:25 . 2008-01-15 22:25	8,192	--a------	C:\WINDOWS\REGLOCS.OLD
2008-01-15 22:23 . 2001-08-23 18:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-15 22:22 . 2001-08-23 18:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-15 22:21 . 2004-08-04 01:26	2,134,528	--a------	C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-15 22:20 . 2008-01-15 22:20	<DIR>	d--hs----	C:\Documents and Settings\All Users.WINDOWS\DRM
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\WindowsShell.Manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\cdplayer.exe.manifest
2008-01-15 22:20 . 2008-01-15 22:20	488	-rah-----	C:\WINDOWS\system32\WindowsLogon.manifest
2008-01-15 22:20 . 2008-01-15 22:20	488	-rah-----	C:\WINDOWS\system32\logonui.exe.manifest
2008-01-15 22:18 . 2004-08-04 01:26	768,512	--a------	C:\WINDOWS\system32\dllcache\helpctr.exe
2008-01-15 22:17 . 2004-08-04 01:26	1,352,192	--a------	C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-01-15 22:05 . 2008-01-15 22:06	<DIR>	dr-------	C:\Documents and Settings\All Users.WINDOWS\Documents
2008-01-15 22:03 . 2004-08-03 20:57	1,086,058	-ra------	C:\WINDOWS\SET1F.tmp
2008-01-15 22:03 . 2004-08-03 21:03	1,042,903	-ra------	C:\WINDOWS\SET1C.tmp
2008-01-15 22:03 . 2004-08-03 20:58	13,753	-ra------	C:\WINDOWS\SET2B.tmp
2008-01-15 20:55 . 2001-08-17 13:59	3,072	--a------	C:\WINDOWS\system32\drivers\audstub.sys
2008-01-15 20:54 . 2004-08-04 00:56	74,240	--a------	C:\WINDOWS\system32\usbui.dll
2008-01-15 20:54 . 2004-08-03 22:59	57,472	--a------	C:\WINDOWS\system32\drivers\redbook.sys
2008-01-15 20:54 . 2004-08-03 22:31	20,992	--a------	C:\WINDOWS\system32\drivers\RTL8139.sys
2008-01-15 20:52 . 2001-08-23 12:30	176,157	--a------	C:\WINDOWS\system32\dgrpsetu.dll
2008-01-15 20:50 . 2004-08-03 20:58	2,012,670	--a------	C:\WINDOWS\system32\dllcache\NT5.CAT
2008-01-15 20:48 . 2008-01-15 22:24	261	--a------	C:\WINDOWS\system32\$winnt$.inf
2008-01-15 20:23 . 2008-01-11 18:24	229,621	-rahs----	C:\Funny UST Scandal.avi.exe
2008-01-15 20:18 . 2008-01-15 20:18	<DIR>	d--------	C:\Sbi
2008-01-15 19:43 . 2008-01-15 19:43	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-01-15 19:23 . 2008-01-15 19:23	<DIR>	d--------	C:\Program Files\X-Cleaner
2008-01-15 18:22 . 2008-01-15 18:22	<DIR>	d--------	C:\Program Files\NoAdware5.0
2008-01-15 14:56 . 2008-01-15 14:56	<DIR>	d--------	C:\WINDOWS\SxsCaPendDel
2008-01-15 12:33 . 2008-01-15 12:33	<DIR>	d--hs----	C:\FOUND.005
2008-01-15 12:23 . 2008-01-15 12:23	<DIR>	d--------	C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-15 11:45 . 2008-01-15 11:45	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2008-01-15 11:45 . 2008-01-15 11:45	<DIR>	d--------	C:\Documents and Settings\abc\Application Data\SUPERAntiSpyware.com
2008-01-15 10:48 . 2008-01-15 10:48	<DIR>	d--hs----	C:\FOUND.004
2008-01-14 19:14 . 2008-01-14 19:14	<DIR>	d--hs----	C:\FOUND.003
2008-01-14 18:58 . 2008-01-14 18:58	<DIR>	d--hs----	C:\FOUND.002
2008-01-14 14:19 . 2008-01-14 14:19	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18	<DIR>	d--------	C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18	<DIR>	d--------	C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18	<DIR>	d--------	C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 13:48 . 2008-01-14 13:48	<DIR>	d--------	C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06	<DIR>	d--------	C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45	<DIR>	d--------	C:\Program Files\XoftSpySE
2008-01-13 19:51 . 2008-01-13 19:51	<DIR>	d--------	C:\Program Files\Lavasoft Ad-Aware
2008-01-13 13:41 . 2008-01-13 13:41	<DIR>	d--------	C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09	<DIR>	d--------	C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09	<DIR>	d--------	C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52	<DIR>	d--------	C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52	<DIR>	d--------	C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:44 . 2008-01-12 19:44	<DIR>	d--------	C:\Program Files\Enigma Software Group
2008-01-12 18:48 . 2008-01-12 18:48	<DIR>	d--------	C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30	<DIR>	d--------	C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 11:07 . 2008-01-12 11:07	<DIR>	d--hs----	C:\FOUND.001
2008-01-06 12:25 . 2008-01-06 12:26	<DIR>	d--------	C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24	<DIR>	d--------	C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20	<DIR>	d--------	C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58	<DIR>	d--------	C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40	<DIR>	d--------	C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54	<DIR>	d--------	C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17	268	--ah-----	C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17	244	--ah-----	C:\sqmnoopt19.sqm
2007-12-29 22:34 . 2007-12-29 22:34	268	--ah-----	C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34	244	--ah-----	C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43	268	--ah-----	C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43	244	--ah-----	C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17	<DIR>	d--------	C:\Program Files\WinAce
2007-12-29 17:08 . 2007-12-29 17:08	<DIR>	d--------	C:\Program Files\EA GAMES
2007-12-29 15:40 . 2007-12-29 15:40	268	--ah-----	C:\sqmdata16.sqm
2007-12-29 15:40 . 2007-12-29 15:40	244	--ah-----	C:\sqmnoopt16.sqm
2007-12-29 14:04 . 2007-12-29 14:04	268	--ah-----	C:\sqmdata15.sqm
2007-12-29 14:04 . 2007-12-29 14:04	244	--ah-----	C:\sqmnoopt15.sqm
2007-12-29 13:59 . 2007-12-29 13:59	<DIR>	d--------	C:\Perl
2007-12-29 12:59 . 2007-12-29 12:59	<DIR>	d--------	C:\Program Files\DzSoft
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 12:48	45	----a-w	C:\Program Files\InstErr.log
2007-12-15 14:44	---------	d-----w	C:\Program Files\Whizlabs Suite
2007-12-14 14:23	---------	d-----w	C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22	---------	d-----w	C:\Program Files\Xinox Software
2007-12-13 13:14	---------	d-----w	C:\Program Files\Apache Software Foundation
2007-12-12 15:33	---------	d-----w	C:\Program Files\Sun
2007-12-11 17:08	---------	d-----w	C:\Program Files\IBM HTTP Server
2007-12-11 16:58	---------	d-----w	C:\Program Files\IBM
2007-12-11 08:22	---------	d-----w	C:\Program Files\pass4sure
2007-12-11 08:04	---------	d-----w	C:\Program Files\ActualtestsEngine
2007-12-10 13:27	---------	d-----w	C:\Program Files\VideoLAN
2007-12-10 13:27	---------	d-----w	C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50	---------	d-----w	C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56	---------	d-----w	C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42	---------	d-----w	C:\Program Files\DAEMON Tools
2007-11-28 06:44	---------	d-----w	C:\Program Files\DivX
2007-11-27 17:00	---------	d-----w	C:\Program Files\Real
2007-11-27 17:00	---------	d-----w	C:\Program Files\Common Files\xing shared
2007-11-27 17:00	---------	d-----w	C:\Program Files\Common Files\Real
2007-11-27 15:02	---------	d-----w	C:\Program Files\Oracle
2007-11-27 07:55	---------	d-----w	C:\Program Files\Runtime Software
2007-11-27 07:44	---------	d-----w	C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16	---------	d-----w	C:\Program Files\Realtek
2007-11-27 06:23	---------	d-----w	C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36	---------	d-----w	C:\Program Files\Google
2007-11-26 16:23	---------	d-----w	C:\Program Files\Java
2007-11-26 16:23	---------	d-----w	C:\Program Files\Common Files\Java
2007-11-26 16:11	---------	d-----w	C:\Program Files\uTorrent
2007-11-26 15:39	---------	d-----w	C:\Program Files\MCE
2007-11-26 15:18	---------	d-----w	C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15	---------	d-----w	C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09	---------	d-----w	C:\Program Files\CyberLink
2007-11-26 14:08	---------	d-----w	C:\Program Files\Common Files\Adobe
2007-11-26 14:06	---------	d-----w	C:\Program Files\Winamp
2007-11-26 14:04	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-11-26 14:04	---------	d-----w	C:\Program Files\Ahead
2007-11-26 14:00	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-26 14:00	---------	d-----w	C:\Program Files\JetAudio
2007-11-26 14:00	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-11-26 13:41	---------	d-----w	C:\Program Files\microsoft frontpage
2007-11-07 12:01	1,191,936	----a-w	C:\WINDOWS\RtlUpd.exe
.
 
(((((((((((((((((((((((((((((   snapshot@2008-01-16_19.35.50.62   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 14:03:54	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 16:13:56	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 14:03:54	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 16:13:56	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 14:03:54	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-16 16:13:56	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 14:03:56	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 16:13:56	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 14:03:56	872,448	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-16 16:13:56	888,832	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 14:03:56	12,288	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 16:13:56	12,288	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 02:30:00	163,328	----a-w	C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [2008-01-11 18:24 229621]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-16 15:06 92160]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, killer.exe"
 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 17:06:32 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-16 16:10:38 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 21:45:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-01-16 21:45:55
ComboFix-quarantined-files.txt  2008-01-16 16:15:56
ComboFix3.txt  2008-01-16 14:06:00
ComboFix2.txt  2008-01-16 14:40:00
.
2008-01-16 12:22:13	--- E O F ---  
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:35 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\killer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paretologic.com/go.aspx?aid=3&vid=31245&pid=1&lid=en&uid=0
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D82B6F-245B-40E6-B778-7B6977AA5EE6}: NameServer = 218.248.240.23 218.248.240.135
 
--
End of file - 1631 bytes
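
Reading the two logs together, three autostart indicators stand out, and each one is something a triage script can check mechanically: the Winlogon Shell value has a second program appended (F2 Shell=explorer.exe, killer.exe, also shown under Reg Loading Points in the ComboFix log), the HKCU Run entry "Runonce" loads a file called smss.exe from C:\WINDOWS while the genuine smss.exe in the same process list runs from System32, and the dropper on the drive root carries a media extension in front of .exe (Funny UST Scandal.avi.exe). The script below is an added example, not part of the thread and not code from HijackThis or ComboFix; it codifies those three checks and runs them over the HJT lines posted above. The table of core binaries and their home directories assumes a default C:\WINDOWS install, as in the log.

```python
import re

# Core Windows binaries and the only directory each is loaded from on a default
# XP install (%SystemRoot% = C:\WINDOWS, as in the posted log).  This table is an
# assumption of the example; adjust it for a different %SystemRoot%.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}

# A document/media extension immediately followed by an executable one, the
# "Funny UST Scandal.avi.exe" trick: Explorer hides the final .exe by default.
DOUBLE_EXT = re.compile(
    r"\.(avi|mpg|mpeg|wmv|jpg|jpeg|gif|bmp|mp3|doc|pdf|txt)\.(exe|scr|com|pif|bat|cmd)$",
    re.I,
)


def split_path(path):
    """Lower-cased (directory, file name) of a Windows path, quotes removed."""
    path = path.strip().strip('"')
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def masquerading_system_binary(path):
    """True when a core-binary file name is loaded from outside its home directory."""
    directory, name = split_path(path)
    expected = EXPECTED_DIR.get(name)
    return expected is not None and directory != expected


def double_extension(path):
    return DOUBLE_EXT.search(path.strip().strip('"')) is not None


def hijacked_shell(value):
    """Everything the Winlogon Shell value would start besides explorer.exe."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]


def run_target(o4_line):
    """Executable named by an HJT O4 line, i.e. the token after '[Name]', unquoted."""
    match = re.search(r"\]\s*(\"[^\"]+\"|\S+)", o4_line)
    return match.group(1).strip('"') if match else ""


def triage(log_text):
    """Return (line_no, reason, detail) for every suspicious line of an HJT log."""
    findings = []
    in_processes = False
    for number, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and not line:          # a blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            path = line
        elif line.startswith("F2 ") and "Shell=" in line:
            extra = hijacked_shell(line.split("Shell=", 1)[1])
            if extra:
                findings.append((number, "winlogon-shell-hijack", ", ".join(extra)))
            continue
        elif line.startswith("O4 "):
            path = run_target(line)
        else:
            continue
        if "\\" not in path:                   # bare name such as RTHDCPL.EXE: resolved via PATH, not judged here
            continue
        if masquerading_system_binary(path):
            findings.append((number, "system-name-outside-home-dir", path))
        if double_extension(path):
            findings.append((number, "double-extension", path))
    return findings


# Lines copied from the HijackThis log posted above, trimmed to the relevant ones.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\killer.exe
C:\WINDOWS\explorer.exe

F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
"""

if __name__ == "__main__":
    for number, reason, detail in triage(SAMPLE_HJT_LOG):
        print(f"line {number}: {reason}: {detail}")
```

Run against the sample it reports the Shell hijack (killer.exe) and the Runonce entry (C:\WINDOWS\smss.exe); killer.exe itself is not flagged by name, only through the Shell value, which is the point: the file name carries no signal, the load point does. A triage like this says where the malware is started from, which is what a cleanup has to undo (the Shell value back to explorer.exe alone, the HKCU Run entry removed) after the files are deleted from Safe Mode; it does not prove the binaries are malicious, so treat the output as a worklist, not a verdict.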
Dave is giving you great help.

You might want to physically open your computer (or go into BIOS), and disconnect/disable every drive but your Primary (C:).  Start with cleaning that one.  Once you have that one locked down via antivirus, firewall, disabling accounts, you can attempt to enable another drive and clean via command line or similar route.  Don't be surprised if you get reinfected though.

Again, if you have backed up data or can stand to do without it, really, start clean by fully formatting (not quick formatting) every drive.   If you try to save data, you had better scan every piece of it before introducing it to another system.

Yeah, this thing just won't go away. Try this: keep the drives connected for now and try sUBs' Flash_Disinfector to see if that will stop it from just coming back.

Flash_Disinfector from sUBs.

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.

Give us a new HJT log after. I've also asked our top expert in this area to look in here as this one has me stumped right now.
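
The reply above treats the removable drives as the re-infection path, and the ComboFix listing supports that: C:\autorun.inf (hidden, system, 144 bytes) was created at 20:12 and modified at 21:40 on the 16th, minutes before the scan finished, next to a hidden Funny UST Scandal.avi.exe with the same size and timestamp as killer.exe. What such a worm depends on is a handful of keys in that file. The script below is an added example, not Flash_Disinfector's code and not from the thread; it parses an autorun.inf the way a triage script would, tolerating the junk lines, comments and mixed case these files use, and classifies what sits at a drive root. The sample file body is constructed for illustration, since the page does not show the real contents of C:\autorun.inf. The "directory named autorun.inf" case reflects a commonly used placeholder mitigation (a folder occupying the name stops a worm that simply tries to create the file); that is this example's assumption about technique, not a description of what Flash_Disinfector does.

```python
import os
import re
import tempfile

# [autorun] keys that name a program Windows may launch for the drive: open and
# shellexecute (AutoRun/AutoPlay) and shell\<verb>\command, the context-menu
# verbs, including the Open/Explore ones triggered by a double-click in My Computer.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def parse_autorun(text):
    """Return (key, command) pairs declared in an autorun.inf body, in file order.

    Tolerates blank and junk lines, ';' comments, mixed-case keys and sections,
    all of which worms use to defeat naive parsers.
    """
    commands = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Windows reads [autorun] and the architecture-specific variants
            # such as [autorun.alpha]; any other section is ignored.
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            commands.append((key.lower(), value))
    return commands


def launched_executables(text):
    """Distinct command strings from the launch keys, in first-seen order."""
    return list(dict.fromkeys(value for _, value in parse_autorun(text)))


def inspect_drive_root(root):
    """Classify the autorun.inf at a drive root.

    'directory': a folder occupies the name (placeholder mitigation in place)
    'file':      returns the commands the file would launch
    'absent':    nothing there
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "directory", []
    if os.path.isfile(path):
        with open(path, encoding="latin-1", errors="replace") as fh:
            return "file", launched_executables(fh.read())
    return "absent", []


# Constructed sample: the page shows only that C:\autorun.inf exists beside
# "Funny UST Scandal.avi.exe"; these lines illustrate what such a file typically
# contains and are not its real content.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
;junk line to confuse scanners
OPEN=Funny UST Scandal.avi.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\Command=Funny UST Scandal.avi.exe
shell\explore\command=Funny UST Scandal.avi.exe
ShellExecute=Funny UST Scandal.avi.exe
[Other]
open=not-autorun.exe
"""


def demo():
    """Write the sample into a temporary 'drive root', then swap in a placeholder folder."""
    with tempfile.TemporaryDirectory() as root:
        inf = os.path.join(root, "autorun.inf")
        with open(inf, "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        before = inspect_drive_root(root)
        os.remove(inf)
        os.mkdir(inf)                      # placeholder: the name is now taken by a folder
        after = inspect_drive_root(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("as dropped by the worm:", before)
    print("with placeholder folder:", after)
```

Two caveats for anyone using this on a real machine: the placeholder folder only defeats malware that gives up when creating the file fails, so a dropper running with enough rights to remove the folder is not stopped by it; and on XP the autorun.inf on a fixed drive is honoured too when the drive is opened from My Computer, which is why these worms write C:\autorun.inf and why setting NoDriveTypeAutoRun to 0xFF (all drive types) is part of a proper cleanup rather than only cleaning the USB sticks.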
ASKER CERTIFIED SOLUTION
eXpeLLeD_4RM_heLL
You hit directly into the heart, not mine but the virus's. hahahahaha

thanks
<<here's a website:
http://piyushlabs.wordpress.com/smss/>>
That solution helped me.
thanks a lot.
by the way, thanks to all who tried to help me.