My in-laws' computer has virus problems.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:35:45 PM, on 9/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\WINDOWS\System32\avica.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

--
End of file - 1379 bytes


Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 1

9/24/2008 5:15:22 PM
mbam-log-2008-09-24 (17-15-22).txt

Scan type: Quick Scan
Objects scanned: 71990
Time elapsed: 46 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SmitFraudFix v2.328

Scan done at 16:04:34.59, Wed 09/24/2008
Run from C:\Documents and Settings\E-Machine\My Documents\v suck\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
OK, I tried to scan with it, but it won't run because I can't use the internet. Unless you know a way around it.
 
It found others, and avica seems to be gone. There is a registry key, TDSSserv.sys.vir; it's under Win\drivers. I'm going to try to remove it now. Still can't use the CD drive.

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
9/25/2008 04:33:36 PM: Trojan Remover has been restarted
C:\WINDOWS\System32\drivers\TDSSserv.sys has been renamed to C:\WINDOWS\System32\drivers\TDSSserv.sys.vir
C:\WINDOWS\system32\drivers\jxbnwbom.dat has been deleted
=======================================================
Removing the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv - already removed
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys - removed
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys - removed
=======================================================
=======================================================
Deleting the following registry value(s):
HKLM\SYSTEM\CurrentControlSet\Services\qeppwsjh\[ImagePath] - deleted
=======================================================
C:\WINDOWS\System32\drivers\TDSSserv.sys has been renamed to C:\WINDOWS\System32\drivers\TDSSserv.sys.vir
9/25/2008 04:33:36 PM: Trojan Remover closed
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.0.2534. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 04:28:02 PM 25 Sep 2008
Using Database v7020
Operating System: Windows XP SP1 [Windows XP Home Edition Service Pack 1 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\E-Machine\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Documents and Settings\E-Machine\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************

**************************************************
04:28:03 PM: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

**************************************************
04:28:03 PM: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

**************************************************
04:28:03 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
Hidden Service Keyname: TDSSserv
ERROR: Access Violation calling SystemTimeToDateTime in procedure FileTimeToDTime
Entry has been scheduled for deletion when the PC is restarted
SafeBoot\Minimal entry for TDSSserv.sys removed
SafeBoot\Network entry for TDSSserv.sys removed
C:\WINDOWS\System32\drivers\TDSSserv.sys - file ownership assigned to: EMACHINE\E-Machine
[kill file error: C:\WINDOWS\System32\drivers\TDSSserv.sys, The process cannot access the file because another process has locked a portion of the file.
]
C:\WINDOWS\System32\drivers\TDSSserv.sys - file backed up to C:\WINDOWS\System32\drivers\TDSSserv.sys.vir
C:\WINDOWS\System32\drivers\TDSSserv.sys - marked for renaming when the PC is restarted
----------
----------

**************************************************
04:29:08 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1004032 bytes
Created: 7/17/2003
Modified: 8/29/2002
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
22016 bytes
Created: 9/30/2001
Modified: 8/29/2002
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\System32\logonui.exe
504320 bytes
Created: 7/17/2003
Modified: 8/29/2002
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Trojan Remover\Trjscan.exe
878672 bytes
Created: 9/25/2008
Modified: 6/3/2008
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

**************************************************
04:29:09 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

**************************************************
04:29:09 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

**************************************************
04:29:10 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
219648 bytes
Created: 7/17/2003
Modified: 8/29/2002
Company: Microsoft Corporation
--------------------

**************************************************
04:29:10 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

**************************************************
04:29:11 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: AppMgmt
%SystemRoot%\System32\appmgmts.dll - file is globally excluded (file cannot be found)
--------------------
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------
Key: WmdmPmSp
Path: C:\WINDOWS\System32\mspmspsv.dll
C:\WINDOWS\System32\mspmspsv.dll
47104 bytes
Created: 9/30/2001
Modified: 8/18/2001
Company: Microsoft Corporation
--------------------
Key: wuauserv
Path: C:\WINDOWS\System32\wuauserv.dll
C:\WINDOWS\System32\wuauserv.dll
9216 bytes
Created: 7/17/2003
Modified: 8/29/2002
Company: Microsoft Corporation
--------------------

**************************************************
04:29:13 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: ALCXWDM
ImagePath: system32\drivers\ALCXWDM.SYS
C:\WINDOWS\system32\drivers\ALCXWDM.SYS
271981 bytes
Created: 9/30/2001
Modified: 8/17/2001
Company: Avance Logic, Inc.
----------
Key: AN983
ImagePath: System32\DRIVERS\AN983.sys
C:\WINDOWS\System32\DRIVERS\AN983.sys
36224 bytes
Created: 9/30/2001
Modified: 8/29/2002
Company: ADMtek Incorporated.
----------
Key: catchme
ImagePath: \??\C:\DOCUME~1\E-MACH~1\LOCALS~1\Temp\catchme.sys - this file is globally excluded
----------
Key: CSIScanner
ImagePath: "C:\Program Files\PrevxCSI\prevxcsi.exe" /service
C:\Program Files\PrevxCSI\prevxcsi.exe
618040 bytes
Created: 9/25/2008
Modified: 9/25/2008
Company: Prevx
----------
Key: ms_mpu401
ImagePath: system32\drivers\msmpu401.sys
C:\WINDOWS\system32\drivers\msmpu401.sys
2944 bytes
Created: 9/29/2001
Modified: 8/17/2001
Company: Microsoft Corporation
----------
Key: nv4
ImagePath: System32\DRIVERS\nv4.sys
C:\WINDOWS\System32\DRIVERS\nv4.sys
731648 bytes
Created: 9/29/2001
Modified: 8/17/2001
Company: NVIDIA Corporation
----------
Key: pxark
ImagePath: System32\drivers\pxark.sys
C:\WINDOWS\System32\drivers\pxark.sys
17408 bytes
Created: 9/25/2008
Modified: 9/25/2008
Company: Prevx
----------
Key: qeppwsjh
ImagePath: system32\drivers\jxbnwbom.dat
C:\WINDOWS\system32\drivers\jxbnwbom.dat
18688 bytes
Created: 8/23/2008
Modified: 8/23/2008
Company:
C:\WINDOWS\system32\drivers\jxbnwbom.dat appears to be in-use/locked
C:\WINDOWS\system32\drivers\jxbnwbom.dat - this registry value could not be removed
[ACCESS ERROR]: unable to access the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\qeppwsjh\"ImagePath"
C:\WINDOWS\system32\drivers\jxbnwbom.dat - unable to take ownership/change permissions (file may not exist)
C:\WINDOWS\system32\drivers\jxbnwbom.dat - file backed up to C:\WINDOWS\system32\drivers\jxbnwbom.dat.vir
C:\WINDOWS\system32\drivers\jxbnwbom.dat - file has been neutralised
C:\WINDOWS\system32\drivers\jxbnwbom.dat - marked for renaming when the PC is restarted
----------
Key: rtl8139
ImagePath: System32\DRIVERS\RTL8139.SYS
C:\WINDOWS\System32\DRIVERS\RTL8139.SYS
23070 bytes
Created: 9/29/2001
Modified: 8/17/2001
Company: Realtek Semiconductor Corporation
----------
Key: Secdrv
ImagePath: System32\DRIVERS\secdrv.sys
C:\WINDOWS\System32\DRIVERS\secdrv.sys
27440 bytes
Created: 9/30/2001
Modified: 8/18/2001
Company:
----------
Key: sr
ImagePath: \SystemRoot\System32\DRIVERS\sr.sys
C:\WINDOWS\System32\DRIVERS\sr.sys
69248 bytes
Created: 9/30/2001
Modified: 8/29/2002
Company: Microsoft Corporation
----------
Key: SwPrv
ImagePath: C:\WINDOWS\System32\dllhost.exe /Processid:{39A9FCBA-5264-40FE-8918-2C92BEAA9E83}
C:\WINDOWS\System32\dllhost.exe
4608 bytes
Created: 9/30/2001
Modified: 8/18/2001
Company: Microsoft Corporation
----------
Key: SYMIDSCO
ImagePath: \??\C:\WINDOWS\System32\Drivers\SYMIDSCO.SYS
C:\WINDOWS\System32\Drivers\SYMIDSCO.SYS [file not found to scan]
----------
Key: vsdatant
ImagePath: \??\C:\WINDOWS\System32\vsdatant.sys
C:\WINDOWS\System32\vsdatant.sys
141752 bytes
Created: 6/29/2008
Modified: 7/16/2002
Company: Zone Labs Inc.
----------
Key: vsmon
ImagePath: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service - this file is globally excluded
----------

**************************************************
04:30:56 PM: Scanning -----VXD ENTRIES-----
Checking the following VxD entries:
C:\WINDOWS\System32\JAVASUP.VXD
7315 bytes
Created: 5/19/2003
Modified: 2/28/2003
Company:
VxD Key = JAVASUP
----------
----------

**************************************************
04:30:56 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----

**************************************************
04:30:56 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: PropertiesPlus
CLSID: {0b95b7e0-c8b9-11cf-8f59-444553540000}
Path: C:\WINDOWS\System32\ShellExt\ppshlext.dll
C:\WINDOWS\System32\ShellExt\ppshlext.dll
18944 bytes
Created: 6/29/2008
Modified: 5/15/1998
Company: kish design
----------

**************************************************
04:30:56 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----

**************************************************
04:30:56 PM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {D69E4E92-1D8E-4649-B927-4A56AF723CB1}
BHO: C:\WINDOWS\System32\avica.dll
C:\WINDOWS\System32\avica.dll
91648 bytes
Created: 8/21/2008
Modified: 8/18/2001
Company:
----------
Key: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
BHO: C:\Program Files\Microsoft Money\System\mnyviewer.dll
C:\Program Files\Microsoft Money\System\mnyviewer.dll
143420 bytes
Created: 7/25/2001
Modified: 7/25/2001
Company: Microsoft Corporation
----------

**************************************************
04:30:57 PM: Scanning ----- SHELLSERVICEOBJECTS -----
Key: WebCheck
CLSID: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Path: %SystemRoot%\System32\webcheck.dll
C:\WINDOWS\System32\webcheck.dll
258048 bytes
Created: 7/17/2003
Modified: 8/29/2002
Company: Microsoft Corporation
----------

**************************************************
04:30:57 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

**************************************************
04:30:57 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

**************************************************
04:30:57 PM: Scanning ----- APPINIT_DLLS -----
APPINIT_DLLs entry not checked - could not open Key

**************************************************
04:30:57 PM: Scanning ----- SECURITY PROVIDER DLLS -----

**************************************************
04:30:57 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 9/29/2001
Modified: 9/30/2001
Company:
--------------------

**************************************************
04:30:57 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Administrator
[C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP]
The Startup Group for Administrator attempts to load the following file(s):
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 8/31/2008
Modified: 9/30/2001
Company:
----------
--------------------
Checking Startup Group for: E-Machine
[C:\Documents and Settings\E-Machine\START MENU\PROGRAMS\STARTUP]
The Startup Group for E-Machine attempts to load the following file(s):
C:\Documents and Settings\E-Machine\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 2/21/2001
Modified: 9/30/2001
Company:
----------
--------------------
Checking Startup Group for: Maryanne
[C:\Documents and Settings\Maryanne\START MENU\PROGRAMS\STARTUP]
The Startup Group for Maryanne attempts to load the following file(s):
C:\Documents and Settings\Maryanne\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 8/29/2008
Modified: 9/30/2001
Company:
----------
--------------------
Checking Startup Group for: Mike
[C:\Documents and Settings\Mike\START MENU\PROGRAMS\STARTUP]
The Startup Group for Mike attempts to load the following file(s):
C:\Documents and Settings\Mike\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 6/30/2008
Modified: 9/30/2001
Company:
----------
--------------------
Checking Startup Group for: Owner
[C:\Documents and Settings\Owner\START MENU\PROGRAMS\STARTUP]
The Startup Group for Owner attempts to load the following file(s):
C:\Documents and Settings\Owner\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 9/30/2001
Modified: 9/30/2001
Company:
----------

**************************************************
04:30:58 PM: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan

**************************************************
04:30:58 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\WINDOWS\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 9/30/2001
Modified: 9/30/2001
Company:
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 9/30/2001
Modified: 9/30/2001
Company:
----------
Additional file checks completed

**************************************************
04:31:00 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
--------------------
C:\WINDOWS\system32\csrss.exe
--------------------
C:\WINDOWS\system32\winlogon.exe
--------------------
C:\WINDOWS\system32\services.exe
--------------------
C:\WINDOWS\system32\lsass.exe
--------------------
C:\WINDOWS\system32\svchost.exe
--------------------
C:\Program Files\PrevxCSI\prevxcsi.exe
--------------------
C:\Program Files\PrevxCSI\prevxcsi.exe
--------------------
C:\WINDOWS\Explorer.EXE
--------------------
C:\Documents and Settings\E-Machine\Application Data\Simply Super Software\Trojan Remover\nkc1.exe
FileSize: 2486848
[This is a Trojan Remover component]
--------------------
--------------------

**************************************************
04:31:02 PM: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file

**************************************************
04:31:02 PM: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\System32
No malicious entries were found in the AUTOEXEC.NT file

**************************************************
04:31:02 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file

**************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
Live Search
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
Sign In
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
Live Search
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
Google
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
Live Search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
Live Search

**************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 04:31:02 PM 25 Sep 2008
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
9/25/2008 04:31:17 PM: restart commenced
************************************************************
 
Well, that's good. Post a new HijackThis log; it may have uncovered other items.

About your CD drive: can you see it, or can you not see it? When you press the power button, does it open? Have you uninstalled it yet?
 
OK, here is the new HJ log. Like I said when I first started this post, this thing even disabled the CD drive. I can't get to it. It says Data on this is the main computer S:, which is really D:. The picture of it has a red line on the bottom. After I got the HJ log I deleted avica again, both of them. So I guess they just regenerate on restart. I also can't delete the TDSSserv reference in the registry. Man, this thing just won't let you delete any of its files.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:06:23 AM, on 9/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\WINDOWS\System32\avica.dll
O2 - BHO: (no name) - {D89A9DD5-24A3-46E1-AF99-18F6105BDB3D} - C:\WINDOWS\System32\avica.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe

--
End of file - 2076 bytes
 
OK, in the first log you posted there was only one avica entry; now there are two. So run ComboFix again and see what happens...

And make sure it's not running under msconfig > Startup; if so, uncheck it and restart.
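As an added example (not code from this thread, nor from the HijackThis/Trend Micro project): a small Python helper that parses the O2 (BHO) lines of two HijackThis logs, reports which CLSIDs appeared between them, and flags the pattern the reply above points at, the same DLL registered under more than one CLSID. The two sample logs are constructed here from the entries shown in the thread; the flagging heuristics are this example's own assumptions, not HijackThis's rules.

```python
"""Added example: triage the O2 (BHO) lines of HijackThis logs.

Parses the O2 entries, diffs two logs by CLSID, and flags entries that match
the re-registration pattern discussed in the thread (one DLL under several
CLSIDs). The two sample logs below are constructed from the thread's entries;
the heuristics are this example's assumptions, not HijackThis's own rules.
"""
import re
from collections import defaultdict

# HijackThis O2 line shape: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# A DLL sitting directly in %SystemRoot%\System32 rather than in a product folder.
SYSTEM32_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)

# Constructed sample: the O2 lines from the 9/24 and 9/28 logs in the thread.
LOG_SEP24 = """\
O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\\WINDOWS\\System32\\avica.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\\Program Files\\Microsoft Money\\System\\mnyviewer.dll
"""
LOG_SEP28 = """\
O2 - BHO: (no name) - {D69E4E92-1D8E-4649-B927-4A56AF723CB1} - C:\\WINDOWS\\System32\\avica.dll
O2 - BHO: (no name) - {D89A9DD5-24A3-46E1-AF99-18F6105BDB3D} - C:\\WINDOWS\\System32\\avica.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\\Program Files\\Microsoft Money\\System\\mnyviewer.dll
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
"""


def parse_bhos(log_text):
    """Return {CLSID (upper-cased): (name, dll_path)} for every O2 line."""
    bhos = {}
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos[m.group("clsid").upper()] = (m.group("name"), m.group("path"))
    return bhos


def diff_bhos(old_log, new_log):
    """CLSIDs that appeared or disappeared between two logs of the same machine."""
    old, new = parse_bhos(old_log), parse_bhos(new_log)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}


def flag_bhos(log_text):
    """Return {CLSID: [reasons]} for BHOs that deserve a closer look.

    Reasons (heuristics assumed by this example):
      "no name"                  - HijackThis shows "(no name)"; weak on its own,
                                   legitimate BHOs (the Money one here) have none
      "dll directly in System32" - not installed in a product folder
      "same DLL under N CLSIDs"  - one DLL re-registered under several CLSIDs,
                                   the regeneration pattern seen between the logs
    """
    bhos = parse_bhos(log_text)
    clsids_by_path = defaultdict(list)
    for clsid, (_, path) in bhos.items():
        clsids_by_path[path.lower()].append(clsid)

    flags = {}
    for clsid, (name, path) in bhos.items():
        reasons = []
        if name.strip().lower() == "(no name)":
            reasons.append("no name")
        if SYSTEM32_DLL_RE.match(path):
            reasons.append("dll directly in System32")
        n = len(clsids_by_path[path.lower()])
        if n > 1:
            reasons.append("same DLL under %d CLSIDs" % n)
        if reasons:
            flags[clsid] = reasons
    return flags


if __name__ == "__main__":
    print("diff:", diff_bhos(LOG_SEP24, LOG_SEP28))
    for clsid, reasons in sorted(flag_bhos(LOG_SEP28).items()):
        print(clsid, "->", ", ".join(reasons))
```

Run on the two constructed logs, the diff reports the second avica CLSID as new, and both avica entries collect all three reasons while the Microsoft Money BHO collects only "no name", which is why a single "no name" hit should not be acted on by itself.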
 
ComboFix 08-08-29.01 - E-Machine 2008-09-28 13:54:11.3 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-25 18:38 . 2008-09-25 18:47 <DIR> d-------- C:\Program Files\Registry Easy
2008-09-25 16:27 . 2008-09-25 16:27 <DIR> d-------- C:\Program Files\Trojan Remover
2008-09-25 16:27 . 2008-09-25 16:27 <DIR> d-------- C:\Documents and Settings\E-Machine\Application Data\Simply Super Software
2008-09-25 16:27 . 2008-09-28 02:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-25 16:27 . 2008-09-25 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-09-25 16:27 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-09-25 16:27 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-09-25 16:27 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-09-25 16:27 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-09-25 16:27 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-09-25 14:07 . 2008-09-25 14:07 <DIR> d-------- C:\Program Files\PrevxCSI
2008-09-25 14:07 . 2008-09-25 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-25 14:07 . 2008-09-25 14:07 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-09-24 15:41 . 2008-09-24 15:41 <DIR> d-------- C:\Program Files\Remove on Reboot
2008-09-24 14:55 . 2008-09-25 18:16 <DIR> d-------- C:\!KillBox
2008-09-23 22:01 . 2008-09-24 16:19 214 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-23 20:03 . 2008-09-23 20:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-23 20:02 . 2008-09-23 20:02 <DIR> d-------- C:\Documents and Settings\E-Machine\Application Data\Malwarebytes
2008-09-23 18:26 . 2008-09-23 18:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-23 18:26 . 2008-09-23 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-23 18:26 . 2008-09-23 18:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-23 18:26 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-23 18:26 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-23 17:30 . 2008-09-24 16:07 <DIR> d-------- C:\File split
2008-09-23 17:13 . 2008-09-23 17:13 <DIR> d-------- C:\VundoFix Backups
2008-08-31 21:21 . 2008-08-31 21:21 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\TmpRecentIcons
2008-08-31 20:41 . 2001-09-30 05:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-08-31 20:41 . 2008-08-31 20:41 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-29 19:57 . 2001-09-30 05:18 <DIR> d-------- C:\Documents and Settings\Maryanne\Application Data\InterTrust
2008-08-29 19:57 . 2008-08-29 19:57 <DIR> d-------- C:\Documents and Settings\Maryanne
2008-08-29 19:50 . 2008-08-29 19:50 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll
2008-08-29 19:49 . 2008-08-29 19:22 94,208 --a------ C:\WINDOWS\rvoelbxt.exe
2008-08-28 21:16 . 2008-08-28 21:16 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 01:17 114,176 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-09-01 01:17 101,888 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-08-29 21:15 53,248 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-08-29 21:13 110,592 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-08-28 21:11 99,840 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-08-28 21:11 23,040 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-08-28 03:06 22,016 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-08-27 21:28 23,552 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-08-27 21:25 99,840 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-08-27 01:27 12,800 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-08-27 01:24 99,840 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-08-27 01:24 39,936 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-08-27 01:18 99,840 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-08-24 19:00 99,840 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-08-24 19:00 246,272 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-08-23 12:41 5,120 ----a-w C:\WINDOWS\system32\drivers\apdzhfaw.dat
2008-08-10 22:49 93,184 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-08-10 22:49 16,896 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-08-10 19:51 35,328 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-08-10 19:24 93,184 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-08-10 16:07 37,376 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-08-10 13:50 93,184 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-08 17:42 93,184 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-08-08 17:42 226,304 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-07-23 18:44 86,528 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-07-23 18:44 694,784 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2003-12-30 18:09 1,648 ----a-w C:\Program Files\INSTALL.LOG
.

------- Sigcheck -------

2001-08-18 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\system32\svchost.exe
2001-08-18 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\system32\dllcache\svchost.exe

2002-08-29 06:41 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\ServicePackFiles\i386\user32.dll
2005-03-02 14:20 561152 74202eb1bd67e8be9509e38c8d2234b0 C:\WINDOWS\SoftwareDistribution\Download\58bffe479c581eda56fcf7412cce5cc0\sp1qfe\user32.dll
2003-09-25 12:49 560128 32173306185f603e75c477e117f3bb8d C:\WINDOWS\system32\user32.dll
2003-09-25 12:49 560128 32173306185f603e75c477e117f3bb8d C:\WINDOWS\system32\dllcache\user32.dll

2006-08-16 08:14 70656 7b6a08441a4f11320421599d7ecf8d41 C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\SP1QFE\ws2_32.dll
2001-08-18 08:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\system32\ws2_32.dll
2001-08-18 08:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\system32\dllcache\ws2_32.dll

2002-08-29 06:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-06-23 11:33 575488 7e7760c7f263ec7a740ee265b263f770 C:\WINDOWS\SoftwareDistribution\Download\a6392ee21d2c4ac260d9625143b6b111\rtmgdr\wininet.dll
2006-06-23 14:29 587776 40f777875dfa05cd61fd1e8a593be8e9 C:\WINDOWS\SoftwareDistribution\Download\a6392ee21d2c4ac260d9625143b6b111\RTMQFE\wininet.dll
2002-08-29 06:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\system32\wininet.dll
2002-08-29 06:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\system32\dllcache\wininet.dll

2002-08-29 04:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2006-04-20 07:38 340480 b8158e2a6112c0a5ca67bc158fc70218 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\SP1QFE\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\SP2GDR\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\SP2QFE\tcpip.sys
2002-08-29 04:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\system32\drivers\tcpip.sys

2002-08-29 06:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2002-08-29 06:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\system32\winlogon.exe
2002-08-29 06:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\system32\dllcache\winlogon.exe

2002-08-29 05:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2002-08-29 05:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\system32\drivers\ndis.sys

2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2002-08-29 04:04 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 C:\WINDOWS\system32\ntkrnlpa.exe

2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2002-08-29 05:03 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 C:\WINDOWS\system32\ntoskrnl.exe

2002-08-29 06:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\explorer.exe
2002-08-29 06:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2002-08-29 06:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\system32\dllcache\explorer.exe

2001-08-18 08:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\system32\services.exe
2001-08-18 08:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\system32\dllcache\services.exe

2002-08-29 06:41 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2002-08-29 06:41 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\system32\lsass.exe

2002-08-29 06:41 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2002-08-29 06:41 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\system32\ctfmon.exe

2005-06-10 19:55 53248 6b4bf97957a0b8795811975d4bf1acfe C:\WINDOWS\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp1qfe\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe
2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2qfe\spoolsv.exe
2001-08-18 08:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\system32\spoolsv.exe
2001-08-18 08:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\system32\dllcache\spoolsv.exe

2002-08-29 06:41 22016 e931e0a2b8bf0019db902e98d03662cb C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2002-08-29 06:41 22016 e931e0a2b8bf0019db902e98d03662cb C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm.lnk
backup=C:\WINDOWS\pss\ZoneAlarm.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
--a------ 2008-06-03 20:33 878672 C:\Program Files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSp"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"vsmon"=2 (0x2)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"uploadmgr"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"MDM"=2 (0x2)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"cisvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=2 (0x2)

.
Contents of the 'Scheduled Tasks' folder

2008-09-25 C:\WINDOWS\Tasks\Schedule Task Weekly.job
- C:\Program Files\Registry Easy\RE.exe [2008-09-23 16:30]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\E-Machine\Application Data\Mozilla\Firefox\Profiles\ibb7u1wh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - Google
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 13:54:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
.
Completion time: 2008-09-28 13:57:46
ComboFix-quarantined-files.txt 2008-09-28 17:57:40
ComboFix2.txt 2008-09-25 23:35:37

Pre-Run: 34,565,320,704 bytes free
Post-Run: 34,556,989,440 bytes free

232 --- E O F --- 2008-09-01 00:39:24