Need Help with win 32 onlinegames-bdn

Hello. I don't know how this trojan could get into my notebook...
I hope someone in this forum can help me. In my next post I will post the ComboFix log and HJT log in case they're needed. Thanks, pal.

Note: I will be gone for 4 days starting tonight. I will check this topic as soon as I get back to my notebook. Thanks, pal... and by the way... when I ran ComboFix, which I downloaded from a link in another post, my Avast alerted me about win 32 dadora (if I'm not spelling the name wrong).

Sorry for my bad English.

ComboFix 07-10-11.1 - Personal 2007-10-11 15:46:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.249 [GMT 7:00]
Running from: C:\Documents and Settings\Personal\Desktop\ComboFix.exe

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-11 15:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-11 14:45 d-------- C:\WINDOWS\LastGood
2007-10-11 07:18 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-11 07:09 d-------- C:\Program Files\Winamp
2007-10-11 07:08 7,467,056 --a------ C:\spybotsd15.exe
2007-10-11 04:19 7,575,536 --a------ C:\winamp55_1550_beta_full.exe
2007-10-11 03:36 407,680 --a------ C:\aswclnr.exe
2007-10-09 12:49 d-------- C:\search.php_files
2007-10-08 13:29 86,506 -r-hs---- C:\ntde1ect.com
2007-10-08 13:28 86,506 -r-hs---- C:\WINDOWS\system32\avpo.exe
2007-10-08 13:28 27,116 -r-hs---- C:\WINDOWS\system32\avpo0.dll
2007-09-28 13:54 d-------- C:\ASC KombiS
2007-09-25 13:35 d-------- C:\Documents and Settings\Personal\Application Data\Palo Alto Software
2007-09-25 13:35 d-------- C:\Documents and Settings\Personal\Application Data\Palo Alto Software
2007-09-25 13:35 d-------- C:\Documents and Settings\Personal\Application Data\Palo Alto Software
2007-09-25 13:34 d-------- C:\Program Files\Palo Alto Software
2007-09-25 13:34 d-------- C:\Program Files\Common Files\Palo Alto Software
2007-09-25 13:34 d-------- C:\Documents and Settings\All Users\Application Data\Palo Alto Software
2007-09-25 13:31 d-------- C:\Documents and Settings\All Users\Application Data\PAS
2007-09-25 09:27 d-------- C:\WINDOWS\trans3detik
2007-09-19 16:40 d-------- C:\wtaf Vid
2007-09-17 16:11 d-------- C:\ti2p foto depart
2007-09-17 11:44 d-------- C:\AirStrike 3D
2007-09-11 14:38 d-------- C:\Program Files\Common Files\WexTech Shared
2007-09-11 14:38 d-------- C:\Program Files\Common Files\Peach
2007-09-11 14:38 d-------- C:\Program Files\Common Files\LHSPF
2007-09-11 14:38 d-------- C:\Peachw

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 08:44 --------- d-----w C:\Documents and Settings\Personal\Application Data\SiteAdvisor
2007-10-11 08:44 --------- d-----w C:\Documents and Settings\Personal\Application Data\SiteAdvisor
2007-10-11 08:44 --------- d-----w C:\Documents and Settings\Personal\Application Data\SiteAdvisor
2007-10-10 20:38 --------- d-----w C:\Program Files\Java
2007-10-08 05:10 --------- d-----w C:\Documents and Settings\Personal\Application Data\U3
2007-10-08 05:10 --------- d-----w C:\Documents and Settings\Personal\Application Data\U3
2007-10-08 05:10 --------- d-----w C:\Documents and Settings\Personal\Application Data\U3
2007-09-26 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-26 03:24 --------- d-----w C:\Program Files\RF Online
2007-09-25 06:34 --------- d-----w C:\Program Files\Common Files\Intuit
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-06 09:01 --------- d-----w C:\Program Files\LimeWire
2007-09-06 05:07 --------- d-----w C:\Program Files\Canon
2007-09-06 03:24 --------- d-----w C:\Program Files\Google
2007-09-03 09:54 --------- d-----w C:\Program Files\Jun
2007-08-29 14:34 --------- d-----w C:\Program Files\AyoDance
2007-08-29 08:19 --------- d-----w C:\Program Files\GameHouse
2007-08-27 09:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\55-55-55-55-55-55
2007-08-15 07:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-08-15 07:18 --------- d-----w C:\Program Files\Notebook Maximizer
2007-08-15 07:18 --------- d-----w C:\Program Files\Microsoft Works
2007-08-15 07:18 --------- d-----w C:\Program Files\JetAudio
2007-08-15 07:18 --------- d-----w C:\Program Files\FireTune
2007-08-15 07:18 --------- d-----w C:\Program Files\Acala DVD 3gp Ripper
2007-08-15 07:18 --------- d-----w C:\Program Files\Acala 3GP Movies Free
2007-08-14 09:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-11 06:31 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 06:31 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-07-30 12:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 12:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 12:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 12:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 12:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 12:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 12:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 12:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 12:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 12:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-23 10:11 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-07-14 06:12 45,509 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2007-06-18 15:50 128 --sha-w C:\Program Files\desktop.ini
2007-06-20 14:36:04 1,752,608 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-20 14:36:04 18,976 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-01-27 09:03]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-27 09:03]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-31 06:46]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-04 06:01]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-19 01:20 C:\WINDOWS\agrsmmsg.exe]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2004-02-26 04:12]
"000StTHK"="000StTHK.exe" [2001-06-24 10:28 C:\WINDOWS\system32\000StTHK.exe]
"TFncKy"="TFncKy.exe"
"TFNF5"="TFNF5.exe" [2003-12-03 04:15 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2004-03-04 02:57 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-04 04:47]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-03-03 03:45]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 08:00]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 16:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 23:44]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 17:06]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-28 10:24]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 08:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:56]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe"
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-09-05 15:18]
"avpa"="C:\WINDOWS\system32\avpo.exe" [2007-09-19 06:57]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\Personal\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-17 09:16:50]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-21 00:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 18:44:06]
Palo Alto Software Update Manager 9.0.lnk - C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe [2006-09-05 15:55:24]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-04-08 01:47:35]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-11-21 14:50 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll 2003-12-17 06:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

S3 s116bus;Sony Ericsson Device 116 driver (WDM);C:\WINDOWS\system32\DRIVERS\s116bus.sys
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s116mdm.sys
S3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s116mgmt.sys
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);C:\WINDOWS\system32\DRIVERS\s116nd5.sys
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s116obex.sys
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);C:\WINDOWS\system32\DRIVERS\s116unic.sys
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE27bus.sys
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE27mdm.sys
S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys
S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS);C:\WINDOWS\system32\DRIVERS\se27nd5.sys
S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE27obex.sys
S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM);C:\WINDOWS\system32\DRIVERS\se27unic.sys
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter_i386.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{20938f52-5abf-11dc-b965-00038a000015}]
1\Command - F:.\rundll.exe
2\Command - F:.\Rundll.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\Rundll.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{28cee192-5f82-11dc-b974-00038a000015}]
1\Command - .\recycled\info.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{434ed7b0-5d39-11dc-b96d-00038a000015}]
1\Command - .\rundll.exe
2\Command - .\Rundll.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\Rundll.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{610b8202-4a1b-11dc-b949-000e3547d722}]
AutoRun\command - RavMon.exe
explore\Command - RavMon.exe -e
open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{61220610-5de5-11dc-b970-00038a000015}]
1\Command - .\rundll.exe
2\Command - .\Rundll.exe
AutoRun\command - .\rundll.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{76c74d98-6120-11dc-b978-00038a000015}]
AutoRun\command - E:\cintia.ico

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8aa2a6f4-2e96-11dc-b913-00038a000015}]
1\Command - .\recycled\info.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8ac9d021-4725-11dc-b941-00038a000015}]
1\Command - .\rundll.exe
2\Command - .\Rundll.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\Rundll.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8c6ca4f2-12d0-11dc-b8bc-00038a000015}]
Auto\command - infrom.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8e548a23-3420-11dc-b91e-00038a000015}]
1\Command - E:.\recycled\info.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{a84d4118-5145-11dc-b955-00038a000015}]
1\Command - .\recycled\info.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c993dad2-1be0-11dc-b8e3-00038a000015}]
AutoRun\command - E:\ntde1ect.com
explore\Command - E:\ntde1ect.com
open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{cfa528d2-5b77-11dc-b967-00038a000015}]
AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{da1c95f2-12e8-11dc-b8be-000e7bdd5315}]
1\Command - .\recycled\info.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{df5d2af0-4235-11dc-b932-00038a000015}]
1\Command - F:.\rundll.exe
2\Command - F:.\Rundll.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\Rundll.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e224be72-117a-11dc-b8ac-00038a000015}]
1\Command - .\recycled\info.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ed575110-6bf5-11dc-b9a5-00038a000015}]
AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{f66fc120-2515-11dc-b8f6-00038a000015}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fdafefad-1ccf-11dc-b8eb-00038a000015}]
1\Command - .\recycled\info.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fe0ddfe2-4fcb-11dc-b953-00038a000015}]
AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fe0ddfe3-4fcb-11dc-b953-00038a000015}]
AutoRun\command - G:\ntde1ect.com
explore\Command - G:\ntde1ect.com
open\Command - G:\ntde1ect.com

Newly Created Service - CATCHME
.


catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 15:48:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


.
Completion time: 2007-10-11 15:49:33
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 4:04:42 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Jun\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://redirect.zonelabs.com/redirect/route?oem=1043&prod=5&mode=1000&app=inclient&version=6.0.631.003&lang=en&locale=en-US&date=1367256704&link_id=4&dest=whats_new
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.petra.ac.id:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.petra.ac.id;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM..\Run: [TFncKy] TFncKy.exe
O4 - HKLM..\Run: [TFNF5] TFNF5.exe
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Based on the C:\Autorun.inf and F:\Autorun.inf files being present, it is likely that this came from a USB drive. Autorun.inf files are normally only found on removable media and not on fixed HDDs like C:.

What is drive F:\ on your system?

If ComboFix saves copies (in quarantine) of the deletions, you can open C:\Autorun.inf using Notepad (it is just a text file); inside it there will be command lines with files to be loaded/executed (but you probably won't be able to do that if it is quarantined). Can you paste the contents of the .inf files?

Sorry I don’t have the tools to help with the analysis of your combofix log, so I will have to leave that to someone else.
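The reply above points out that an Autorun.inf carries the commands Windows runs when a drive is opened, and the ComboFix log's MountPoints2 section records those per-drive handlers after the media is gone. As an added example (not code from the thread or from ComboFix), here is a small Python triage helper that parses both and flags the launch targets a defender would look at first; the sample Autorun.inf and MountPoints2 excerpt are constructed to match the shapes seen in the log, with placeholder GUIDs.

```python
"""Triage helper for Autorun.inf files and ComboFix MountPoints2 residue (added example)."""

# Constructed sample Autorun.inf, hypothetical content modelled on the thread's log
# (ntde1ect.com registered as the open/explore handler). Not the poster's real file.
SAMPLE_AUTORUN_INF = """[autorun]
open=ntde1ect.com
shellexecute=ntde1ect.com
shell\\open\\Command=ntde1ect.com
shell\\explore\\Command=ntde1ect.com
icon=setup.ico
"""

# Constructed MountPoints2 excerpt in ComboFix's layout. GUIDs are placeholders.
SAMPLE_MOUNTPOINTS2 = """[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2{00000000-0000-0000-0000-000000000001}]
AutoRun\\command - E:\\ntde1ect.com
open\\Command - E:\\ntde1ect.com

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2{00000000-0000-0000-0000-000000000002}]
1\\Command - .\\recycled\\info.exe
AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\\recycled\\info.exe

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2{00000000-0000-0000-0000-000000000003}]
AutoRun\\command - E:\\LaunchU3.exe -a
"""

# Legitimate Windows file names that the names in the log imitate (ntde1ect.com, rundll.exe).
LEGIT_NAMES = ("ntdetect.com", "rundll32.exe")
# Executable types that have no business sitting in the root of a USB stick.
RISKY_EXT = (".com", ".pif", ".scr", ".bat", ".cmd")


def levenshtein(a, b):
    """Edit distance, used to spot near-miss spellings of system file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def launch_target(command):
    """Return the file a handler command really launches.

    ComboFix shows indirect launches as 'RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <file>';
    the real target is the last token in that case, otherwise the first token.
    """
    tokens = command.strip().split()
    if not tokens:
        return ""
    return tokens[-1] if "shellexec_rundll" in command.lower() else tokens[0]


def assess(target):
    """Return the list of reasons a launch target looks suspicious (empty if none)."""
    reasons = []
    path = target.replace("/", "\\").lower()
    name = path.split("\\")[-1]
    if "\\recycled\\" in path:
        reasons.append("launched from a Recycled folder")
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in RISKY_EXT:
        reasons.append("executable type %s on removable media" % ext)
    # Digit-for-letter substitution is the usual disguise (1 for l, 0 for o).
    normalised = name.replace("1", "l").replace("0", "o")
    for legit in LEGIT_NAMES:
        if name != legit and levenshtein(normalised, legit) <= 2:
            reasons.append("name imitates Windows file %s" % legit)
    return reasons


def parse_autorun_inf(text):
    """Collect the launch commands registered under [autorun]: open, shellexecute, shell\\<verb>\\command."""
    commands, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            commands[key] = value
    return commands


def parse_mountpoints2(log_text):
    """Yield (registry key, subkey, command) triples from a ComboFix MountPoints2 section."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "mountpoints2" in line.lower():
            key = line[1:-1]
        elif key and " - " in line:
            subkey, command = line.split(" - ", 1)
            entries.append((key, subkey, command))
    return entries


def triage(autorun_text, mountpoints_text):
    """List (source, target, reasons) for every launch target that trips a heuristic."""
    hits = []
    for key, cmd in parse_autorun_inf(autorun_text).items():
        target = launch_target(cmd)
        reasons = assess(target)
        if reasons:
            hits.append(("Autorun.inf " + key, target, reasons))
    for regkey, subkey, cmd in parse_mountpoints2(mountpoints_text):
        target = launch_target(cmd)
        reasons = assess(target)
        if reasons:
            hits.append((regkey[regkey.rfind("{"):] + " " + subkey, target, reasons))
    return hits


if __name__ == "__main__":
    for source, target, reasons in triage(SAMPLE_AUTORUN_INF, SAMPLE_MOUNTPOINTS2):
        print("%s -> %s: %s" % (source, target, "; ".join(reasons)))
```

On the sample input the U3 launcher (LaunchU3.exe) is left alone while every ntde1ect.com and recycled\info.exe handler is reported, which mirrors what the MountPoints2 section of the log above would produce.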