win32 malware


mosor
12-06-2008, 06:29 AM
Hi all, I have this problem, please help:

(note that I know some hardware but not much about software)

I ran dual boot XP/XP and my "main" Windows began to slow down and then froze. Tried to reboot in there but the OS froze right away. In the other XP I can't see one of my HDDs in "My Computer" (it looked empty and now it writes: "D:\Resycled\boot.com is not a valid WIN32 application"). In Windows Explorer, however, I can see and work with the HDD.

I have run a lot of antispyware/antivirus programs to no avail.:(

classicsoftware
12-06-2008, 10:04 AM
Welcome to the PCGuide forums...


Please read this thread (http://www.pcguide.com/vb/showthread.php?t=60009) and post a fresh Hijackthis log.

mosor
12-06-2008, 03:23 PM
Thanks for the reply. I try not to take other people's time, so I did some extensive searching and, using some tutorials, I deleted files, also from the registry, but nothing.

So I reinstalled the XP but when I clicked a HDD (not the one with the second OS), I got the same message. Then I formatted the HDD with the second OS.

Spybot found three problems, fixed two of them but not that one:

(SBI $72640A46)Program directory
C:\resycled\

"...the associated files are still in use (in memory). This could be fixed after a restart."

Didn't fix it. A My Computer search couldn't find "resycled" or "boot com" (in the non-hidden folders).

Maybe I should mention that in the deleted OS, Spybot found first Win32 and then, on a second scan, zlob dns changer.

I will post the log tomorrow, thanks again.

mosor
12-07-2008, 08:03 AM
On the last scan Spybot and Avira found nothing but the problem persists, so I'm posting the log. I kept the OS as clean as possible, thank you for your time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:30 AM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Windows Media Player\wmplayer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\mosorel\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] F:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] F:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] F:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] F:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe

--
End of file - 3961 bytes

P.S. I have only six processes in the startup, the option "enable all" is disabled.
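
The O4 lines are the part of this log a helper reads first. As an added example (not part of HijackThis, ComboFix or anyone's post in this thread), the Python below parses O4 lines and flags the two patterns visible above: autostart values registered under the service hives (HKUS\S-1-5-18/19/20 and HKUS\.DEFAULT), and RunOnce commands that go through cmd.exe to move a file over a DLL in System32. The interpreter list and the "rewrites System32" rule are this example's own heuristics, not HijackThis rules; the sample lines are copied from the log above.

```python
"""Triage HijackThis O4 (autostart) lines.

Added example for this thread; not part of HijackThis or of the original
posts. It encodes two things a helper reads off the log above:
  * Run values under the service hives (HKUS\S-1-5-18/19/20) and
    HKUS\.DEFAULT, which consumer software does not normally write to;
  * RunOnce commands that go through cmd.exe to move a file over a DLL in
    System32 (the nlsf entry renaming syssetub.dll to syssetup.dll).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

PRIVILEGED_HIVES = ("HKUS\\S-1-5-18", "HKUS\\S-1-5-19", "HKUS\\S-1-5-20", "HKUS\\.DEFAULT")
# Heuristic list for this example: autostart values that run one of these
# instead of a program path deserve to have their command line read.
INTERPRETERS = ("cmd.exe", "wscript", "cscript", "rundll32", "regsvr32", "mshta")
# O4 - <hive>\..\<Run|RunOnce>: [<name>] <command> (User '<account>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass(frozen=True)
class Finding:
    name: str
    hive: str
    key: str
    reasons: tuple


def parse_o4(line):
    """Split one O4 line into its fields, or return None for other lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_o4(lines):
    """Return a Finding for every O4 entry that deserves a closer look."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if entry["hive"].startswith(PRIVILEGED_HIVES):
            reasons.append("autostart registered under a service/system hive")
        cmd = entry["cmd"].lower()
        if any(tool in cmd for tool in INTERPRETERS):
            reasons.append("value runs an interpreter instead of a program path")
        if re.search(r"\b(move|copy|ren|del)\b.*system32", cmd):
            reasons.append("command rewrites a file under System32")
        if reasons:
            findings.append(Finding(entry["name"], entry["hive"], entry["key"], tuple(reasons)))
    return findings


def hives_per_name(findings):
    """Group flagged values by name: one value replicated into every hive is a
    persistence pattern worth noting in its own right."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.name].add(f.hive)
    return {name: sorted(hives) for name, hives in grouped.items()}


# O4 lines copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [msnsc] F:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] F:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] F:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] F:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
""".strip().splitlines()

if __name__ == "__main__":
    found = triage_o4(SAMPLE_LOG)
    for f in found:
        print(f"[{f.key}] {f.hive} {f.name}: " + "; ".join(f.reasons))
    print(hives_per_name(found))
```

A hit means "read this entry", not "malware": the tscuninstall RunOnce that appears under the same SYSTEM hive in the later logs is a legitimate entry, which is why the script reports reasons rather than verdicts.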

classicsoftware
12-07-2008, 09:27 AM
First: Disable Tea Timer

Turn off TeaTimer to remove those entries. Open Spybot S&D in advanced mode, click Tools > Resident, and remove the check from "Resident Tea-Timer". Reboot after unchecking the entry.


Second:
How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Third:

Please do the following:


Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop). Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you.


Note:

Do not mouseclick Combofix's window while it is running. That may cause the program to stall...

Fourth:


Re-boot the system
Post the Combofix Log
Post the MBAM log
Post a new HJT log
Tell us how the system is running.

mosor
12-07-2008, 10:26 AM
ComboFix 08-12-06.06 - mosorel 2008-12-07 14:07:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1623 [GMT 0:00]
Running from: f:\documents and settings\mosorel\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\resycled
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com
E:\Autorun.inf
E:\resycled
e:\resycled\boot.com
I:\autorun.inf
I:\resycled
i:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 14:01 . 2008-12-07 14:01 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware
2008-12-07 14:01 . 2008-12-03 19:52 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 14:01 . 2008-12-03 19:52 15,504 --a------ f:\windows\system32\drivers\mbam.sys
2008-12-07 12:22 . 2008-12-07 12:22 <DIR> d-------- f:\documents and settings\mosorel\Application Data\Malwarebytes
2008-12-07 12:22 . 2008-12-07 12:22 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 11:52 . 2008-12-07 11:52 <DIR> d-------- F:\HJT
2008-12-06 19:08 . 2008-12-06 19:08 <DIR> d-------- f:\windows\OPTIONS
2008-12-06 19:08 . 2008-12-06 19:08 <DIR> d-------- f:\documents and settings\mosorel\Application Data\InstallShield
2008-12-06 19:08 . 2006-12-14 08:44 85,120 -ra------ f:\windows\system32\drivers\Rtnicxp.sys
2008-12-06 19:08 . 2006-08-01 06:02 49,152 -r------- f:\windows\system32\ChCfg.exe
2008-12-06 19:07 . 2008-12-06 19:07 <DIR> d-------- f:\program files\Realtek
2008-12-06 19:06 . 2008-12-06 19:06 <DIR> d----c--- f:\windows\system32\DRVSTORE
2008-12-06 19:06 . 2008-12-06 19:06 <DIR> d-------- f:\program files\DIFX
2008-12-06 19:05 . 2008-12-06 19:05 15,600 --a------ f:\windows\gdrv.sys
2008-12-06 19:00 . 2008-12-06 19:00 <DIR> d-------- f:\program files\Common Files\ATI Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 13:47 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-06 19:09 --------- d-----w f:\program files\Spybot - Search & Destroy
2008-12-06 19:08 --------- d--h--w f:\program files\InstallShield Installation Information
2008-12-06 19:07 315,392 ----a-w f:\windows\HideWin.exe
2008-12-06 19:03 --------- d-----w f:\program files\ATI Technologies
2008-12-06 19:01 --------- d-----w f:\program files\Common Files\InstallShield
2008-12-06 18:47 --------- d-----w f:\program files\Microsoft ActiveSync
2008-12-06 18:44 107,132 ----a-w f:\windows\UninstallFirefox.exe
2008-12-06 18:44 --------- d-----w f:\program files\QuickTime Alternative
2008-12-06 18:44 --------- d-----w f:\documents and settings\All Users\Application Data\Apple Computer
2008-12-06 18:43 --------- d-----w f:\program files\Common Files\Adobe
2008-12-06 18:39 --------- d-----w f:\program files\Unlocker
2008-12-06 18:36 --------- d-----w f:\program files\MSN Messenger
2008-12-06 18:30 --------- d-----w f:\program files\CCleaner
2008-12-06 17:20 --------- d-----w f:\program files\Avira
2008-12-06 17:20 --------- d-----w f:\documents and settings\All Users\Application Data\Avira
2008-12-06 17:13 --------- d-----w f:\documents and settings\mosorel\Application Data\ATI
2008-12-06 17:13 --------- d-----w f:\documents and settings\All Users\Application Data\ATI
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="f:\program files\MSN Messenger\MsnMsgr.Exe" [2005-12-14 7095344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"avgnt"="f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 f:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="f:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=


*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - f:\documents and settings\mosorel\Application Data\Mozilla\Firefox\Profiles\vmuhv3at.default\
FF -: plugin - f:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 14:08:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
f:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-07 14:08:50
ComboFix-quarantined-files.txt 2008-12-07 14:08:48

Pre-Run: 20,572,909,568 bytes free
Post-Run: 20,563,795,968 bytes free

108

mosor
12-07-2008, 10:29 AM
Malwarebytes found nothing. However, I ran it a few hours ago (before seeing your post), so I'm posting that log:

(The problem was still there after that)

Malwarebytes' Anti-Malware 1.31
Database version: 1469
Windows 5.1.2600 Service Pack 2

12/7/2008 12:51:30 PM
mbam-log-2008-12-07 (12-51-30).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 118260
Time elapsed: 27 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnsc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\msnsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

mosor
12-07-2008, 10:31 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:45 PM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\mosorel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe

--
End of file - 3356 bytes

mosor
12-07-2008, 10:34 AM
I don't get that message anymore, it seems ComboFix did it. All my HDDs and partitions were infected (including a USB flash stick), except for the two I formatted.

Thank you very much, you're the man ! :)

Should I enable back the Tea Timer ?
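
The ComboFix deletions earlier in the thread (Autorun.inf and resycled\boot.com on D:, E: and I:) together with the "D:\Resycled\boot.com is not a valid WIN32 application" message when opening a drive in My Computer are consistent with one mechanism: an autorun.inf in each drive root pointing Explorer at a file in a folder whose name mimics the real Recycled folder, so every volume and removable device becomes a carrier. As an added example, not ComboFix's code or anything from the thread, the Python below inspects a drive root for that pattern: it parses the [autorun] section, resolves what the drive would launch, and flags target folders whose names are near misses of real system folders. The drive root it builds is constructed for the demo, and the autorun.inf contents are an assumption (the thread shows which files were deleted, not what the .inf said).

```python
"""Inspect a drive root for the autorun.inf pattern ComboFix removed above.

Added example for this thread; not ComboFix's code or the original poster's.
It parses the [autorun] section of an autorun.inf, resolves the launch
targets, and flags target folders whose names mimic a real system folder
(the thread's 'resycled' against the real 'Recycled'). The sample drive root
is constructed here; the autorun.inf text is an assumption, since the thread
shows the deleted files but not the .inf contents.
"""
import difflib
import re
import tempfile
from pathlib import Path

# [autorun] keys that make Explorer launch something on open/double-click.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Root-level folder names that genuinely exist on Windows volumes; a near
# miss ('resycled') is a hiding spot, not a typo.
SYSTEM_DIRS = ("recycled", "recycler", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section.

    Lines that are not 'key=value' are skipped rather than treated as errors,
    and the first occurrence of a key wins, so a file padded with comments or
    junk lines still yields its launch entries.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key and key not in entries:
                entries[key] = value.strip()
    return entries


def first_token(command):
    """Executable part of a command value: a quoted path or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def inspect_drive_root(root):
    """Describe what an autorun.inf at `root` would launch; None if there is none."""
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return None
    entries = parse_autorun(inf.read_text(errors="replace"))
    launches = {}
    for key in EXEC_KEYS:
        if key not in entries:
            continue
        target = first_token(entries[key])
        parts = [p for p in re.split(r"[\\/]", target) if p]
        parent = parts[-2].lower() if len(parts) > 1 else ""
        lookalike = None
        if parent and parent not in SYSTEM_DIRS:
            close = difflib.get_close_matches(parent, SYSTEM_DIRS, n=1, cutoff=0.8)
            lookalike = close[0] if close else None
        launches[key] = {
            "target": target,
            "exists": (root / "/".join(parts)).exists(),
            "lookalike_of": lookalike,
        }
    return {"inf": str(inf), "launches": launches}


def demo():
    """Build a constructed drive root matching ComboFix's deletion list
    (autorun.inf plus resycled\\boot.com) and inspect it."""
    root = Path(tempfile.mkdtemp(prefix="driveroot_"))
    (root / "resycled").mkdir()
    # Placeholder bytes only; nothing executable is written.
    (root / "resycled" / "boot.com").write_bytes(b"placeholder bytes, not a program")
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "; constructed for this example, not a recovered sample\n"
        "open=resycled\\boot.com\n"
        "shell\\open\\command=resycled\\boot.com\n"
    )
    return inspect_drive_root(root)


if __name__ == "__main__":
    report = demo()
    for key, info in report["launches"].items():
        print(f"{key} -> {info['target']} exists={info['exists']} lookalike_of={info['lookalike_of']}")
```

Run it against every mounted volume, removable media included: the thread's USB stick carried the same two files as the fixed disks, and a root that is clean on the system drive says nothing about the others.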

classicsoftware
12-07-2008, 01:52 PM
Please see if you can enable everything in MSCONFIG and then post another log....

mosor
12-07-2008, 02:48 PM
I can't enable the processes in the startup.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:32 PM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Winamp\winamp.exe
F:\Documents and Settings\mosorel\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "F:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe

--
End of file - 3525 bytes

The system works fine.

classicsoftware
12-07-2008, 03:04 PM
What is not activated?

mosor
12-07-2008, 10:35 PM
There are now 7 processes in there, used to be six. There are no processes greyed out, the enable all button is. I added two programs, Winamp and Nero, and it shows now "Winampa" and "Nero Check" in there. However, since I didn't uninstall anything shouldn't I have now 8 processes since I had 6 before running ComboFix? It seems one of them is gone, sorry I didn't note them down.

Here's my last Combofix:

ComboFix 08-12-06.06 - mosorel 2008-12-08 4:09:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1634 [GMT 2:00]
Running from: f:\documents and settings\mosorel\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 19:45 . 2008-12-07 19:45 <DIR> d-------- f:\program files\Paragon Software
2008-12-07 19:45 . 2006-08-23 14:10 4,239,360 --a------ f:\windows\system32\qtp-mt334.dll
2008-12-07 19:45 . 2006-08-23 14:10 30,808 --a------ f:\windows\system32\drivers\hotcore2.sys
2008-12-07 19:45 . 2006-08-23 14:10 8,192 --a------ f:\windows\system32\wnaspi32.dll
2008-12-07 19:38 . 2008-12-07 19:38 <DIR> d-------- f:\program files\uTorrent
2008-12-07 19:38 . 2008-12-07 19:45 <DIR> d-------- f:\documents and settings\mosorel\Application Data\uTorrent
2008-12-07 19:37 . 2008-12-07 19:37 <DIR> d-------- f:\program files\Mv2Player
2008-12-07 19:37 . 2008-12-07 19:37 <DIR> d-------- f:\program files\Common Files\Ahead
2008-12-07 19:37 . 2008-12-07 19:37 <DIR> d-------- f:\program files\Ahead
2008-12-07 19:37 . 2004-07-20 19:24 1,568,768 --------- f:\windows\system32\ImagX7.dll
2008-12-07 19:37 . 2004-07-20 19:24 476,320 --------- f:\windows\system32\ImagXpr7.dll
2008-12-07 19:37 . 2004-07-20 19:24 471,040 --------- f:\windows\system32\ImagXRA7.dll
2008-12-07 19:37 . 2004-07-09 11:43 364,544 --------- f:\windows\system32\TwnLib4.dll
2008-12-07 19:37 . 2004-07-20 19:24 262,144 --------- f:\windows\system32\ImagXR7.dll
2008-12-07 19:37 . 2001-07-09 13:50 155,648 --a------ f:\windows\system32\NeroCheck.exe
2008-12-07 19:37 . 2004-03-03 23:30 125,184 --------- f:\windows\system32\drivers\imagesrv.sys
2008-12-07 19:37 . 2000-06-26 13:45 106,496 --a------ f:\windows\system32\TwnLib20.dll
2008-12-07 19:37 . 2001-06-26 10:15 38,912 --------- f:\windows\system32\picn20.dll
2008-12-07 19:37 . 2004-03-03 23:30 5,504 --------- f:\windows\system32\drivers\imagedrv.sys
2008-12-07 19:36 . 2008-12-07 19:36 <DIR> d-------- f:\program files\ffdshow
2008-12-07 19:33 . 2008-12-07 19:34 <DIR> d-------- f:\program files\Winamp
2008-12-07 19:33 . 2008-12-07 19:39 <DIR> d-------- f:\documents and settings\mosorel\Application Data\Winamp
2008-12-07 16:01 . 2008-12-07 16:01 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware
2008-12-07 16:01 . 2008-12-03 21:52 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 16:01 . 2008-12-03 21:52 15,504 --a------ f:\windows\system32\drivers\mbam.sys
2008-12-07 14:22 . 2008-12-07 14:22 <DIR> d-------- f:\documents and settings\mosorel\Application Data\Malwarebytes
2008-12-07 14:22 . 2008-12-07 14:22 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 13:52 . 2008-12-07 13:52 <DIR> d-------- F:\HJT
2008-12-06 21:08 . 2008-12-06 21:08 <DIR> d-------- f:\windows\OPTIONS
2008-12-06 21:08 . 2008-12-06 21:08 <DIR> d-------- f:\documents and settings\mosorel\Application Data\InstallShield
2008-12-06 21:08 . 2006-12-14 10:44 85,120 -ra------ f:\windows\system32\drivers\Rtnicxp.sys
2008-12-06 21:08 . 2006-08-01 08:02 49,152 -r------- f:\windows\system32\ChCfg.exe
2008-12-06 21:07 . 2008-12-06 21:07 <DIR> d-------- f:\program files\Realtek
2008-12-06 21:06 . 2008-12-06 21:06 <DIR> d----c--- f:\windows\system32\DRVSTORE
2008-12-06 21:06 . 2008-12-06 21:06 <DIR> d-------- f:\program files\DIFX
2008-12-06 21:05 . 2008-12-06 21:05 15,600 --a------ f:\windows\gdrv.sys
2008-12-06 21:00 . 2008-12-06 21:00 <DIR> d-------- f:\program files\Common Files\ATI Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 02:06 --------- d-----w f:\program files\Spybot - Search & Destroy
2008-12-08 02:06 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 17:45 --------- d--h--w f:\program files\InstallShield Installation Information
2008-12-06 19:07 315,392 ----a-w f:\windows\HideWin.exe
2008-12-06 19:03 --------- d-----w f:\program files\ATI Technologies
2008-12-06 19:01 --------- d-----w f:\program files\Common Files\InstallShield
2008-12-06 18:47 --------- d-----w f:\program files\Microsoft ActiveSync
2008-12-06 18:44 107,132 ----a-w f:\windows\UninstallFirefox.exe
2008-12-06 18:44 --------- d-----w f:\program files\QuickTime Alternative
2008-12-06 18:44 --------- d-----w f:\documents and settings\All Users\Application Data\Apple Computer
2008-12-06 18:43 --------- d-----w f:\program files\Common Files\Adobe
2008-12-06 18:39 --------- d-----w f:\program files\Unlocker
2008-12-06 18:36 --------- d-----w f:\program files\MSN Messenger
2008-12-06 18:30 --------- d-----w f:\program files\CCleaner
2008-12-06 17:20 --------- d-----w f:\program files\Avira
2008-12-06 17:20 --------- d-----w f:\documents and settings\All Users\Application Data\Avira
2008-12-06 17:13 --------- d-----w f:\documents and settings\mosorel\Application Data\ATI
2008-12-06 17:13 --------- d-----w f:\documents and settings\All Users\Application Data\ATI
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_14.08.37.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 20:02:28 163,328 ----a-w f:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w f:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 08:00:00 28,672 ----a-w f:\windows\NIRCMD.exe
+ 2000-08-31 06:00:00 28,672 ----a-w f:\windows\NIRCMD.exe
- 2000-08-31 08:00:00 161,792 ----a-w f:\windows\SWREG.exe
+ 2000-08-31 06:00:00 161,792 ----a-w f:\windows\SWREG.exe
+ 2005-11-24 19:49:26 5,632 ----a-w f:\windows\system32\ff_vfw.dll
- 2008-12-06 17:17:18 58,800 ----a-w f:\windows\system32\perfc009.dat
+ 2008-12-08 01:29:50 58,800 ----a-w f:\windows\system32\perfc009.dat
- 2008-12-06 17:17:18 392,626 ----a-w f:\windows\system32\perfh009.dat
+ 2008-12-08 01:29:50 392,626 ----a-w f:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="f:\program files\MSN Messenger\MsnMsgr.Exe" [2005-12-14 7095344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"avgnt"="f:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"WinampAgent"="f:\program files\Winamp\winampa.exe" [2008-01-16 37376]
"NeroFilterCheck"="f:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 f:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="f:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 hotcore2;hotcore2;f:\windows\system32\drivers\hotcore2.sys [2008-12-07 30808]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - f:\documents and settings\mosorel\Application Data\Mozilla\Firefox\Profiles\vmuhv3at.default\
FF -: plugin - f:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 04:09:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
f:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-08 4:10:22
ComboFix-quarantined-files.txt 2008-12-08 02:10:18
ComboFix2.txt 2008-12-08 02:00:36
ComboFix3.txt 2008-12-07 14:08:51

Pre-Run: 20,368,142,336 bytes free
Post-Run: 20,358,279,168 bytes free

135


There is only one small problem I see. The computer doesn't want to remember passwords and logins on sites even when I click "remember me". I was on those sites when I was infected (Edit: I have the option "remember passwords" enabled in Firefox).

classicsoftware
12-08-2008, 12:12 AM
If you continue to use Torrent software, you will continue to get infected.