Can you tell me which program I should remove??

[Fixed] Hijackthis! Logs - Folder option and task manager is missing !! (posted in the Security & Safety forums)

#8
Bronze Member
Join Date: Oct 2009
Posts: 12 PC Experience: Beginner

#9
Tech Support Team
Join Date: Nov 2006
Location: In the Slaughtered Lamb having a pint.
Posts: 6,835 PC Experience: Smarter than the average Bear

As I have just mentioned, Bit Comet and also Daemon Tools.

#10
Bronze Member

I just removed it now. Here's the new log.
plus i attach some files u may need to check too...Attach.txt checkup.txt DDS.txt RootRepeal.txt hijackthis.log

#11
Tech Support Team

A member of the Security Team staff will advise you further with regard to this, please be patient.
Thank you.

#12
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 8,310 PC Experience: Elite PC Guru

Hi. Welcome to the forum.

Run both these programs.

Please download Malwarebytes' Anti-Malware from one of these places:
* |MG| Malwarebytes Anti-Malware 1.41 Download
* Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com

Double-click mbam-setup.exe to install the application. If it will not run, make a copy of the MBAM.exe and rename MBAM.exe to xxx.exe and run that. Keep the genuine MBAM.exe as we may need to run that later as is.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

PLEASE NOTE: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Once Malwarebytes' Anti-Malware is done removing the malware and you have rebooted the computer, browse around and see if you are still having that problem.

=====================================================================================

You will need to download ComboFix.exe. Download Combofix from any of the links below. You must rename it before saving it. Name it ComFx, and save it to your desktop.
* http://download.bleepingcomputer.com/sUBs/ComboFix.exe
* http://www.forospyware.com/sUBs/ComboFix.exe

IMPORTANT !!! Save ComboFix.exe to your Desktop. It is important that it is saved and renamed following this process directly to your desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. More help on your specific AV here: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Double-click on ComFx.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware. When finished, it shall produce a log for you. Please include the ComboFix.txt in your reply.

Caution..... Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer.
__________________
My real name is Eddy

#13
Bronze Member

I already scanned with MBAM... but suddenly "Windows - No Disk" pops up. What should I do to remove it??

#14
Bronze Member

i have done whatever you say above...
but i feel there is still another virus that bother me.. 1. when i tried to scan using mbam.. suddenly windows - no disk pops up.. i tried to close it but it always appear continuously.. 2. when i finished using mbam and wanted to reboot my PC, suddenly "Windows cannot find "RVHOST.exe". make sure you typed the name correctly and then try again." pops up... i was panicked and just reboot my PC.. when my windows started, that "Windows cannot find "RVHOST.exe". make sure you typed the name correctly and then try again." pops up again.. please check this up.. i dont know whats wrong with my PC since i've done what you said.. here these archives you wanted: mbam-log-2009-10-07 (15-17-17).txt combofixlog.txt

Last edited by Pancake; 10-07-2009 at 09:35 PM. Reason: Copied and pasted for better viewing....