Nope ;-)

It's already moved. A redirect is in place for you so your link to the thread continues to work.

Go ahead and concentrate on completing the PreWork.

Hi DCIAdmin,
Please find the logs below:

Run by Administrator at 10:28:35.03 on Sat 04/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.5.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1283 [GMT 5.5:30]


============== Running Processes ===============

F:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS.0\System32\svchost.exe -k netsvcs
F:\WINDOWS.0\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
F:\WINDOWS.0\system32\svchost.exe
F:\WINDOWS.0\Explorer.EXE
F:\WINDOWS.0\system32\spoolsv.exe
F:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\WINDOWS.0\system32\nvsvc32.exe
F:\WINDOWS.0\system32\svchost.exe -k imgsvc
F:\WINDOWS.0\System32\TUProgSt.exe
svchost.exe "F:\WINDOWS.0\system32\1037e.exe"
F:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
F:\WINDOWS.0\system32\ctfmon.exe
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\TEMP\BN4D.tmp
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\system32\svchost.exe
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\TEMP\BN4E.tmp
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\TEMP\BN53.tmp
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\TEMP\BN54.tmp
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\TEMP\BN5C.tmp
F:\WINDOWS.0\system32\msiexec.exe
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\TEMP\BN71.tmp
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\TEMP\BNA7.tmp
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\System32\svchost.exe
F:\WINDOWS.0\TEMP\BNA8.tmp
F:\WINDOWS.0\System32\svchost.exe
F:\Documents and Settings\Administrator.HOME\Desktop\Download\dds.s cr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = www.google.com
uInternet Connection Wizard,ShellNext = hxxp://85.114.141.207/meds/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - f:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - f:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre1.5.0_16\bin\ssv.dll
uRun: [ctfmon.exe] f:\windows.0\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows.0\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "f:\program files\java\jre1.5.0_16\bin\jusched.exe"
mRun: [AVP] "f:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: f:\docume~1\alluse~1.0\startm~1\programs\startup\c iscos~1.lnk - f:\program files\cisco systems\vpn client\ipsecdialer.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC} - f:\program files\java\jre1.5.0_16\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - f:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - f:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: klogon - f:\windows.0\system32\klogon.dll
Notify: tdwvuips - tdwvuips32.dll
AppInit_DLLs: f:\progra~1\kasper~1\kasper~1\mzvkbd.dll,f:\progra ~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows.0\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\admini~1.hom\applic~1\mozilla\firefox\ profiles\i8z24rx2.default\
FF - plugin: f:\program files\java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: f:\program files\java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: f:\program files\java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: f:\program files\java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: f:\program files\java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: f:\program files\java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: f:\program files\java\jre1.5.0_16\bin\NPOJI610.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npicaN.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000

============= SERVICES / DRIVERS ===============

R1 FDCENT;FDCENT;f:\windows.0\system32\drivers\FDCENT .SYS [2009-5-20 47470]
R1 KLIF;Kaspersky Lab Driver;f:\windows.0\system32\drivers\klif.sys [2009-4-4 227344]
R2 CVPNDRV;Cisco Systems IPsec Driver;f:\windows.0\system32\drivers\CVPNDrv.sys [2009-5-29 263749]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;f:\windows.0\system32\TUProgSt.exe [2009-5-31 603904]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;f:\windows.0\system32\drivers\klim5.sys [2008-4-30 24592]
S0 kl1;Kl1;f:\windows.0\system32\drivers\kl1.sys [2008-7-21 121872]
S0 klbg;Kaspersky Lab Boot Guard Driver;f:\windows.0\system32\drivers\klbg.sys [2008-1-29 32784]
S1 2e89eb79;2e89eb79;f:\windows.0\system32\drivers\2e 89eb79.sys --> f:\windows.0\system32\drivers\2e89eb79.sys [?]
S2 AVP;Kaspersky Anti-Virus;f:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 206088]
S2 WebClientProtectedStorage;WebClient WebClientProtectedStorage;f:\windows.0\system32\10 37e.exe srv --> f:\windows.0\system32\1037e.exe srv [?]
S3 restore;restore;\??\f:\windows.0\system32\drivers\ restore.sys --> f:\windows.0\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-04-04 10:25 <DIR> --d----- f:\program files\Kaspersky Lab
2009-04-04 10:25 <DIR> --d----- f:\docume~1\alluse~1.0\applic~1\Kaspersky Lab
2009-04-04 10:10 49,265 a------- f:\windows.0\system32\jpicpl32.cpl
2009-04-04 09:29 96,976 a------- f:\windows.0\system32\drivers\klin.dat
2009-04-04 09:29 87,855 a------- f:\windows.0\system32\drivers\klick.dat

==================== Find3M ====================

2009-03-27 08:14 453,152 a------- f:\windows.0\system32\nvuninst.exe
2009-02-09 07:37 7,808 a------- f:\windows.0\system32\drivers\usbser_lowerfltj.sys
2009-02-09 07:37 659,968 a------- f:\windows.0\system32\nmwcdcocls.dll
2009-02-09 07:37 7,808 a------- f:\windows.0\system32\drivers\usbser_lowerflt.sys
2009-02-09 07:37 22,016 a------- f:\windows.0\system32\drivers\ccdcmbo.sys
2009-02-09 07:37 17,664 a------- f:\windows.0\system32\drivers\ccdcmb.sys
2009-02-09 07:32 1,112,288 a------- f:\windows.0\system32\wdfcoinstaller01007.dll
2009-01-16 18:24 70,936 a------- f:\windows.0\system32\PhysXLoader.dll
2008-03-09 07:25 236 a------- f:\program files\common files\dx.reg
2009-05-31 20:41 51,712 ---shr-- f:\windows.0\system32\1037e.exe
2009-06-04 01:36 20,480 a--sh--- f:\windows.0\system32\acctress.dll

============= FINISH: 10:28:50.35 ===============

BTW I forgot to tell you. Y`day in some forum I found a tip regarding this. It says that I need to rename windows\regedit.exe to windows\regedit.com . I did that to my surprise it worked. Now I am able to open regedit. However now I got a different problem. I installed Kaspersky antivirus and after installing I am neither able to open the UI nor start the service of kaspersky. It says error 1053 while starting the service. Can you help.

Pavanbl,

Even though you resolved your Regedit issue, I'll go ahead and check your HJT log.

The Kaspersky issue I will need to research. I'm not that familiar with Kaspersky.

I'll get back with you as quickly as possible.

Hi DCIAdmin,
Do you have any update on this.

Pavanbl,

My apologies. I got caught up in work. I'll get this analyzed ASAP.

In the meantime, I would appreciate it if you would please download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry. Please download from one of these webpages.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
Double-click on ComboFix.exe & follow the prompts.
If it will not run rename Combofix to xxx.exe and run that.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Recovery Console can be installed from your disc if you have Vista if you wish.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes to continue scanning for malware.
When finished, it will produce a log - C:\ComboFix.txt - that I would like you to include in your next reply.

Hi DCIAdmin,
I downloaded ComboFix to my desktop. However when I click on it nothing happens. Neither it gives me any error message. I even checked the background process. It is not there. Can you please help.