Please Help - Possible Infection
tui
Hi

I think my computer is infected. The computer switches itself off and is very slow at times, and the anti-virus reboots itself at least 4 times in an hour.

dxwizard.exe is somehow installed on the computer; is it safe?

Attached are the logs for HijackThis and MBAM.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:14 PM, on 10/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dxwizard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\RAHUL\My Documents\Hi Jack This\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pctools.com/en/spyware-doctor/p...product=Spyware Doctor&subproduct=NRM&version=6.1.0.447&code=0-0-0-0&suversion=6.1.0.38&osversion=5.1.2600.2&osspack=Service Pack 3&sulang=en&platform=32 (obfuscated)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: DirectX common - Unknown owner - C:\WINDOWS\system32\dxwizard.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6759 bytes

Malwarebytes' Anti-Malware 1.41
Database version: 2940
Windows 5.1.2600 Service Pack 3

10/11/2009 2:33:44 PM
mbam-log-2009-10-11 (14-33-44).txt

Scan type: Quick Scan
Objects scanned: 102523
Time elapsed: 25 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Regards

Tui
LoPhatPhuud

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.
tui
Log for ComboFix

ComboFix 09-10-12.03 - RAHUL 10/13/2009 20:22.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.178 [GMT 11:00]
Running from: c:\documents and settings\RAHUL\Desktop\ComboFix.exe
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\odbc.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-06 11:31 . 2009-10-06 11:31 -------- d-----w- c:\program files\SonicWallES
2009-10-05 02:36 . 2009-10-05 02:36 -------- d-----w- c:\program files\uTorrent
2009-10-05 02:35 . 2009-10-12 10:42 -------- d-----w- c:\documents and settings\RAHUL\Application Data\uTorrent
2009-10-03 09:51 . 2009-09-30 23:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-03 08:45 . 2009-09-23 10:04 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-10-03 08:45 . 2009-09-23 10:04 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-10-03 08:44 . 2009-09-23 10:04 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-09-23 13:44 . 2009-09-23 14:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-23 13:44 . 2009-09-23 14:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-23 13:44 . 2009-09-23 14:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-13 12:00 . 2009-09-13 12:00 -------- d-----w- c:\documents and settings\RAHUL\Local Settings\Application Data\Ahead
2009-09-13 11:29 . 2009-09-13 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2009-09-13 11:26 . 2009-10-06 11:31 -------- d-----w- c:\documents and settings\RAHUL\Application Data\MailFrontier
2009-09-13 11:08 . 2009-10-13 08:19 144 ----a-w- c:\windows\system32\pdfl.dat
2009-09-13 11:08 . 2009-09-13 11:08 80 ----a-w- c:\windows\system32\ibfl.dat
2009-09-13 11:07 . 2009-10-13 07:15 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-13 11:07 . 2009-09-23 10:05 72584 ----a-w- c:\windows\zllsputility.exe
2009-09-13 11:04 . 2009-10-03 08:52 -------- d-----w- c:\windows\system32\ZoneLabs
2009-09-13 11:04 . 2009-09-13 11:04 -------- d-----w- c:\program files\Zone Labs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-13 08:38 . 2009-08-24 12:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-05 01:20 . 2009-08-24 12:03 -------- d-----w- c:\program files\Spyware Doctor
2009-10-02 13:27 . 2009-08-29 05:52 -------- d-----w- c:\program files\SpywareBlaster
2009-10-02 13:24 . 2009-08-25 11:56 -------- d-----w- c:\program files\SpywareGuard
2009-10-02 10:03 . 2009-08-25 12:03 -------- d-----w- c:\program files\ThreatFire
2009-10-02 09:57 . 2009-08-24 11:41 -------- d-----w- c:\documents and settings\RAHUL\Application Data\CheckPoint
2009-09-13 12:16 . 2009-08-26 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 11:07 . 2009-08-24 11:26 -------- d-----w- c:\program files\CheckPoint
2009-09-13 05:25 . 2009-08-25 12:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 05:11 . 2009-08-26 12:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 04:54 . 2009-08-25 12:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53 . 2009-08-25 12:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 12:18 . 2009-09-07 12:18 -------- d-----w- c:\program files\Alwil Software
2009-09-03 12:47 . 2009-08-24 12:04 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-03 12:47 . 2009-09-03 12:47 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-03 10:25 . 2009-09-03 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-03 10:21 . 2009-09-03 10:21 -------- d-----w- c:\program files\NOS
2009-09-03 09:29 . 2009-09-03 09:29 -------- d-----w- c:\program files\Secunia
2009-09-01 12:11 . 2009-08-26 12:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-31 12:05 . 2009-08-31 12:05 -------- d-----w- c:\documents and settings\RAHUL\Application Data\HP
2009-08-31 11:30 . 2009-08-24 11:01 47648 ----a-w- c:\documents and settings\RAHUL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 11:30 . 2009-08-31 10:45 100584 ----a-w- c:\windows\hpgins14.dat
2009-08-31 11:15 . 2009-08-31 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-08-31 11:15 . 2009-08-31 11:15 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-31 11:13 . 2009-08-30 09:59 -------- d-----w- c:\program files\Common Files\HP
2009-08-31 10:58 . 2009-08-31 10:55 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-31 10:56 . 2009-08-31 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-31 10:45 . 2009-08-31 10:34 -------- d-----w- c:\program files\COL10861
2009-08-31 09:43 . 2009-08-31 09:43 -------- d-----w- c:\program files\MSXML 4.0
2009-08-30 12:39 . 2009-08-30 09:40 29196 ----a-w- c:\windows\hpoins03.dat
2009-08-30 11:26 . 2009-08-30 11:26 128 ----a-w- c:\documents and settings\RAHUL\Local Settings\Application Data\fusioncache.dat
2009-08-30 10:22 . 2009-08-30 09:41 -------- d-----w- c:\program files\HP
2009-08-30 10:20 . 2009-08-30 10:20 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-30 05:52 . 2009-08-30 05:52 -------- d-----w- c:\program files\Microsoft.NET
2009-08-30 05:52 . 2009-08-30 05:52 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-30 02:26 . 2009-08-30 02:26 -------- d-----w- c:\program files\Common Files\Vbox
2009-08-30 02:26 . 2009-08-30 00:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-30 02:22 . 2009-08-24 10:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 02:16 . 2009-08-30 02:07 -------- d-----w- c:\documents and settings\RAHUL\Application Data\ACD Systems
2009-08-30 02:13 . 2009-08-30 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-08-30 02:13 . 2009-08-30 02:04 -------- d-----w- c:\program files\ACD Systems
2009-08-30 02:05 . 2009-08-30 02:04 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-08-30 02:03 . 2009-08-30 02:03 10368 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-08-30 01:58 . 2009-08-30 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-30 01:06 . 2009-08-30 01:06 -------- d-----w- c:\program files\Ahead
2009-08-30 01:06 . 2009-08-30 01:06 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-30 00:51 . 2009-08-30 00:51 1379 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat
2009-08-30 00:51 . 2009-08-30 00:49 130048 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-08-30 00:49 . 2009-08-30 00:49 36604 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-08-30 00:47 . 2009-08-30 00:47 -------- d-----w- c:\program files\Illustrate
2009-08-30 00:42 . 2009-08-30 00:42 -------- d-----w- c:\program files\MSN Messenger
2009-08-30 00:38 . 2009-08-30 00:38 -------- d-----w- c:\program files\COED11
2009-08-30 00:31 . 2009-08-30 00:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-30 00:15 . 2009-08-30 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-29 23:36 . 2009-08-29 23:33 -------- d-----w- c:\program files\SiS VGA Utilities V3.75
2009-08-29 23:35 . 2009-08-29 23:35 -------- d-----w- c:\program files\sisagp
2009-08-29 05:20 . 2009-08-26 11:23 -------- d-----w- c:\program files\XP Codec Pack
2009-08-26 12:51 . 2009-08-26 12:51 -------- d-----w- c:\program files\Windows Defender
2009-08-26 12:45 . 2009-08-26 12:45 -------- d-----w- c:\program files\Java
2009-08-26 12:43 . 2009-08-26 12:43 -------- d-----w- c:\program files\WOT
2009-08-26 11:22 . 2009-08-26 11:22 -------- d-----w- c:\program files\CCleaner
2009-08-26 11:16 . 2009-08-26 11:16 0 ----a-w- c:\windows\nsreg.dat
2009-08-25 12:08 . 2009-08-25 12:08 -------- d-----w- c:\documents and settings\RAHUL\Application Data\Malwarebytes
2009-08-25 12:07 . 2009-08-25 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-25 12:07 . 2009-08-25 12:07 114688 ----a-w- c:\windows\system32\dxwizard.exe
2009-08-25 12:03 . 2009-08-24 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-24 12:05 . 2009-08-24 12:03 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-24 12:03 . 2009-08-24 12:03 -------- d-----w- c:\documents and settings\RAHUL\Application Data\PC Tools
2009-08-24 11:26 . 2009-08-24 11:26 144 ----a-w- c:\windows\system32\lkfl.dat
2009-08-24 10:42 . 2009-08-24 10:42 -------- d-----w- c:\program files\Microsoft Hardware
2009-08-24 10:35 . 2009-08-24 10:35 -------- d-----w- c:\program files\Silicon Integrated Systems
2009-08-24 10:35 . 2009-08-24 10:34 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\Realtek Sound Manager
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\AvRack
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\SiSLan
2009-08-24 10:33 . 2009-08-24 10:33 -------- d-----w- c:\program files\Gigabyte
2009-08-23 11:56 . 2009-08-23 11:56 -------- d-----w- c:\program files\microsoft frontpage
2009-08-23 11:53 . 2009-08-23 11:53 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-06 08:24 . 2009-08-24 10:56 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 08:24 . 2009-08-24 10:56 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 08:24 . 2009-08-24 10:56 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 08:24 . 2008-10-16 04:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 08:24 . 2009-08-24 10:25 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 08:24 . 2009-08-24 10:26 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 08:23 . 2009-08-24 10:56 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 08:23 . 2009-08-24 10:25 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2009-08-24 10:25 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 03:36 . 2009-08-25 12:11 38160 ----a-w- c:\windows\system32\drivers\is-BGIAV.tmp
2009-07-29 04:37 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2009-08-24 10:26 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-09-23 382224]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-23 1011080]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2006-06-28 49152]

c:\documents and settings\RAHUL\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RAHUL^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\RAHUL\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/24/2009 11:04 PM 206256]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/24/2009 12:44 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/24/2009 12:44 AM 59664]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [8/27/2009 3:20 AM 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [8/27/2009 3:20 AM 439664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/25/2009 11:08 PM 269648]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/23/2001 11:00 PM 14336]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [8/27/2009 3:20 AM 35448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/25/2009 11:08 PM 19160]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/24/2009 12:44 AM 33552]
S2 DirectX common;DirectX common;c:\windows\system32\dxwizard.exe [8/25/2009 11:07 PM 114688]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/23/2001 11:00 PM 14336]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 11:20 PM 12648]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/24/2009 11:03 PM 348752]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\Malwarebytes' Scheduled Update for RAHUL.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-25 04:53]

2009-10-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.pctools.com/en/spyware-doctor/purchase/?cclick=Register_11&product=Spyware%20Doctor&subproduct=NRM&version=6%2E1%2E0%2E447&code=0%2D0%2D0%2D0&suversion=6%2E1%2E0%2E38&osversion=5%2E1%2E2600%2E2&osspack=Service%20Pack%203&sulang=en&platform=32
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\RAHUL\Application Data\Mozilla\Firefox\Profiles\y6i1nd5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaDownload.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\RAHUL\Application Data\Mozilla\Firefox\Profiles\y6i1nd5e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe
AddRemove-HijackThis - c:\documents and settings\RAHUL\My Documents\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 21:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(736)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'csrss.exe'(656)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
Completion time: 2009-10-13 22:08
ComboFix-quarantined-files.txt 2009-10-13 11:07

Pre-Run: 66,128,916,480 bytes free
Post-Run: 66,756,640,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

252 --- E O F --- 2009-10-09 09:42


Log for HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:38 PM, on 10/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\RAHUL\My Documents\Hi Jack This\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pctools.com/en/spyware-doctor/p...product=Spyware Doctor&subproduct=NRM&version=6.1.0.447&code=0-0-0-0&suversion=6.1.0.38&osversion=5.1.2600.2&osspack=Service Pack 3&sulang=en&platform=32 (obfuscated)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: DirectX common - Unknown owner - C:\WINDOWS\system32\dxwizard.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6618 bytes


LoPhatPhuud
The logs are clean. You can remove Combofix.

Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.

The shutdown issue may be the result of overheating.

Check with ZoneAlarm support to see if others report the reboot issue. I suspect that problem is ZA specific.

Check your event logs (Control Panel -> Administrative Tools -> Event Viewer) to see if more information is available for these issues.
tui
I have uninstalled ComboFix. How do I reconfigure autorun of ALL CD, floppy and USB devices and set Firefox as my default browser?

Cheers

Tui
LoPhatPhuud
For Autoplay on XP:

Open My Computer.
Under the Devices with Removable Storage section, right click on the device you want to change.
Select Properties, then AutoPlay.

I strongly suggest that you DO NOT set any USB device (flash drives) to Autoplay. I see too many infections that come on USB drives.

To change your default browser, open Control Panel, Add/Remove Programs, then select Set Program Defaults and use the Custom selection.

You can also change it in Firefox. For version 3.5.x (the one I use) open the Options, select the Advanced tab, then the General tab. In the System Defaults area you can elect to have Firefox always check if it is the default browser. The check is made when Firefox is launched. You can also press the Check Now button to change it then, if needed.
tui
Thanks

C:\WINDOWS\system32\dxwizard.exe

Should this item be there? At the moment I have blocked it from internet access.

Regards

Tui
LoPhatPhuud
Information I have shows it is part of DirectX. To be safe...

Please submit the following file(s) to VirusTotal for analysis: http://www.virustotal.com

C:\WINDOWS\system32\dxwizard.exe


Be sure to post the results in this thread.
tui
Here is the log from the VirusTotal scan:

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.10.04 Virus.Win32.Rootkit!IK
AhnLab-V3 5.0.0.2 2009.10.03 -
AntiVir 7.9.1.27 2009.10.02 -
Antiy-AVL 2.0.3.7 2009.10.04 -
Authentium 5.1.2.4 2009.10.03 W32/Spyware-WebActiveClick-based!Maximus
Avast 4.8.1351.0 2009.10.03 -
AVG 8.5.0.420 2009.10.03 -
BitDefender 7.2 2009.10.04 -
CAT-QuickHeal 10.00 2009.10.03 -
ClamAV 0.94.1 2009.10.03 -
Comodo 2508 2009.10.04 -
DrWeb 5.0.0.12182 2009.10.04 -
eSafe 7.0.17.0 2009.10.01 -
eTrust-Vet 31.6.6774 2009.10.02 -
F-Prot 4.5.1.85 2009.10.03 W32/Spyware-WebActiveClick-based!Maximus
F-Secure 8.0.14470.0 2009.10.03 -
Fortinet 3.120.0.0 2009.10.04 W32/KillAV.MHT!tr
GData 19 2009.10.04 -
Ikarus T3.1.1.72.0 2009.10.04 Virus.Win32.Rootkit
Jiangmin 11.0.800 2009.10.04 -
K7AntiVirus 7.10.861 2009.10.03 -
Kaspersky 7.0.0.125 2009.10.04 -
McAfee 5760 2009.10.03 -
McAfee+Artemis 5760 2009.10.03 Suspect-29!1C2F8F2B74BB
McAfee-GW-Edition 6.8.5 2009.10.04 -
Microsoft 1.5101 2009.10.04 -
NOD32 4478 2009.10.03 -
Norman 6.01.09 2009.10.03 -
nProtect 2009.1.8.0 2009.10.04 -
Panda 10.0.2.2 2009.10.03 -
PCTools 4.4.2.0 2009.10.03 -
Prevx 3.0 2009.10.04 High Risk Cloaked Malware
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.04 -
Sunbelt 3.2.1858.2 2009.10.03 -
Symantec 1.4.4.12 2009.10.04 -
TheHacker 6.5.0.2.028 2009.10.03 -
TrendMicro 8.950.0.1094 2009.10.04 TROJ_KILLAV.ACX
VBA32 3.12.10.11 2009.10.03 -
ViRobot 2009.10.2.1968 2009.10.02 -
VirusBuster 4.6.5.0 2009.10.03 -
Additional information
File size: 114688 bytes
MD5 : 1c2f8f2b74bb618b7e24729ea5ad4c1e
SHA1 : 75e010e8967c19b05616baf1e4ca8df3946c502c
SHA256: 8c0aed0134da8fb6397532d4fda6a57637a3ba97beae7682f41bd8b25d7491af
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x9DF0
timedatestamp.....: 0x49C61D7C (Sun Mar 22 12:14:04 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x11B14 0x12000 6.65 731c706cfc26c00697fa0024e237437f
.rdata 0x13000 0x36DA 0x4000 4.78 d8ad11430a4aa841807e33278464e6f1
.data 0x17000 0x85664 0x3000 2.29 5f8d7a46146c310b22729f8eecdaa858
.rsrc 0x9D000 0x1210 0x2000 3.04 a144e451ac29d6b620ba353928d789a1

( 4 imports )

> advapi32.dll: CloseServiceHandle, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, DeleteService, RegOpenKeyExA, RegDeleteKeyA, ControlService, StartServiceA, SetServiceStatus, OpenServiceA, RegQueryValueExA, ReportEventA, OpenSCManagerA, CreateServiceA, ChangeServiceConfig2A, RegCreateKeyA, RegSetValueExA, RegCloseKey, RegisterEventSourceA, DeregisterEventSource
> kernel32.dll: GetLocalTime, GetTickCount, GetComputerNameA, SetConsoleCtrlHandler, WriteFile, Sleep, GetModuleHandleA, FindResourceA, SizeofResource, LoadResource, WriteConsoleA, GetStdHandle, GetModuleFileNameA, GetLastError, FormatMessageA, CreateFileA, ReadFile, CloseHandle, LocalFree, GetFileSize, LocalAlloc, HeapFree, GetSystemTimeAsFileTime, RtlUnwind, GetCommandLineA, GetVersionExA, HeapAlloc, RaiseException, GetACP, GetOEMCP, GetCPInfo, TlsAlloc, SetLastError, GetCurrentThreadId, TlsFree, TlsSetValue, TlsGetValue, GetProcAddress, HeapDestroy, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, IsBadWritePtr, ExitProcess, TerminateProcess, GetCurrentProcess, HeapSize, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, SetUnhandledExceptionFilter, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, InitializeCriticalSection, InterlockedExchange, VirtualQuery, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, GetFileAttributesA, SetFilePointer, GetLocaleInfoA, IsBadReadPtr, IsBadCodePtr, LoadLibraryA, SetStdHandle, FlushFileBuffers, VirtualProtect, GetSystemInfo, QueryPerformanceCounter, GetCurrentProcessId
> user32.dll: CharToOemBuffA, WinHelpA, wsprintfA
> wininet.dll: InternetCloseHandle, InternetAttemptConnect, InternetConnectA, InternetOpenA, HttpSendRequestA, HttpAddRequestHeadersA, HttpOpenRequestA, InternetReadFile, HttpQueryInfoA, HttpEndRequestA, InternetWriteFile, HttpSendRequestExA

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 1536:4DyzfGsO52JCyJ8StaEr5ZRxjgDef4C5dd8PFpmGNIsTfvdtglwVvclG:DZO5iCyJ8Stau91Dw7KeIMdtglw
Prevx Info: http://info.prevx.com/aboutprogramtext.asp...ABF630065F68509
PEiD : -
RDS : NSRL Reference Data Set
-

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

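Added example, not code from the thread and not VirusTotal's or ComboFix's own tooling: a small Python triage that reads the report above and turns it into the questions a responder actually asks of it: how many engines named the file, whether the McAfee Artemis tag really belongs to this MD5, what the import table says the binary can do, whether any section looks packed or oversized, and when the PE was built. The engine rows (an excerpt: all eight engines that flagged the file plus a few that returned "-"; the full table has 41 rows), the import names (kernel32 trimmed to the names used) and the section figures are transcribed from the report; the capability groups, their thresholds and the entropy/size cut-offs are this example's own heuristics.

```python
"""Triage of a VirusTotal text report (added example; input transcribed from the thread)."""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

# Excerpt of the engine table above; the full report lists 41 engines.
VT_RESULTS_EXCERPT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.10.04 Virus.Win32.Rootkit!IK
AhnLab-V3 5.0.0.2 2009.10.03 -
Authentium 5.1.2.4 2009.10.03 W32/Spyware-WebActiveClick-based!Maximus
Avast 4.8.1351.0 2009.10.03 -
F-Prot 4.5.1.85 2009.10.03 W32/Spyware-WebActiveClick-based!Maximus
Fortinet 3.120.0.0 2009.10.04 W32/KillAV.MHT!tr
Ikarus T3.1.1.72.0 2009.10.04 Virus.Win32.Rootkit
Kaspersky 7.0.0.125 2009.10.04 -
McAfee+Artemis 5760 2009.10.03 Suspect-29!1C2F8F2B74BB
Microsoft 1.5101 2009.10.04 -
Prevx 3.0 2009.10.04 High Risk Cloaked Malware
Symantec 1.4.4.12 2009.10.04 -
TrendMicro 8.950.0.1094 2009.10.04 TROJ_KILLAV.ACX
"""
MD5 = "1c2f8f2b74bb618b7e24729ea5ad4c1e"          # from the report
TIMEDATESTAMP = 0x49C61D7C                          # PE header, from the report

# Import table from the PEInfo block (kernel32 trimmed to the names used below).
IMPORTS: Dict[str, List[str]] = {
    "advapi32.dll": ["CloseServiceHandle", "StartServiceCtrlDispatcherA", "RegisterServiceCtrlHandlerA",
                     "DeleteService", "RegOpenKeyExA", "RegDeleteKeyA", "ControlService", "StartServiceA",
                     "SetServiceStatus", "OpenServiceA", "RegQueryValueExA", "ReportEventA", "OpenSCManagerA",
                     "CreateServiceA", "ChangeServiceConfig2A", "RegCreateKeyA", "RegSetValueExA", "RegCloseKey"],
    "kernel32.dll": ["CreateFileA", "WriteFile", "ReadFile", "CreateProcessA", "GetComputerNameA", "VirtualProtect"],
    "user32.dll": ["CharToOemBuffA", "WinHelpA", "wsprintfA"],
    "wininet.dll": ["InternetCloseHandle", "InternetAttemptConnect", "InternetConnectA", "InternetOpenA",
                    "HttpSendRequestA", "HttpAddRequestHeadersA", "HttpOpenRequestA", "InternetReadFile",
                    "HttpQueryInfoA", "HttpEndRequestA", "InternetWriteFile", "HttpSendRequestExA"],
}
# Section table: name, virtual size, raw size, entropy (from the PEInfo block).
SECTIONS = [(".text", 0x11B14, 0x12000, 6.65), (".rdata", 0x36DA, 0x4000, 4.78),
            (".data", 0x85664, 0x3000, 2.29), (".rsrc", 0x1210, 0x2000, 3.04)]

# Heuristic capability groups (this example's own, not a VirusTotal feature). A group
# counts as present when at least two of its APIs are imported (one, for singletons).
CAPABILITIES: Dict[str, Set[str]] = {
    "service: installs itself": {"OpenSCManagerA", "CreateServiceA", "ChangeServiceConfig2A", "StartServiceA"},
    "service: runs as one": {"StartServiceCtrlDispatcherA", "RegisterServiceCtrlHandlerA", "SetServiceStatus"},
    "service: stops/deletes others": {"OpenServiceA", "ControlService", "DeleteService"},
    "registry: deletes keys": {"RegDeleteKeyA"},
    "network: HTTP client": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"},
    "network: HTTP upload": {"HttpSendRequestExA", "InternetWriteFile", "HttpEndRequestA"},
    "host: spawns processes": {"CreateProcessA"},
    "host: reads machine name": {"GetComputerNameA"},
}
_DATE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")


def parse_vt_results(text: str) -> List[Tuple[str, str]]:
    """(engine, verdict) per row; verdict is '' where the engine printed '-'.
    Engine names carry no spaces but verdicts may ("High Risk Cloaked Malware"), so split
    on at most three whitespace runs and validate the date column, which also drops the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or not _DATE.match(parts[2]):
            continue
        engine, _version, _updated, verdict = parts
        rows.append((engine, "" if verdict == "-" else verdict))
    return rows


def detection_ratio(rows: List[Tuple[str, str]]) -> Tuple[int, int]:
    return sum(1 for _, v in rows if v), len(rows)


def artemis_tag_matches_md5(verdict: str, md5: str) -> bool:
    """McAfee Artemis verdicts end in '!<first 12 hex digits of the MD5>'; confirm the tag is ours."""
    return "!" in verdict and verdict.rsplit("!", 1)[1].lower() == md5.lower()[:12]


def capabilities(imports: Dict[str, Iterable[str]]) -> List[str]:
    imported = {api for apis in imports.values() for api in apis}
    return [label for label, group in CAPABILITIES.items() if len(group & imported) >= min(2, len(group))]


def section_findings(sections, packed_entropy: float = 7.0, bss_ratio: int = 8) -> List[str]:
    """Flag sections that look packed (high entropy) or whose in-memory size dwarfs the on-disk
    size (a large uninitialised buffer the loader zero-fills, worth a look but not proof of anything)."""
    out = []
    for name, vsize, rsize, entropy in sections:
        if entropy >= packed_entropy:
            out.append(f"{name}: entropy {entropy} suggests packed/encrypted content")
        if rsize and vsize // rsize >= bss_ratio:
            out.append(f"{name}: virtual size {vsize:#x} is {vsize // rsize}x raw size {rsize:#x} (large uninitialised region)")
    return out


def compile_time_utc(timedatestamp: int) -> str:
    """PE TimeDateStamp is seconds since the Unix epoch; VirusTotal rendered it in its own local zone."""
    return datetime.fromtimestamp(timedatestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def triage(vt_text: str, imports, sections, timedatestamp: int, md5: str) -> Dict[str, object]:
    rows = parse_vt_results(vt_text)
    hits, total = detection_ratio(rows)
    return {"detections": f"{hits}/{total}", "named_by": [e for e, v in rows if v],
            "artemis_matches_md5": any(artemis_tag_matches_md5(v, md5) for _, v in rows),
            "capabilities": capabilities(imports), "section_findings": section_findings(sections),
            "compiled_utc": compile_time_utc(timedatestamp)}


if __name__ == "__main__":
    for key, value in triage(VT_RESULTS_EXCERPT, IMPORTS, SECTIONS, TIMEDATESTAMP, MD5).items():
        print(f"{key}: {value}")
```

The point a responder takes from the summary is that 33 of 41 engines returning "-" does not make a file clean. The import table alone shows a binary that registers itself as a service, can stop and delete other services and registry keys, speaks HTTP in both directions and can spawn processes; it sits in system32 under a name that imitates a Windows component, and HijackThis lists its service with "Unknown owner". That profile matches the KillAV family names two engines gave it, whatever the detection count. The section check shows `.text` is not packed (entropy 6.65, below the usual 7.0 threshold), so the code is visible to static analysis, while `.data` reserves about 44 times its on-disk size in memory.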
LoPhatPhuud
Not safe, we need to remove it. Time for Combofix again.


Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.
tui
Here is the log for ComboFix:

ComboFix 09-10-16.09 - RAHUL 10/18/2009 12:19.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.124 [GMT 11:00]
Running from: c:\documents and settings\RAHUL\Desktop\ComboFix.exe
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
/wow section - STAGE 1

/wow section not completed

/wow section not completed

((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-17 23:50 . 2009-10-17 23:50 -------- d-----w- c:\documents and settings\RAHUL\Application Data\#ISW.FS#
2009-10-06 11:31 . 2009-10-06 11:31 -------- d-----w- c:\program files\SonicWallES
2009-10-05 02:36 . 2009-10-05 02:36 -------- d-----w- c:\program files\uTorrent
2009-10-05 02:35 . 2009-10-17 01:49 -------- d-----w- c:\documents and settings\RAHUL\Application Data\uTorrent
2009-10-03 09:51 . 2009-09-30 23:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-03 08:45 . 2009-09-23 10:04 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-10-03 08:45 . 2009-09-23 10:04 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-10-03 08:44 . 2009-09-23 10:04 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-09-23 13:44 . 2009-09-23 14:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-23 13:44 . 2009-09-23 14:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-23 13:44 . 2009-09-23 14:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-17 23:56 . 2009-08-24 12:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-17 22:57 . 2009-09-13 11:08 144 ----a-w- c:\windows\system32\pdfl.dat
2009-10-17 01:51 . 2009-08-23 12:03 -------- d-s---w- c:\documents and settings\RAHUL\Application Data\Microsoft
2009-10-15 08:16 . 2009-08-24 12:03 -------- d-----w- c:\program files\Spyware Doctor
2009-10-13 07:15 . 2009-09-13 11:07 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-06 11:31 . 2009-09-13 11:26 -------- d-----w- c:\documents and settings\RAHUL\Application Data\MailFrontier
2009-10-02 13:27 . 2009-08-29 05:52 -------- d-----w- c:\program files\SpywareBlaster
2009-10-02 13:24 . 2009-08-25 11:56 -------- d-----w- c:\program files\SpywareGuard
2009-10-02 10:03 . 2009-08-25 12:03 -------- d-----w- c:\program files\ThreatFire
2009-10-02 09:57 . 2009-08-24 11:41 -------- d-----w- c:\documents and settings\RAHUL\Application Data\CheckPoint
2009-09-23 10:05 . 2009-09-13 11:07 72584 ----a-w- c:\windows\zllsputility.exe
2009-09-13 12:16 . 2009-08-26 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 12:14 . 2009-08-30 00:31 -------- d-----w- c:\documents and settings\RAHUL\Application Data\Adobe
2009-09-13 12:14 . 2009-08-30 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe
2009-09-13 11:29 . 2009-09-13 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2009-09-13 11:08 . 2009-09-13 11:08 80 ----a-w- c:\windows\system32\ibfl.dat
2009-09-13 11:07 . 2009-08-24 11:26 -------- d-----w- c:\program files\CheckPoint
2009-09-13 11:04 . 2009-09-13 11:04 -------- d-----w- c:\program files\Zone Labs
2009-09-13 05:25 . 2009-08-25 12:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 05:11 . 2009-08-26 12:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 04:54 . 2009-08-25 12:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53 . 2009-08-25 12:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 12:18 . 2009-09-07 12:18 -------- d-----w- c:\program files\Alwil Software
2009-09-03 12:47 . 2009-08-24 12:04 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-03 12:47 . 2009-09-03 12:47 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-03 10:25 . 2009-09-03 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-03 10:21 . 2009-09-03 10:21 -------- d-----w- c:\program files\NOS
2009-09-03 09:29 . 2009-09-03 09:29 -------- d-----w- c:\program files\Secunia
2009-09-01 12:11 . 2009-08-26 12:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-31 12:05 . 2009-08-31 12:05 -------- d-----w- c:\documents and settings\RAHUL\Application Data\HP
2009-08-31 11:30 . 2009-08-24 11:01 47648 ----a-w- c:\documents and settings\RAHUL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 11:30 . 2009-08-31 10:45 100584 ----a-w- c:\windows\hpgins14.dat
2009-08-31 11:15 . 2009-08-31 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-08-31 11:15 . 2009-08-31 11:15 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-31 11:13 . 2009-08-30 09:59 -------- d-----w- c:\program files\Common Files\HP
2009-08-31 10:58 . 2009-08-31 10:55 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-31 10:56 . 2009-08-31 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-31 10:45 . 2009-08-31 10:34 -------- d-----w- c:\program files\COL10861
2009-08-31 09:47 . 2009-08-23 21:26 -------- d-s---w- c:\documents and settings\Default User\Application Data\Microsoft
2009-08-31 09:44 . 2009-08-23 12:02 -------- d-s---w- c:\documents and settings\NetworkService\Application Data\Microsoft
2009-08-31 09:43 . 2009-08-31 09:43 -------- d-----w- c:\program files\MSXML 4.0
2009-08-30 12:39 . 2009-08-30 09:40 29196 ----a-w- c:\windows\hpoins03.dat
2009-08-30 11:26 . 2009-08-30 11:26 128 ----a-w- c:\documents and settings\RAHUL\Local Settings\Application Data\fusioncache.dat
2009-08-30 10:22 . 2009-08-30 09:41 -------- d-----w- c:\program files\HP
2009-08-30 10:20 . 2009-08-30 10:20 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-30 05:52 . 2009-08-30 05:52 -------- d-----w- c:\program files\Microsoft.NET
2009-08-30 05:52 . 2009-08-30 05:52 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-30 05:50 . 2009-08-23 21:26 -------- d-s---w- c:\documents and settings\All Users\Application Data\Microsoft
2009-08-30 02:26 . 2009-08-30 02:26 -------- d-----w- c:\program files\Common Files\Vbox
2009-08-30 02:26 . 2009-08-30 00:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-30 02:22 . 2009-08-24 10:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 02:16 . 2009-08-30 02:07 -------- d-----w- c:\documents and settings\RAHUL\Application Data\ACD Systems
2009-08-30 02:13 . 2009-08-30 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-08-30 02:13 . 2009-08-30 02:04 -------- d-----w- c:\program files\ACD Systems
2009-08-30 02:05 . 2009-08-30 02:04 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-08-30 02:03 . 2009-08-30 02:03 10368 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-08-30 01:58 . 2009-08-30 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-30 01:06 . 2009-08-30 01:06 -------- d-----w- c:\program files\Ahead
2009-08-30 01:06 . 2009-08-30 01:06 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-30 00:51 . 2009-08-30 00:51 1379 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat
2009-08-30 00:51 . 2009-08-30 00:49 130048 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-08-30 00:49 . 2009-08-30 00:49 36604 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-08-30 00:47 . 2009-08-30 00:47 -------- d-----w- c:\program files\Illustrate
2009-08-30 00:42 . 2009-08-30 00:42 -------- d-----w- c:\program files\MSN Messenger
2009-08-30 00:38 . 2009-08-30 00:38 -------- d-----w- c:\program files\COED11
2009-08-30 00:31 . 2009-08-30 00:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-30 00:31 . 2009-08-30 00:31 -------- d-----w- c:\documents and settings\RAHUL\Application Data\Macromedia
2009-08-30 00:19 . 2009-08-30 00:19 -------- d-----w- c:\documents and settings\RAHUL\Application Data\WinRAR
2009-08-30 00:15 . 2009-08-30 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-29 23:36 . 2009-08-29 23:33 -------- d-----w- c:\program files\SiS VGA Utilities V3.75
2009-08-29 23:35 . 2009-08-29 23:35 -------- d-----w- c:\program files\sisagp
2009-08-29 05:20 . 2009-08-26 11:23 -------- d-----w- c:\program files\XP Codec Pack
2009-08-26 12:51 . 2009-08-26 12:51 -------- d-----w- c:\program files\Windows Defender
2009-08-26 12:45 . 2009-08-26 12:45 -------- d-----w- c:\program files\Java
2009-08-26 12:44 . 2009-08-26 12:44 -------- d-----w- c:\documents and settings\RAHUL\Application Data\Sun
2009-08-26 12:43 . 2009-08-26 12:43 -------- d-----w- c:\program files\WOT
2009-08-26 11:22 . 2009-08-26 11:22 -------- d-----w- c:\program files\CCleaner
2009-08-26 11:16 . 2009-08-26 11:16 0 ----a-w- c:\windows\nsreg.dat
2009-08-26 11:16 . 2009-08-26 11:16 -------- d-----w- c:\documents and settings\RAHUL\Application Data\Mozilla
2009-08-25 12:08 . 2009-08-25 12:08 -------- d-----w- c:\documents and settings\RAHUL\Application Data\Malwarebytes
2009-08-25 12:07 . 2009-08-25 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-25 12:07 . 2009-08-25 12:07 114688 ----a-w- c:\windows\system32\dxwizard.exe
2009-08-25 12:03 . 2009-08-24 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-24 12:05 . 2009-08-24 12:03 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-24 12:05 . 2009-08-23 11:58 -------- d-s---w- c:\windows\system32\config\systemprofile\Application Data\Microsoft
2009-08-24 12:03 . 2009-08-24 12:03 -------- d-----w- c:\documents and settings\RAHUL\Application Data\PC Tools
2009-08-24 11:26 . 2009-08-24 11:26 144 ----a-w- c:\windows\system32\lkfl.dat
2009-08-24 10:42 . 2009-08-24 10:42 -------- d-----w- c:\program files\Microsoft Hardware
2009-08-24 10:35 . 2009-08-24 10:35 -------- d-----w- c:\program files\Silicon Integrated Systems
2009-08-24 10:35 . 2009-08-24 10:34 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\Realtek Sound Manager
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\AvRack
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\SiSLan
2009-08-24 10:33 . 2009-08-24 10:33 -------- d-----w- c:\program files\Gigabyte
2009-08-23 12:03 . 2009-08-23 12:03 -------- d-----w- c:\documents and settings\RAHUL\Application Data\Identities
2009-08-23 11:56 . 2009-08-23 11:56 -------- d-----w- c:\program files\microsoft frontpage
2009-08-23 11:55 . 2009-08-23 12:02 -------- d-s---w- c:\documents and settings\LocalService\Application Data\Microsoft
2009-08-23 11:53 . 2009-08-23 11:53 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-06 08:24 . 2009-08-24 10:56 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 08:24 . 2009-08-24 10:56 209632 ----a-w- c:\windows\system32\wuweb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-09-23 382224]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-23 1011080]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2006-06-28 49152]

c:\documents and settings\RAHUL\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RAHUL^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\RAHUL\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/24/2009 11:04 PM 206256]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/24/2009 12:44 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/24/2009 12:44 AM 59664]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [8/27/2009 3:20 AM 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [8/27/2009 3:20 AM 439664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/25/2009 11:08 PM 269648]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [8/27/2009 3:20 AM 35448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/25/2009 11:08 PM 19160]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/24/2009 12:44 AM 33552]
S2 DirectX common;DirectX common;c:\windows\system32\dxwizard.exe [8/25/2009 11:07 PM 114688]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/23/2001 11:00 PM 14336]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 11:20 PM 12648]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/24/2009 11:03 PM 348752]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-14 c:\windows\Tasks\Malwarebytes' Scheduled Update for RAHUL.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-25 04:53]

2009-10-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.pctools.com/en/spyware-doctor/purchase/?cclick=Register_11&product=Spyware%20Doctor&subproduct=NRM&version=6%2E1%2E0%2E447&code=0%2D0%2D0%2D0&suversion=6%2E1%2E0%2E38&osversion=5%2E1%2E2600%2E2&osspack=Service%20Pack%203&sulang=en&platform=32
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\RAHUL\Application Data\Mozilla\Firefox\Profiles\y6i1nd5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaDownload.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\RAHUL\Application Data\Mozilla\Firefox\Profiles\y6i1nd5e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 12:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'winlogon.exe'(4092)
c:\program files\ThreatFire\TfWah.dll
c:\program files\CheckPoint\ZAForceField\ISWUL.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWHRCL.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(732)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(4176)
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TfWah.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll

- - - - - - - > 'csrss.exe'(652)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
Completion time: 2009-10-18 13:02
ComboFix-quarantined-files.txt 2009-10-18 02:00

Pre-Run: 66,757,730,304 bytes free
Post-Run: 66,722,906,112 bytes free

256 --- E O F --- 2009-10-17 05:07



Here is a log for HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:49 PM, on 10/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Documents and Settings\RAHUL\Local Settings\Temp\Heuristics\winlogon.exe
C:\Documents and Settings\RAHUL\Local Settings\Temp\Heuristics\notepad.exe
C:\32788R22FWJFW\hidec.exe
C:\32788R22FWJFW\hidec.exe
C:\Program Files\CheckPoint\ZAForceField\ISWLDR.dat
C:\32788R22FWJFW\pev.exe
C:\32788R22FWJFW\PEV.exe
C:\32788R22FWJFW\swreg.exe
C:\32788R22FWJFW\swreg.exe
C:\32788R22FWJFW\SWREG.exe
C:\32788R22FWJFW\swreg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\RAHUL\My Documents\Hi Jack This\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pctools.com/en/spyware-doctor/p...product=Spyware Doctor&subproduct=NRM&version=6.1.0.447&code=0-0-0-0&suversion=6.1.0.38&osversion=5.1.2600.2&osspack=Service Pack 3&sulang=en&platform=32 (obfuscated)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: DirectX common - Unknown owner - C:\WINDOWS\system32\dxwizard.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6545 bytes


Regards

Tui
LoPhatPhuud
First:
Run HiJackThis and press the 'Scan' button.

When the scan is finished:
Check the following items in HijackThis.
O23 - Service: DirectX common - Unknown owner - C:\WINDOWS\system32\dxwizard.exe

Close all windows except HijackThis and click Fix checked.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.


Second:
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
KillAll::

File::
C:\WINDOWS\system32\dxwizard.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
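The check the helper applied above (an O23 service with "Unknown owner" pointing at an executable in system32) and the follow-up ("post a new log") can be automated for a HijackThis log. The script below is an added example written for this thread; it is not code from the forum, from LoPhatPhuud or from the HijackThis project. It flags O23 services with no registered vendor, O2 BHO entries whose backing DLL is gone and O10 Winsock LSP files HijackThis does not recognise, then diffs two logs so you can confirm that "Fix checked" really removed the entry. The sample log lines are constructed from this thread (subsets of the 10/18 and 10/21 logs).

```python
"""
Triage helper for HijackThis logs (added example, not part of the thread).

Flags the kinds of lines a helper looks at first and diffs two logs to confirm
a fix took effect. Sample log text is constructed from the thread above.
"""
import re
from typing import List, NamedTuple, Set

# O23 - Service: <display name> - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O2 - BHO: <name> - {CLSID} - <path or (no file)>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
# Any HijackThis finding line (R0/R1/O2/O4/O23/...), used for the before/after diff.
ENTRY_RE = re.compile(r"^[OR]\d+ - ")


class Finding(NamedTuple):
    line: str
    reason: str


def triage(log: str) -> List[Finding]:
    """Return the log lines a helper would want to examine, each with a reason."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if (m := O23_RE.match(line)) and m["owner"].casefold() == "unknown owner":
            # A service whose binary carries no vendor information: verify the file
            # (hash, signature, install date) before treating it as legitimate.
            findings.append(Finding(line, "service binary has no registered vendor; verify it"))
        elif (m := O2_RE.match(line)) and m["path"] == "(no file)":
            # Registration left behind after its DLL was removed; harmless but removable.
            findings.append(Finding(line, "orphaned BHO registration, backing DLL is gone"))
        elif O10_RE.match(line):
            # HijackThis only whitelists known LSPs; 'unknown' means 'confirm the origin'.
            findings.append(Finding(line, "LSP not on HijackThis' known list; confirm the DLL's origin"))
    return findings


def entries(log: str) -> Set[str]:
    """All HijackThis finding lines in a log, normalised for comparison."""
    return {l.strip() for l in log.splitlines() if ENTRY_RE.match(l.strip())}


def removed_between(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but absent from the later one."""
    return sorted(entries(before) - entries(after))


# Constructed sample: a subset of the 10/18 log posted in this thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: DirectX common - Unknown owner - C:\WINDOWS\system32\dxwizard.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed sample: the same subset taken from the 10/21 log, after the fix.
LOG_AFTER = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"[check] {f.reason}\n        {f.line}")
    for line in removed_between(LOG_BEFORE, LOG_AFTER):
        print(f"[removed after fix] {line}")
```

On the sample input the only O23 line flagged is the dxwizard.exe service, which is exactly the line the helper asked to have fixed; the vendor-backed services (Malwarebytes, HP) pass. The diff is the check a helper does when the "new log" arrives: the entry should be in the removed list and nothing unexpected should have appeared. An O23 "Unknown owner" hit is a prompt to verify the file, not a verdict on its own.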
tui
Combofix does not generate a log. I have waited for about 4 hours.
I will try it again at the weekend.

Here is a log for hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:35 PM, on 10/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Documents and Settings\RAHUL\My Documents\Hi Jack This\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pctools.com/en/spyware-doctor/p...product=Spyware Doctor&subproduct=NRM&version=6.1.0.447&code=0-0-0-0&suversion=6.1.0.38&osversion=5.1.2600.2&osspack=Service Pack 3&sulang=en&platform=32 (obfuscated)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6257 bytes
LoPhatPhuud



There should have been a new ComboFix log as well. Can you post that, please?
tui
Here is a log for ComboFix.

ComboFix 09-10-20.03 - RAHUL 10/22/2009 22:14.2.2 - NTFSx86
Running from: c:\documents and settings\RAHUL\Desktop\ComboFix.exe
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-17 23:50 . 2009-10-21 10:52 -------- d-----w- c:\documents and settings\RAHUL\Application Data\#ISW.FS#
2009-10-06 11:31 . 2009-10-06 11:31 -------- d-----w- c:\program files\SonicWallES
2009-10-05 02:36 . 2009-10-05 02:36 -------- d-----w- c:\program files\uTorrent
2009-10-05 02:35 . 2009-10-17 01:49 -------- d-----w- c:\documents and settings\RAHUL\Application Data\uTorrent
2009-10-03 09:51 . 2009-09-30 23:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-03 08:45 . 2009-09-23 10:04 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-10-03 08:45 . 2009-09-23 10:04 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-10-03 08:44 . 2009-09-23 10:04 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-09-23 13:44 . 2009-09-23 14:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-23 13:44 . 2009-09-23 14:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-23 13:44 . 2009-09-23 14:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 10:50 . 2009-09-13 11:08 144 ----a-w- c:\windows\system32\pdfl.dat
2009-10-20 07:13 . 2009-09-13 11:07 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-19 08:00 . 2009-08-24 12:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-19 06:32 . 2009-08-24 12:03 -------- d-----w- c:\program files\Spyware Doctor
2009-10-06 11:31 . 2009-09-13 11:26 -------- d-----w- c:\documents and settings\RAHUL\Application Data\MailFrontier
2009-10-02 13:27 . 2009-08-29 05:52 -------- d-----w- c:\program files\SpywareBlaster
2009-10-02 13:24 . 2009-08-25 11:56 -------- d-----w- c:\program files\SpywareGuard
2009-10-02 10:03 . 2009-08-25 12:03 -------- d-----w- c:\program files\ThreatFire
2009-10-02 09:57 . 2009-08-24 11:41 -------- d-----w- c:\documents and settings\RAHUL\Application Data\CheckPoint
2009-09-23 10:05 . 2009-09-13 11:07 72584 ----a-w- c:\windows\zllsputility.exe
2009-09-13 12:16 . 2009-08-26 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 11:29 . 2009-09-13 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2009-09-13 11:08 . 2009-09-13 11:08 80 ----a-w- c:\windows\system32\ibfl.dat
2009-09-13 11:07 . 2009-08-24 11:26 -------- d-----w- c:\program files\CheckPoint
2009-09-13 11:04 . 2009-09-13 11:04 -------- d-----w- c:\program files\Zone Labs
2009-09-13 05:25 . 2009-08-25 12:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 05:11 . 2009-08-26 12:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 04:54 . 2009-08-25 12:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53 . 2009-08-25 12:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 12:18 . 2009-09-07 12:18 -------- d-----w- c:\program files\Alwil Software
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 12:47 . 2009-08-24 12:04 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-03 12:47 . 2009-09-03 12:47 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-03 10:25 . 2009-09-03 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-03 10:21 . 2009-09-03 10:21 -------- d-----w- c:\program files\NOS
2009-09-03 09:29 . 2009-09-03 09:29 -------- d-----w- c:\program files\Secunia
2009-09-01 12:11 . 2009-08-26 12:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-31 12:05 . 2009-08-31 12:05 -------- d-----w- c:\documents and settings\RAHUL\Application Data\HP
2009-08-31 11:30 . 2009-08-24 11:01 47648 ----a-w- c:\documents and settings\RAHUL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 11:30 . 2009-08-31 10:45 100584 ----a-w- c:\windows\hpgins14.dat
2009-08-31 11:15 . 2009-08-31 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-08-31 11:15 . 2009-08-31 11:15 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-31 11:13 . 2009-08-30 09:59 -------- d-----w- c:\program files\Common Files\HP
2009-08-31 10:58 . 2009-08-31 10:55 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-31 10:56 . 2009-08-31 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-31 10:45 . 2009-08-31 10:34 -------- d-----w- c:\program files\COL10861
2009-08-31 09:43 . 2009-08-31 09:43 -------- d-----w- c:\program files\MSXML 4.0
2009-08-30 12:39 . 2009-08-30 09:40 29196 ----a-w- c:\windows\hpoins03.dat
2009-08-30 11:26 . 2009-08-30 11:26 128 ----a-w- c:\documents and settings\RAHUL\Local Settings\Application Data\fusioncache.dat
2009-08-30 10:22 . 2009-08-30 09:41 -------- d-----w- c:\program files\HP
2009-08-30 10:20 . 2009-08-30 10:20 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-30 05:52 . 2009-08-30 05:52 -------- d-----w- c:\program files\Microsoft.NET
2009-08-30 05:52 . 2009-08-30 05:52 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-30 02:26 . 2009-08-30 02:26 -------- d-----w- c:\program files\Common Files\Vbox
2009-08-30 02:26 . 2009-08-30 00:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-30 02:22 . 2009-08-24 10:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 02:16 . 2009-08-30 02:07 -------- d-----w- c:\documents and settings\RAHUL\Application Data\ACD Systems
2009-08-30 02:13 . 2009-08-30 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-08-30 02:13 . 2009-08-30 02:04 -------- d-----w- c:\program files\ACD Systems
2009-08-30 02:05 . 2009-08-30 02:04 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-08-30 02:03 . 2009-08-30 02:03 10368 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-08-30 01:58 . 2009-08-30 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-30 01:06 . 2009-08-30 01:06 -------- d-----w- c:\program files\Ahead
2009-08-30 01:06 . 2009-08-30 01:06 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-30 00:51 . 2009-08-30 00:51 1379 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat
2009-08-30 00:51 . 2009-08-30 00:49 130048 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-08-30 00:49 . 2009-08-30 00:49 36604 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-08-30 00:47 . 2009-08-30 00:47 -------- d-----w- c:\program files\Illustrate
2009-08-30 00:42 . 2009-08-30 00:42 -------- d-----w- c:\program files\MSN Messenger
2009-08-30 00:38 . 2009-08-30 00:38 -------- d-----w- c:\program files\COED11
2009-08-30 00:31 . 2009-08-30 00:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-30 00:15 . 2009-08-30 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-29 23:36 . 2009-08-29 23:33 -------- d-----w- c:\program files\SiS VGA Utilities V3.75
2009-08-29 23:35 . 2009-08-29 23:35 -------- d-----w- c:\program files\sisagp
2009-08-29 08:08 . 2009-08-24 10:25 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 05:20 . 2009-08-26 11:23 -------- d-----w- c:\program files\XP Codec Pack
2009-08-26 12:51 . 2009-08-26 12:51 -------- d-----w- c:\program files\Windows Defender
2009-08-26 12:45 . 2009-08-26 12:45 -------- d-----w- c:\program files\Java
2009-08-26 12:43 . 2009-08-26 12:43 -------- d-----w- c:\program files\WOT
2009-08-26 11:22 . 2009-08-26 11:22 -------- d-----w- c:\program files\CCleaner
2009-08-26 11:16 . 2009-08-26 11:16 0 ----a-w- c:\windows\nsreg.dat
2009-08-26 08:00 . 2009-08-24 10:25 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 12:08 . 2009-08-25 12:08 -------- d-----w- c:\documents and settings\RAHUL\Application Data\Malwarebytes
2009-08-25 12:07 . 2009-08-25 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-25 12:07 . 2009-08-25 12:07 114688 ----a-w- c:\windows\system32\dxwizard.exe
2009-08-25 12:03 . 2009-08-24 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-24 12:05 . 2009-08-24 12:03 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-24 12:03 . 2009-08-24 12:03 -------- d-----w- c:\documents and settings\RAHUL\Application Data\PC Tools
2009-08-24 11:26 . 2009-08-24 11:26 144 ----a-w- c:\windows\system32\lkfl.dat
2009-08-24 10:42 . 2009-08-24 10:42 -------- d-----w- c:\program files\Microsoft Hardware
2009-08-24 10:35 . 2009-08-24 10:35 -------- d-----w- c:\program files\Silicon Integrated Systems
2009-08-24 10:35 . 2009-08-24 10:34 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\Realtek Sound Manager
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\AvRack
2009-08-24 10:34 . 2009-08-24 10:34 -------- d-----w- c:\program files\SiSLan
2009-08-24 10:33 . 2009-08-24 10:33 -------- d-----w- c:\program files\Gigabyte
2009-08-23 11:53 . 2009-08-23 11:53 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-06 08:24 . 2009-08-24 10:56 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 08:24 . 2009-08-24 10:56 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 08:24 . 2009-08-24 10:56 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 08:24 . 2008-10-16 04:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 08:24 . 2009-08-24 10:25 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 08:24 . 2009-08-24 10:26 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 08:23 . 2009-08-24 10:56 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 08:23 . 2009-08-24 10:25 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2009-08-24 10:25 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2001-08-23 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2001-08-17 13:48 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 03:36 . 2009-08-25 12:11 38160 ----a-w- c:\windows\system32\drivers\is-BGIAV.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-09-23 382224]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-23 1011080]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2006-06-28 49152]

c:\documents and settings\RAHUL\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RAHUL^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\RAHUL\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/24/2009 11:04 PM 206256]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/24/2009 12:44 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/24/2009 12:44 AM 59664]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [8/27/2009 3:20 AM 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [8/27/2009 3:20 AM 439664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/25/2009 11:08 PM 269648]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [8/27/2009 3:20 AM 35448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/25/2009 11:08 PM 19160]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/24/2009 12:44 AM 33552]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/23/2001 11:00 PM 14336]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 11:20 PM 12648]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/24/2009 11:03 PM 348752]
S4 DirectX common;DirectX common;c:\windows\system32\dxwizard.exe [8/25/2009 11:07 PM 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\Malwarebytes' Scheduled Update for RAHUL.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-25 04:53]

2009-10-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.pctools.com/en/spyware-doctor/purchase/?cclick=Register_11&product=Spyware%20Doctor&subproduct=NRM&version=6%2E1%2E0%2E447&code=0%2D0%2D0%2D0&suversion=6%2E1%2E0%2E38&osversion=5%2E1%2E2600%2E2&osspack=Service%20Pack%203&sulang=en&platform=32
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\RAHUL\Application Data\Mozilla\Firefox\Profiles\y6i1nd5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaDownload.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\RAHUL\Application Data\Mozilla\Firefox\Profiles\y6i1nd5e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 23:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(736)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TfWah.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll

- - - - - - - > 'csrss.exe'(656)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
Completion time: 2009-10-22 0:12
ComboFix-quarantined-files.txt 2009-10-22 13:11

Pre-Run: 66,728,910,848 bytes free
Post-Run: 67,142,057,984 bytes free

- - End Of File - - 462F10A9C98D65E85B91F6B7CB08A232
LoPhatPhuud
The latest Combofix and HJT Logs are good. Are there still any issues outstanding that need addressing?
tui
No that's all for this time.

Thanks very much for your help.

Cheers

LoPhatPhuud
Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
tui
I have un-installed ComboFix and reset firefox as my default browser.

Thanks

Cheers