Error "application cannot be run on win32 mode"

Salam ,Saya nak minta tolong setelkan masalah ni.Setiap kali klik kat partition selain dr (C)dia akan klua error ni "application cannot be run on win32 mode" .semua tak boleh buka.

mungkin disbbkn oleh virus
update av dan buat full system scan
pastu download hijackthis, scan dan paste log dia sini

Yup mungkin sebab virus.
Cuba jangan guna doubleclick; smithmagge rightclick partition tu, pastu klik Open.

johnburn wrote:mungkin disbbkn oleh virus
update av dan buat full system scan
pastu download hijackthis, scan dan paste log dia sini

Punca memang kena virus .Selepas scan apa semua tu yang jd camni.Masalahnya Sekarang ni saya nak download apapun tak boleh dia akan hang/stuck camtu je.

??????????? wrote:Yup mungkin sebab virus.
Cuba jangan guna doubleclick; smithmagge rightclick partition tu, pastu klik Open.

Tak boleh gak aa.

task manager bleh bkak x?
matikan process wscript.exe jika ada
pastu matikan explorer.exe
pastu klik File >> New Task (Run…) pada task manager tu dan type cmd dan tkan enter.
pada paparan command prompt tu type ni dan tkan enter:
del c:\autorun.* /f /q /a

gntikan c:\ tu dgn semua drive yg ko ada. bt satu2.

start balik explorer tgk bleh msk drive x

johnburn wrote:task manager bleh bkak x?
matikan process wscript.exe jika ada
pastu matikan explorer.exe
pastu klik File >> New Task (Run…) pada task manager tu dan type cmd dan tkan enter.
pada paparan command prompt tu type ni dan tkan enter:
del c:\autorun.* /f /q /a

gntikan c:\ tu dgn semua drive yg ko ada. bt satu2.

start balik explorer tgk bleh msk drive x

d,e dh blh buka f sja tak blh.download dh blh.

BTW ini HJT logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:28 AM, on 10/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{96B808A4-BB39-4E1F-8600-D3B10DA5F209}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 5155 bytes

Bukak hijackthis dan klik Do a system scan only. Tndakn entri berikut kmudian tekan Fix Checked:
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
Next, update Malwarebytes' Anti-Malware dan buat quick scan.
bagi log Malwarebytes dgn log hijackthis br pas dh scan ni.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/7/2009 3:02:21 AM
mbam-log-2009-10-07 (03-02-11).txt

Scan type: Quick Scan
Objects scanned: 87425
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\xih9.cmd (Trojan.Agent) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:01 AM, on 10/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 4698 bytes

log file awk ni dah ok..

try ni

task manager--kill ni jika ada wscript.exe dan explorer.exe
run--cmd--
del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a

dah siap chekc ni
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
pastikan ini betul “Userinit”=”C:\WINDOWS\system32\userinit.exe,”
jika tak betulkan..reboot

test0123 wrote:log file awk ni dah ok..

try ni

task manager--kill ni jika ada wscript.exe dan explorer.exe
run--cmd--
del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a

dah siap chekc ni
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
pastikan ini betul “Userinit”=”C:\WINDOWS\system32\userinit.exe,”
jika tak betulkan..reboot

cmna ko ckp log file dia ok?
Files Infected:
C:\xih9.cmd (Trojan.Agent) -> No action taken.

Mengenai userinit lak, kte bleh tgk pada entri F2 hijacthis kl ade prob. thats why kte xleh ambk copy paste je solution dr internet n assume stiap prob tu same.

Kepada smithmagge, download ComboFix dan save kan ke desktop. Tutup AV ko buat smntara waktu and jalankan double click ComboFix.exe untuk jlnkn combofix. COmboFix akan hasilkan satu log bila selesai. Paste log tu (bleh di dapati di C:\ComboFix.txt) beserta log hijackthis yg baru.

Kalau aku laa, entry "xih9.cmd" tu kasi remove dulu

e_sentinel wrote:Kalau aku laa, entry "xih9.cmd" tu kasi remove dulu

tu yg aku cube buat skang ni
spttnye combofix bleh buang yg tu
tp kne tgk log combofix dlu berjaya buang x

smithmagge tak klik "Remove Selected" kat MBAM .. kenapa?

bro john...btul jgk yer..aku tak perasan la yg kat atas tu..heheh

aku setuju jgk dgb bro esentinel , nape dia tak removed masa scan malwarebaytes

johnburn wrote:

test0123 wrote:log file awk ni dah ok..

try ni

task manager--kill ni jika ada wscript.exe dan explorer.exe
run--cmd--
del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a

dah siap chekc ni
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
pastikan ini betul “Userinit”=”C:\WINDOWS\system32\userinit.exe,”
jika tak betulkan..reboot

cmna ko ckp log file dia ok?
Files Infected:
C:\xih9.cmd (Trojan.Agent) -> No action taken.

Mengenai userinit lak, kte bleh tgk pada entri F2 hijacthis kl ade prob. thats why kte xleh ambk copy paste je solution dr internet n assume stiap prob tu same.

Kepada smithmagge, download ComboFix dan save kan ke desktop. Tutup AV ko buat smntara waktu and jalankan double click ComboFix.exe untuk jlnkn combofix. COmboFix akan hasilkan satu log bila selesai. Paste log tu (bleh di dapati di C:\ComboFix.txt) beserta log hijackthis yg baru.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:23 AM, on 10/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{96B808A4-BB39-4E1F-8600-D3B10DA5F209}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 4567 bytes



ComboFix 09-10-06.04 - USER 10/08/2009 2:10.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.105 [GMT 8:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 080923-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\AccessibleMarshal.dll
c:\program files\Mozilla Firefox\Components\browserdirprovider.dll
c:\program files\Mozilla Firefox\Components\brwsrcmp.dll
c:\program files\Mozilla Firefox\xpcom.dll
c:\program files\Mozilla Firefox\xul.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
C:\xih9.cmd
D:\xih9.cmd
E:\resycled
E:\xih9.cmd
H:\em8tqm.cmd

.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-07 18:07 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-07 18:06 . 2009-10-07 18:07 -------- d-----w- c:\windows\ie8updates
2009-10-07 18:06 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-07 18:06 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-07 18:04 . 2009-10-07 18:06 -------- dc-h--w- c:\windows\ie8
2009-10-07 16:37 . 2008-04-13 16:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-07 14:18 . 2009-10-07 16:28 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Adobe
2009-10-07 14:14 . 2009-10-07 14:14 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-07 13:45 . 2009-10-07 13:45 -------- d-----w- c:\windows\LastGood
2009-10-07 02:52 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-07 02:52 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-10-07 02:17 . 2009-10-07 02:17 -------- d-----w- c:\documents and settings\USER\Application Data\AVG8
2009-10-07 01:59 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-07 01:59 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-07 01:59 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-07 01:53 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-06 19:17 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-06 19:14 . 2009-01-07 10:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-06 18:36 . 2009-10-06 18:36 -------- d-----w- c:\program files\VideoLAN
2009-10-06 17:38 . 2009-10-06 17:38 -------- d-----w- c:\program files\Trend Micro
2009-10-06 14:47 . 2009-10-06 14:47 -------- d-----w- c:\documents and settings\USER\Application Data\Malwarebytes
2009-10-06 14:47 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-06 14:47 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-06 14:47 . 2009-10-07 01:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 14:47 . 2009-10-06 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-06 14:44 . 2009-10-06 14:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-06 14:43 . 2009-10-06 14:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-06 14:21 . 2006-10-26 11:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-06 14:21 . 2009-10-06 14:21 -------- d-----w- c:\program files\Microsoft Works
2009-10-06 14:20 . 2009-10-06 14:20 -------- d-----w- c:\program files\MSBuild
2009-10-06 14:18 . 2009-10-06 14:18 0 ----a-w- c:\windows\nsreg.dat
2009-10-06 14:18 . 2009-10-06 14:18 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Mozilla
2009-10-06 14:17 . 2009-10-06 14:20 -------- d-----w- c:\windows\SHELLNEW
2009-10-06 14:16 . 2009-10-06 14:16 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Microsoft Help
2009-10-06 14:15 . 2009-10-06 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-06 14:15 . 2009-10-06 14:15 -------- d-----r- C:\MSOCache
2009-10-06 14:05 . 2009-10-06 17:35 -------- d-----w- c:\documents and settings\USER\Application Data\DMCache
2009-10-06 14:04 . 2009-10-06 14:04 -------- d-----w- c:\program files\Lavalys
2009-10-06 13:57 . 2009-10-06 14:30 68456 ----a-w- c:\documents and settings\USER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 13:53 . 2001-08-17 05:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-06 13:53 . 2001-08-17 05:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-06 13:53 . 2008-04-13 16:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-10-06 13:53 . 2008-04-13 16:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 14:03 . 2009-10-06 14:03 -------- d-----w- c:\program files\Alwil Software
2009-09-24 14:09 . 2009-09-24 14:09 0 ----a-w- c:\windows\ativpsrm.bin
2009-09-24 14:06 . 2009-09-24 14:06 -------- d-----w- c:\program files\Realtek
2009-09-24 14:06 . 2009-09-24 14:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 14:06 . 2009-09-24 14:06 315392 ----a-w- c:\windows\HideWin.exe
2009-09-24 14:06 . 2009-09-24 14:03 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-24 14:04 . 2009-09-24 14:04 -------- d-----w- c:\program files\VIA
2009-09-24 13:57 . 2009-09-24 13:57 -------- d-----w- c:\program files\microsoft frontpage
2009-09-24 13:53 . 2009-09-24 13:53 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-24 13:53 . 2009-09-24 13:52 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-05 09:01 . 2008-04-14 00:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2008-04-14 00:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2008-04-14 00:41 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-19 13:18 . 2009-10-07 18:06 5937152 ------w- c:\windows\system32\SET492.tmp
2009-07-19 10:48 . 2009-10-07 18:06 11067392 ------w- c:\windows\system32\SET499.tmp
2009-07-17 19:01 . 2009-07-17 19:01 58880 ----a-w- c:\windows\system32\SET34D.tmp
2009-07-13 15:43 . 2008-08-29 22:12 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

------- Sigcheck -------

[-] 2008-08-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-16 16855552]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-10-11 1826816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NoIE4StubProcessing"="c:\windows\system32\reg.exe" [2008-04-14 50176]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [10/9/2008 8:38 PM 17920]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/6/2009 10:03 PM 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/6/2009 10:03 PM 20560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/6/2009 10:47 PM 269648]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/6/2009 10:47 PM 19160]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [10/7/2009 3:14 AM 26144]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-07 c:\windows\Tasks\Malwarebytes' Scheduled Update for USER.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-06 06:53]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {96B808A4-BB39-4E1F-8600-D3B10DA5F209} = 202.188.0.133 202.188.1.5
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\xkq3wf32.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 02:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-07 2:14
ComboFix-quarantined-files.txt 2009-10-07 18:14

Pre-Run: 35,722,891,264 bytes free
Post-Run: 35,872,272,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

157 --- E O F --- 2009-10-07 18:08

rox lah korang