Malware And Adware Havoc..please Help.[INACTIVE]

rohangpatil · October 4, 2007

I've been getting Security warning window.. and when i click on the close button IE 7 opens and

site opens.

even this site..

computing is becoming very irksome..

HijackThis (2.0.2) log file

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:53:57 PM, on 10/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Protexis\License Service\PSIService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AvaFind\AvaFind.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\VisualTaskTips\VisualTaskTips.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: MSVPS System - {3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A} - C:\WINDOWS\bndsrwlq.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\styler\TB\StylerTB.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: VisualTaskTips.lnk = C:\Program Files\VisualTaskTips\VisualTaskTips.exe

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=Q306&bd=presario&pf=laptop

O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E8C7CA81-1E6D-4D0C-BE56-E5381BE5D0DA}: NameServer = 192.168.1.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O21 - SSODL: msvb - {9CD13CF8-2B77-45E1-9C0D-40B559E3BED3} - C:\WINDOWS\msvb.dll

O21 - SSODL: sysdx - {F6B0F9C4-B12D-45B2-ACE4-06C415122EBD} - C:\WINDOWS\sysdx.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--

End of file - 13307 bytes

Andro1d · October 9, 2007

Hello and Welcome to BT.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Sorry for the delay!

Step 1

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Step 2

Download Deckard's System Scanner (DSS) to your Desktop.

Close all applications and windows.
Double-click on DSS.exe to run it, and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply along with the combofix log.

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)

rohangpatil · October 9, 2007

Hi Again!

Thanks For the reply!

I used to use the laptop with explorer.exe closed. It used to solve my problem partially.. Done as instructed..

ComboFix Log File.

ComboFix 07-10-09.3 - Rohan 2007-10-09 20:32:07.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.97 [GMT 5.5:30]

Running from: C:\Documents and Settings\Rohan\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Rohan\Desktop\Error Cleaner.url

C:\Documents and Settings\Rohan\Desktop\Privacy Protector.url

C:\Documents and Settings\Rohan\Desktop\Spyware&Malware Protection.url

C:\Documents and Settings\Rohan\Favorites\Error Cleaner.url

C:\Documents and Settings\Rohan\Favorites\Privacy Protector.url

C:\Documents and Settings\Rohan\Favorites\Spyware&Malware Protection.url

C:\Documents and Settings\Rohan\My Documents\Vth sem\sudhakar\Database Management System (ISE-CSE)\100 Q's\Desktop_.ini

C:\Documents and Settings\Rohan\My Documents\Vth sem\sudhakar\Database Management System (ISE-CSE)\Desktop_.ini

C:\Documents and Settings\Rohan\My Documents\Vth sem\sudhakar\Database Management System (ISE-CSE)\Lesson Plan\Desktop_.ini

C:\Documents and Settings\Rohan\My Documents\Vth sem\sudhakar\Database Management System (ISE-CSE)\Notes\Desktop_.ini

C:\Documents and Settings\Rohan\My Documents\Vth sem\sudhakar\Lesson Plan\Desktop_.ini

C:\Program Files\VideoAccessCodec

C:\Program Files\VideoAccessCodec\install.ico

C:\Program Files\VideoAccessCodec\Uninstall.exe

C:\Program Files\VideoAccessCodec\VideoAccessCodec.ocx

C:\WINDOWS\bndsrwlq.dll

C:\WINDOWS\dat.txt

C:\WINDOWS\main_uninstaller.exe

C:\WINDOWS\msvb.dll

C:\WINDOWS\netadv.dll

C:\WINDOWS\rs.txt

C:\WINDOWS\search_res.txt

C:\WINDOWS\sysdx.dll

.

((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))

.

2007-10-09 20:31 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-05 12:54 <DIR> d-------- C:\.Trash-guest

2007-10-05 10:20 <DIR> d-------- C:\Program Files\Webroot

2007-10-05 09:29 <DIR> d-------- C:\Program Files\Lavasoft

2007-10-05 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-10-05 09:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-10-05 03:58 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-10-04 18:45 <DIR> d-------- C:\Documents and Settings\Rohan\Application Data\Styler

2007-10-04 18:40 <DIR> d-------- C:\Program Files\VisualTaskTips

2007-10-04 18:40 218,624 --a------ C:\WINDOWS\system32\dllcache\uxtheme.dll

2007-10-04 18:18 <DIR> d-------- C:\temp

2007-10-04 18:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager

2007-10-04 18:18 <DIR> d-------- C:\Program Files\Avex

2007-10-04 18:07 <DIR> d-------- C:\Program Files\SystemDefender

2007-10-03 20:38 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\WinRAR

2007-10-02 22:15 <DIR> d-------- C:\Program Files\TopCoder UML Tool

2007-10-02 12:11 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Google

2007-10-02 12:08 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Real

2007-09-27 21:38 <DIR> d-------- C:\Program Files\DFX

2007-09-27 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX

2007-09-27 21:35 <DIR> d-------- C:\Program Files\Winamp

2007-09-27 21:35 <DIR> d-------- C:\Documents and Settings\Rohan\Application Data\Winamp

2007-09-27 21:35 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2007-09-27 21:35 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2007-09-27 21:35 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2007-09-27 13:37 <DIR> d-------- C:\Program Files\Trend Micro

2007-09-27 13:29 <DIR> d-------- C:\Program Files\ABC Amber LIT Converter

2007-09-27 12:20 <DIR> d-------- C:\Program Files\Microsoft Reader

2007-09-27 12:20 60,944 --a------ C:\WINDOWS\DASShp.dll

2007-09-27 12:17 <DIR> d-------- C:\Documents and Settings\Rohan\Application Data\WinRAR

2007-09-26 19:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-09-24 00:40 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2007-09-24 00:40 207,736 --a------ C:\WINDOWS\system32\muweb.dll

2007-09-23 03:21 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

2007-09-23 03:19 <DIR> d-------- C:\Program Files\MSBuild

2007-09-23 03:16 <DIR> d-------- C:\Program Files\Microsoft.NET

2007-09-23 03:12 <DIR> d-------- C:\WINDOWS\SHELLNEW

2007-09-23 03:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

2007-09-23 03:06 <DIR> dr-h----- C:\MSOCache

2007-09-21 19:04 <DIR> d-------- C:\Program Files\The KMPlayer

2007-09-20 22:21 <DIR> d-------- C:\Documents and Settings\Rohan\Application Data\VMware

2007-09-20 22:19 <DIR> d-------- C:\Program Files\VMware

2007-09-14 10:53 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared

2007-09-14 10:32 <DIR> d-------- C:\WINDOWS\system32\QuickTime

2007-09-14 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet

2007-09-14 09:45 <DIR> d-------- C:\Program Files\Bonjour

2007-09-14 09:29 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

2007-09-13 19:30 <DIR> d-------- C:\Program Files\Kaspersky Lab

2007-09-13 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-09-13 19:30 19,204,896 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2007-09-13 19:30 386,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2007-09-13 19:30 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat

2007-09-13 19:30 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-09 15:17 37,292 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2007-10-09 15:17 258,260 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2007-10-09 12:41 --------- d-----w C:\Documents and Settings\Rohan\Application Data\AvaFind Data

2007-10-05 03:51 --------- d-----w C:\Documents and Settings\Rohan\Application Data\uTorrent

2007-10-04 13:18 --------- d-----w C:\Program Files\EasyEclipse Expert Java 1.3.0

2007-09-27 06:50 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-09-22 21:49 --------- d-----w C:\Program Files\Microsoft Works

2007-09-15 18:03 --------- d-----w C:\Program Files\Hp

2007-09-15 18:02 --------- d-----w C:\Program Files\Hewlett-Packard

2007-09-13 13:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-09-13 13:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2007-09-08 15:38 --------- d-----w C:\Program Files\DAMN NFO Viewer

2007-09-08 15:37 --------- d-----w C:\Program Files\BitTyrant

2007-09-08 15:22 --------- d-----w C:\Documents and Settings\Rohan\Application Data\BitTyrant

2007-09-08 15:22 --------- d-----w C:\Documents and Settings\Rohan\Application Data\Azureus

2007-09-08 15:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus

2007-09-07 17:55 --------- d-----w C:\Program Files\Common Files\xing shared

2007-09-07 17:55 --------- d-----w C:\Program Files\Common Files\Real

2007-09-07 17:32 --------- d-----w C:\Documents and Settings\Rohan\Application Data\Real

2007-09-07 17:26 --------- d-----w C:\Program Files\Real

2007-09-04 14:14 --------- d-----w C:\Documents and Settings\Rohan\Application Data\Subversion

2007-08-30 14:23 --------- d-----w C:\Documents and Settings\Rohan\Application Data\Help

2007-08-29 10:52 --------- d-----w C:\Program Files\EA SPORTS

2007-08-27 16:57 296 ----a-w C:\Documents and Settings\Rohan\Application Data\wklnhst.dat

2007-08-25 16:19 --------- d-----w C:\Documents and Settings\Rohan\Application Data\dvdcss

2007-08-14 15:41 317,712 ------w C:\MASMsetup.EXE

2007-08-14 15:40 2,686,232 ------w C:\vcredist_x86.exe

2007-08-10 17:27 --------- d-----w C:\Documents and Settings\Rohan\Application Data\Ahead

2007-08-10 09:02 --------- d-----w C:\Program Files\Common Files\LightScribe

2007-08-10 08:58 --------- d-----w C:\Program Files\Common Files\Ahead

2007-08-10 08:54 --------- d-----w C:\Program Files\Nero

2007-08-10 05:50 --------- d-----w C:\Program Files\PowerISO

2007-08-10 03:01 --------- d-----w C:\Documents and Settings\Rohan\Application Data\Sonic

2007-08-10 03:00 --------- d-----w C:\Documents and Settings\Rohan\Application Data\Leadertech

2004-06-01 07:18 295,936 ----a-w C:\Documents and Settings\Rohan\AvaFind.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 08:19]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 01:59 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 10:31]

"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 19:24]

"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 09:08]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 13:48]

"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 07:53]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 18:30]

"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 18:30]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 18:30]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2007-10-05 19:14]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2007-10-05 19:14]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" []

"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15]

"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]

"LFAgent"="" []

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-22 08:32]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-22 08:32]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-22 08:32]

"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 12:39]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-07 23:24]

"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 03:52]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-09 23:53]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 02:30]

"AvaFind"="C:\Program Files\AvaFind\AvaFind.exe" [2004-06-01 12:48]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

R2 LF30FS;LF30FS;\??\C:\Program Files\Everstrike Software\Lock Folder XP 3.6\LF30XP.sys

R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3b4628b-3471-11dc-b0da-806d6172696f}]

AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.

**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-09 20:49:18

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???hX????????@???????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-10-09 20:53:22 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-10-09 20:53

.

--- E O F ---

HijackThis Log File.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:00:56 PM, on 10/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Protexis\License Service\PSIService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AvaFind\AvaFind.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop