
"your Privacy is in danger"! virus... PLEASE PLEASE HELP


  • This topic is locked

#1 siddhu7_d (Member, 10 posts)
I've been stuck with this red screen which says "your privacy is in danger". I've tried Malwarebytes too, but it was of no use!
Help would be greatly appreciated!
Thank you so much!

This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:58 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: QXK Olive - {DC6DF9D6-6F2E-4545-8C79-8F9BD0E56482} - C:\WINDOWS\nfavxwdbtex.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: fdkowvbp - {BC773027-E244-461F-849E-D2ABB72F17E1} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{880D8573-9C61-4DE4-B469-1836B9A473B8}: NameServer = 172.19.0.1,202.56.250.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: eqvwamkl - {473B0BDB-D0DC-4441-9FB6-38D34249409F} - C:\WINDOWS\eqvwamkl.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6733 bytes

Reason for Edit: Merged posts.

Please don't post more than once or bump the topic as Helpers usually first look for threads with no replies.

Edited by Octagonal, 04 August 2008 - 04:24 AM.

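The log above already shows the whole persistence chain of this rogue: the F2 UserInit value chaining wscript.exe with boot.vbs at logon, the O2/O3/O21 DLLs with random names dropped straight into C:\WINDOWS, the O4 value under Policies\Explorer\Run for imapd.exe, and the O24 Active Desktop component pointing at C:\WINDOWS\privacy_danger\index.htm, which is most likely what draws the red warning screen. As an added example (not part of the original post, of HijackThis, or of any tool the helpers use), here is a small Python script that applies those triage rules to HijackThis entries. The rules are the editor's own heuristics; the sample lines are excerpted from the log above, with the Java BHO and Winamp entries kept as benign controls.

```python
"""Triage a HijackThis log: flag the autostart/hook entries that usually
matter in a rogue-security-software infection.

Added example for this thread; the rules below are the editor's own
heuristics, not part of HijackThis, ComboFix or Malwarebytes."""
import re
from dataclasses import dataclass

# HijackThis entry lines look like "<kind> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A DLL sitting directly in the Windows directory root (not in a subfolder).
WINROOT_DLL_RE = re.compile(r"[A-Z]:\\WINDOWS\\[^\\]+\.dll\s*$", re.IGNORECASE)

# Constructed sample: lines excerpted from the HijackThis log in post #1,
# including two benign entries (Java's ssv.dll, winampa.exe) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: QXK Olive - {DC6DF9D6-6F2E-4545-8C79-8F9BD0E56482} - C:\WINDOWS\nfavxwdbtex.dll
O3 - Toolbar: fdkowvbp - {BC773027-E244-461F-849E-D2ABB72F17E1} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
O21 - SSODL: eqvwamkl - {473B0BDB-D0DC-4441-9FB6-38D34249409F} - C:\WINDOWS\eqvwamkl.dll
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def parse_entries(text: str):
    """Yield (kind, body, line) for every HijackThis entry line in text."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def check_entry(kind: str, body: str, line: str):
    """Return a Finding if the entry matches a triage rule, else None."""
    if kind == "F2" and "UserInit=" in body:
        # Winlogon runs every comma-separated command in UserInit at logon;
        # only userinit.exe belongs there. Anything else (here wscript.exe
        # running boot.vbs) is a logon-time loader that survives a Run-key
        # cleanup because it lives in a different place.
        value = body.split("UserInit=", 1)[1]
        cmds = [c.strip() for c in value.split(",") if c.strip()]
        extra = [c for c in cmds if not c.lower().endswith("\\userinit.exe")]
        if extra:
            return Finding(kind, "UserInit chain runs extra command(s): " + "; ".join(extra), line)
    if kind in ("O2", "O3", "O21") and WINROOT_DLL_RE.search(body):
        # Legitimately installed BHOs and toolbars live under Program Files
        # or system32; a DLL dropped straight into C:\WINDOWS is suspect.
        return Finding(kind, "DLL loaded from the Windows directory root", line)
    if kind == "O21":
        return Finding(kind, "ShellServiceObjectDelayLoad entry (loaded into Explorer at logon)", line)
    if kind == "O24" and "file:///" in body.lower():
        return Finding(kind, "Active Desktop component rendered from a local HTML file", line)
    if kind == "O4" and "\\Policies\\Explorer\\Run" in body:
        return Finding(kind, "autostart via the Policies\\Explorer\\Run key instead of the normal Run key", line)
    return None


def triage(text: str):
    """Run every rule over the log and return the findings in log order."""
    return [f for f in (check_entry(*e) for e in parse_entries(text)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
```

Run against the sample it reports six findings and leaves the Java and Winamp entries alone, since both load from Program Files. Compare with what happens later in this thread: ComboFix's "Other Deletions" removes exactly the three C:\WINDOWS DLLs the path rule flags, while the imapd.exe entry under Policies\Explorer\Run is still present in the second HijackThis log, which is why a helper reads the whole log rather than stopping at the entry that produced the visible symptom.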

#2 Thunderbird1988 (Member 2k, 2,416 posts)
Hello siddhu7_d,

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Thunderbird1988

#3 siddhu7_d (Topic Starter, Member, 10 posts)
Thanks for the response, Thunderbird!
Will post my logs soon :)

#4 siddhu7_d (Topic Starter, Member, 10 posts)
This is the ComboFix log:
ComboFix 08-08-03.05 - user 2008-08-04 18:21:24.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1859 [GMT 5.5:30]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\eqvwamkl.dll
C:\WINDOWS\fdkowvbp.dll
C:\WINDOWS\nfavxwdbtex.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-04 00:18 . 2008-08-04 01:10 616,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-04 00:18 . 2008-08-04 01:06 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-04 00:18 . 2008-08-04 01:06 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-04 00:18 . 2008-08-04 01:10 3,524 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-04 00:18 . 2008-08-04 01:10 1,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-04 00:18 . 2008-08-04 01:10 1,100 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-04 00:17 . 2008-08-04 00:17 <DIR> d-------- C:\kav
2008-08-04 00:02 . 2008-08-04 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-03 23:59 . 2008-08-03 23:59 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-03 19:38 . 2008-08-03 19:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 19:36 . 2008-08-03 19:36 <DIR> d-------- C:\Deckard
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\_OTMoveIt
2008-08-03 01:10 . 2008-08-03 01:10 <DIR> d---s---- C:\Documents and Settings\user\UserData
2008-08-02 03:17 . 2008-08-02 03:17 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-08-02 02:09 . 2001-08-23 12:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-08-02 02:06 . 2008-08-02 02:06 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 17:05 . 2008-07-23 17:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-21 20:38 . 2008-07-21 20:38 <DIR> d-------- C:\WINDOWS\Sun
2008-07-19 23:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-19 23:36 . 2008-07-19 23:36 <DIR> d-------- C:\Program Files\Java
2008-07-19 23:13 . 2008-07-19 23:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-18 21:53 . 2008-07-18 21:53 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-07-18 21:52 . 2008-07-18 21:52 <DIR> d-------- C:\Documents and Settings\user\Application Data\ArcSoft
2008-07-18 21:51 . 2008-07-18 21:51 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-07-18 21:51 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-07-18 21:51 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-07-18 21:50 . 2008-07-18 21:50 <DIR> d-------- C:\Program Files\ArcSoft
2008-07-18 21:50 . 2008-07-18 21:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\InstallShield
2008-07-18 21:50 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-07-18 21:49 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-07-18 21:48 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-17 22:04 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-07-17 22:01 . 2008-07-17 22:01 <DIR> d-------- C:\Program Files\MSBuild
2008-07-17 22:01 . 2008-07-17 22:01 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-17 21:59 . 2008-07-17 21:59 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-17 21:50 . 2008-07-17 21:50 <DIR> dr-h----- C:\MSOCache
2008-07-17 16:59 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-07-15 23:13 . 2007-02-07 14:21 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-07-15 23:11 . 2006-11-22 22:26 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-07-14 23:11 . 2008-07-14 23:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\Corel
2008-07-14 23:11 . 2008-07-20 20:45 900 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-14 23:11 . 2008-07-20 20:44 88 -r-hs---- C:\WINDOWS\system32\789ED35EEC.sys
2008-07-14 23:10 . 2008-07-14 23:10 <DIR> d-------- C:\Program Files\Corel
2008-07-14 23:10 . 2008-07-14 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-14 12:20 . 2008-07-14 12:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\U3
2008-07-14 12:16 . 2008-07-14 12:16 <DIR> dra-s---- C:\Program Files\FlashGuard
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 20:03 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 20:03 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-13 17:57 . 2008-07-13 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-11 23:59 . 2008-07-11 23:59 <DIR> d-------- C:\Documents and Settings\user\Application Data\Sony
2008-07-11 23:58 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-07-11 23:58 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-07-11 23:58 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-07-11 23:58 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-07-11 23:58 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-07-11 23:58 . 2008-07-11 23:58 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-11 23:47 . 2008-07-11 23:47 <DIR> d-------- C:\Program Files\Total Video Converter
2008-07-11 23:46 . 2008-07-11 23:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
2008-07-11 23:46 . 2008-07-11 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\syswin
2008-07-11 23:46 . 2007-11-22 19:05 550,400 --ahs---- C:\WINDOWS\system32\imapd.exe
2008-07-11 23:46 . 2007-11-22 19:05 199,680 --ahs---- C:\WINDOWS\system32\imapdc.dll
2008-07-11 23:46 . 2007-11-22 19:05 33,280 --ahs---- C:\WINDOWS\system32\imapdb.dll
2008-07-11 23:46 . 2007-11-22 19:06 30,208 --ahs---- C:\WINDOWS\system32\imapdd.dll
2008-07-11 23:46 . 2007-11-22 19:21 29,184 --a------ C:\WINDOWS\system32\wproxp.exe
2008-07-11 23:46 . 2007-11-22 20:31 19,456 --ahs---- C:\WINDOWS\system32\imapdb.exe
2008-07-11 17:26 . 2008-07-11 17:26 <DIR> d-------- C:\Program Files\PhotomatixPro3
2008-07-11 16:50 . 2008-07-11 16:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2008-07-11 16:50 . 2008-07-11 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-10 19:20 . 2008-07-10 19:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2008-07-10 00:40 . 2008-07-10 00:40 <DIR> d-------- C:\Program Files\WMA Converter
2008-07-10 00:40 . 1999-08-09 17:01 632,328 --a------ C:\WINDOWS\system32\wmaudioredist.exe
2008-07-10 00:40 . 1999-08-31 13:36 335,872 --a------ C:\WINDOWS\system32\MsAudio.ocx
2008-07-09 23:58 . 2008-07-09 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-09 23:36 . 2008-07-09 23:36 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-09 23:20 . 2008-07-09 23:21 3,120 --a------ C:\WINDOWS\system32\ALLFSAF6a.ocx
2008-07-09 23:19 . 2007-09-04 14:45 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-07-09 22:50 . 2008-07-09 22:50 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Documents and Settings\user\Application Data\Autodesk
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d-------- C:\Program Files\Autodesk
2008-07-09 22:44 . 2008-07-09 22:44 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-07 23:16 . 2008-07-07 23:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 23:09 . 2008-07-07 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-04 13:58 . 2008-07-04 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-04 13:53 . 2008-07-04 13:53 <DIR> d-------- C:\Program Files\Bonjour
2008-07-04 13:44 . 2008-07-04 13:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-04 12:43 . 2008-07-04 12:43 <DIR> d-------- C:\Program Files\Winamp
2008-07-04 12:40 . 2008-07-04 12:40 <DIR> d-------- C:\Documents and Settings\user\Application Data\uTorrent
2008-07-04 12:39 . 2008-07-04 12:39 <DIR> d-------- C:\Program Files\Google
2008-07-04 11:07 . 2008-07-04 11:07 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 19:36 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-31 12:00 90,112 ----a-w C:\WINDOWS\DUMP758d.tmp
2008-07-03 16:18 --------- d-----w C:\Documents and Settings\user\Application Data\CyberLink
2008-07-03 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-03 16:04 --------- d-----w C:\Program Files\Common Files\xing shared
2008-07-03 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-03 13:01 --------- d-----w C:\Documents and Settings\user\Application Data\vlc
2008-07-03 06:25 --------- d-----w C:\Program Files\VideoLAN
2008-07-03 06:23 --------- d-----w C:\Program Files\Real
2008-07-03 06:23 --------- d-----w C:\Program Files\Common Files\Real
2008-07-03 06:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-03 06:21 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-03 06:21 348,160 ------w C:\WINDOWS\system32\msvcr71.dll
2008-07-03 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-03 06:12 --------- d-----w C:\Program Files\WIDCOMM
2008-07-03 06:07 --------- d-----w C:\Program Files\NetWaiting
2008-07-03 05:34 --------- d-----w C:\Program Files\CyberLink
2008-07-03 05:34 --------- d-----w C:\Program Files\Common Files\Nero
2008-07-03 05:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-03 05:33 --------- d-----w C:\Program Files\Ahead
2008-07-03 04:47 --------- d-----w C:\Program Files\CONEXANT
2008-07-03 04:46 --------- d-----w C:\Program Files\HPQ
2008-07-03 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 04:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-03 04:27 --------- d-----w C:\Program Files\Broadcom
2008-07-02 13:53 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-22 13:35 550,400 --sha-w C:\WINDOWS\system32\imapd.exe
2007-11-22 13:35 33,280 --sha-w C:\WINDOWS\system32\imapdb.dll
2007-11-22 15:01 19,456 --sha-w C:\WINDOWS\system32\imapdb.exe
2007-11-22 13:35 199,680 --sha-w C:\WINDOWS\system32\imapdc.dll
2007-11-22 13:36 30,208 --sha-w C:\WINDOWS\system32\imapdd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-17 02:36 8437760]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe" [2007-08-30 06:32 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-03 21:34 185896]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-06-21 22:44 35328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"imapd"="C:\WINDOWS\system32\imapd.exe" [2007-11-22 19:05 550400]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 07:18:22 10872]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-17 02:36 8437760 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-17 02:36 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-03 21:34 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 22:44 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 14:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-17 02:36 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"=
"C:\\Program Files\\Google\\Google SketchUp 6\\LayOut\\LayOut.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"G:\\dumps\\utorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 usbvm328;HP Camera;C:\WINDOWS\system32\Drivers\usbvm326.sys [2006-10-13 06:12]
S3 vmfilter323;VC0326 filter service for Serome;C:\WINDOWS\system32\drivers\vmfilter323.sys [2006-08-11 09:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{333bfe20-555b-11dd-9be1-001636f0f7df}]
\Shell\AutoRun\command - H:\System\Security\DriveGuard.exe -run
\Shell\Explore\Command - H:\System\Security\DriveGuard.exe -run
\Shell\Open\Command - H:\System\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85ad2224-5310-11dd-9bdc-001636f0f7df}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1513ac7-5ec8-11dd-9bf3-001636f0f7df}]
\Shell\AutoRun\command - I:\System\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - I:\System\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - I:\System\DriveGuard\DriveProtect.exe -run 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf163b82-48fe-11dd-9bbd-001636f0f7df}]
\Shell\Auto\command - gb32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL gb32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c42b2c3c-4c4a-11dd-9bc7-001636f0f7df}]
\Shell\AutoRun\command - H:\System\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - H:\System\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - H:\System\DriveGuard\DriveProtect.exe -run 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78f1380-571d-11dd-9be5-001636f0f7df}]
\Shell\AutoRun\command - H:\System\Security\DriveGuard.exe -run
\Shell\Explore\Command - H:\System\Security\DriveGuard.exe -run
\Shell\Open\Command - H:\System\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feccafa4-516e-11dd-9bda-001636f0f7df}]
\Shell\AutoRun\command - J:\System\Security\DriveGuard.exe -run
\Shell\Explore\Command - J:\System\Security\DriveGuard.exe -run
\Shell\Open\Command - J:\System\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feccafa5-516e-11dd-9bda-001636f0f7df}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feccafa7-516e-11dd-9bda-001636f0f7df}]
\Shell\AutoRun\command - H:\System\Security\DriveGuard.exe -run
\Shell\Explore\Command - H:\System\Security\DriveGuard.exe -run
\Shell\Open\Command - H:\System\Security\DriveGuard.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feccafa8-516e-11dd-9bda-001636f0f7df}]
\Shell\AutoRun\command - H:\WD_Windows_Tools\Setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{BC773027-E244-461F-849E-D2ABB72F17E1} - C:\WINDOWS\fdkowvbp.dll
MSConfigStartUp-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\w766s9w6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.abduzeedo.com
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 18:33:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 18:35:12
ComboFix-quarantined-files.txt 2008-08-04 13:05:06

Pre-Run: 7,802,388,480 bytes free
Post-Run: 7,744,012,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
D:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons




This is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:41 PM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{880D8573-9C61-4DE4-B469-1836B9A473B8}: NameServer = 172.19.0.1,202.56.250.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 6343 bytes

#5 Thunderbird1988
Hello siddhu7_d,

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

C:\WINDOWS\system32\imapd.exe
C:\WINDOWS\system32\imapdc.dll
C:\WINDOWS\system32\imapdb.dll
C:\WINDOWS\system32\imapdd.dll
C:\WINDOWS\system32\wproxp.exe
C:\WINDOWS\system32\imapdb.exe

Folder::

C:\Program Files\FlashGuard

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{333bfe20-555b-11dd-9be1-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85ad2224-5310-11dd-9bdc-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1513ac7-5ec8-11dd-9bf3-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf163b82-48fe-11dd-9bbd-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c42b2c3c-4c4a-11dd-9bc7-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78f1380-571d-11dd-9be5-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feccafa4-516e-11dd-9bda-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feccafa5-516e-11dd-9bda-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feccafa7-516e-11dd-9bda-001636f0f7df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{feccafa8-516e-11dd-9bda-001636f0f7df}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Thunderbird1988

#6 siddhu7_d
Thank you very much, Thunderbird, for your time. Highly appreciate it, man!!

This is my new ComboFix log

ComboFix 08-08-03.05 - user 2008-08-04 23:02:01.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2003 [GMT 5.5:30]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-04 00:18 . 2008-08-04 22:54 625,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-04 00:18 . 2008-08-04 01:06 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-04 00:18 . 2008-08-04 01:06 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-04 00:18 . 2008-08-04 22:54 11,468 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-04 00:18 . 2008-08-04 22:54 3,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-04 00:18 . 2008-08-04 22:54 2,336 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-04 00:17 . 2008-08-04 00:17 <DIR> d-------- C:\kav
2008-08-04 00:02 . 2008-08-04 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-03 23:59 . 2008-08-03 23:59 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-03 19:38 . 2008-08-03 19:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 19:36 . 2008-08-03 19:36 <DIR> d-------- C:\Deckard
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\_OTMoveIt
2008-08-03 01:10 . 2008-08-03 01:10 <DIR> d---s---- C:\Documents and Settings\user\UserData
2008-08-02 03:17 . 2008-08-02 03:17 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-08-02 02:09 . 2001-08-23 12:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-08-02 02:06 . 2008-08-02 02:06 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 17:05 . 2008-07-23 17:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-21 20:38 . 2008-07-21 20:38 <DIR> d-------- C:\WINDOWS\Sun
2008-07-19 23:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-19 23:36 . 2008-07-19 23:36 <DIR> d-------- C:\Program Files\Java
2008-07-19 23:13 . 2008-07-19 23:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-18 21:53 . 2008-07-18 21:53 <DIR> d-------- C:\WINDOWS\EffectResources
2008-07-18 21:52 . 2008-07-18 21:52 <DIR> d-------- C:\Documents and Settings\user\Application Data\ArcSoft
2008-07-18 21:51 . 2008-07-18 21:51 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-07-18 21:51 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-07-18 21:51 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-07-18 21:50 . 2008-07-18 21:50 <DIR> d-------- C:\Program Files\ArcSoft
2008-07-18 21:50 . 2008-07-18 21:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\InstallShield
2008-07-18 21:50 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-07-18 21:49 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-07-18 21:48 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-17 22:04 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-07-17 22:01 . 2008-07-17 22:01 <DIR> d-------- C:\Program Files\MSBuild
2008-07-17 22:01 . 2008-07-17 22:01 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-17 21:59 . 2008-07-17 21:59 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-17 21:50 . 2008-07-17 21:50 <DIR> dr-h----- C:\MSOCache
2008-07-17 16:59 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-07-15 23:13 . 2007-02-07 14:21 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-07-15 23:11 . 2006-11-22 22:26 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-07-14 23:11 . 2008-07-14 23:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\Corel
2008-07-14 23:11 . 2008-07-20 20:45 900 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-14 23:11 . 2008-07-20 20:44 88 -r-hs---- C:\WINDOWS\system32\789ED35EEC.sys
2008-07-14 23:10 . 2008-07-14 23:10 <DIR> d-------- C:\Program Files\Corel
2008-07-14 23:10 . 2008-07-14 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-14 12:20 . 2008-07-14 12:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\U3
2008-07-14 12:16 . 2008-07-14 12:16 <DIR> dra-s---- C:\Program Files\FlashGuard
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 20:03 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 20:03 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-13 17:57 . 2008-07-13 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-11 23:59 . 2008-07-11 23:59 <DIR> d-------- C:\Documents and Settings\user\Application Data\Sony
2008-07-11 23:58 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-07-11 23:58 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-07-11 23:58 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-07-11 23:58 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-07-11 23:58 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-07-11 23:58 . 2008-07-11 23:58 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-11 23:47 . 2008-07-11 23:47 <DIR> d-------- C:\Program Files\Total Video Converter
2008-07-11 23:46 . 2008-07-11 23:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
2008-07-11 23:46 . 2008-07-11 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\syswin
2008-07-11 23:46 . 2007-11-22 19:05 550,400 --ahs---- C:\WINDOWS\system32\imapd.exe
2008-07-11 23:46 . 2007-11-22 19:05 199,680 --ahs---- C:\WINDOWS\system32\imapdc.dll
2008-07-11 23:46 . 2007-11-22 19:05 33,280 --ahs---- C:\WINDOWS\system32\imapdb.dll
2008-07-11 23:46 . 2007-11-22 19:06 30,208 --ahs---- C:\WINDOWS\system32\imapdd.dll
2008-07-11 23:46 . 2007-11-22 19:21 29,184 --a------ C:\WINDOWS\system32\wproxp.exe
2008-07-11 23:46 . 2007-11-22 20:31 19,456 --ahs---- C:\WINDOWS\system32\imapdb.exe
2008-07-11 17:26 . 2008-07-11 17:26 <DIR> d-------- C:\Program Files\PhotomatixPro3
2008-07-11 16:50 . 2008-07-11 16:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2008-07-11 16:50 . 2008-07-11 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-10 19:20 . 2008-07-10 19:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2008-07-10 00:40 . 2008-07-10 00:40 <DIR> d-------- C:\Program Files\WMA Converter
2008-07-10 00:40 . 1999-08-09 17:01 632,328 --a------ C:\WINDOWS\system32\wmaudioredist.exe
2008-07-10 00:40 . 1999-08-31 13:36 335,872 --a------ C:\WINDOWS\system32\MsAudio.ocx
2008-07-09 23:58 . 2008-07-09 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-09 23:36 . 2008-07-09 23:36 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-09 23:20 . 2008-07-09 23:21 3,120 --a------ C:\WINDOWS\system32\ALLFSAF6a.ocx
2008-07-09 23:19 . 2007-09-04 14:45 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-07-09 22:50 . 2008-07-09 22:50 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Documents and Settings\user\Application Data\Autodesk
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d-------- C:\Program Files\Autodesk
2008-07-09 22:44 . 2008-07-09 22:44 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-07 23:16 . 2008-07-07 23:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 23:09 . 2008-07-07 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-04 13:58 . 2008-07-04 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-04 13:53 . 2008-07-04 13:53 <DIR> d-------- C:\Program Files\Bonjour
2008-07-04 13:44 . 2008-07-04 13:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-04 12:43 . 2008-07-04 12:43 <DIR> d-------- C:\Program Files\Winamp
2008-07-04 12:40 . 2008-07-04 12:40 <DIR> d-------- C:\Documents and Settings\user\Application Data\uTorrent
2008-07-04 12:39 . 2008-07-04 12:39 <DIR> d-------- C:\Program Files\Google
2008-07-04 11:07 . 2008-07-04 11:07 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 19:36 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-31 12:00 90,112 ----a-w C:\WINDOWS\DUMP758d.tmp
2008-07-03 16:18 --------- d-----w C:\Documents and Settings\user\Application Data\CyberLink
2008-07-03 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-03 16:04 --------- d-----w C:\Program Files\Common Files\xing shared
2008-07-03 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-03 13:01 --------- d-----w C:\Documents and Settings\user\Application Data\vlc
2008-07-03 06:25 --------- d-----w C:\Program Files\VideoLAN
2008-07-03 06:23 --------- d-----w C:\Program Files\Real
2008-07-03 06:23 --------- d-----w C:\Program Files\Common Files\Real
2008-07-03 06:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-03 06:21 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-03 06:21 348,160 ------w C:\WINDOWS\system32\msvcr71.dll
2008-07-03 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-03 06:12 --------- d-----w C:\Program Files\WIDCOMM
2008-07-03 06:07 --------- d-----w C:\Program Files\NetWaiting
2008-07-03 05:34 --------- d-----w C:\Program Files\CyberLink
2008-07-03 05:34 --------- d-----w C:\Program Files\Common Files\Nero
2008-07-03 05:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-03 05:33 --------- d-----w C:\Program Files\Ahead
2008-07-03 04:47 --------- d-----w C:\Program Files\CONEXANT
2008-07-03 04:46 --------- d-----w C:\Program Files\HPQ
2008-07-03 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 04:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-03 04:27 --------- d-----w C:\Program Files\Broadcom
2008-07-02 13:53 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-22 13:35 550,400 --sha-w C:\WINDOWS\system32\imapd.exe
2007-11-22 13:35 33,280 --sha-w C:\WINDOWS\system32\imapdb.dll
2007-11-22 15:01 19,456 --sha-w C:\WINDOWS\system32\imapdb.exe
2007-11-22 13:35 199,680 --sha-w C:\WINDOWS\system32\imapdc.dll
2007-11-22 13:36 30,208 --sha-w C:\WINDOWS\system32\imapdd.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_18.34.00.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-03 19:45:44 53,806 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-04 17:30:04 53,806 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-03 19:45:44 383,492 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-04 17:30:04 383,492 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-17 02:36 8437760]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe" [2007-08-30 06:32 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-03 21:34 185896]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-06-21 22:44 35328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"imapd"="C:\WINDOWS\system32\imapd.exe" [2007-11-22 19:05 550400]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 07:18:22 10872]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-17 02:36 8437760 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-17 02:36 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-03 21:34 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 22:44 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 14:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-17 02:36 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"=
"C:\\Program Files\\Google\\Google SketchUp 6\\LayOut\\LayOut.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"G:\\dumps\\utorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 usbvm328;HP Camera;C:\WINDOWS\system32\Drivers\usbvm326.sys [2006-10-13 06:12]
S3 vmfilter323;VC0326 filter service for Serome;C:\WINDOWS\system32\drivers\vmfilter323.sys [2006-08-11 09:30]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 23:12:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 23:13:33
ComboFix-quarantined-files.txt 2008-08-04 17:43:28
ComboFix2.txt 2008-08-04 13:05:16

Pre-Run: 7,785,136,128 bytes free
Post-Run: 7,760,576,512 bytes free

231




This is my new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:04 PM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{880D8573-9C61-4DE4-B469-1836B9A473B8}: NameServer = 172.19.0.1,202.56.250.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 6344 bytes
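An added triage helper for the two log formats posted in this thread; this is example code, not part of the thread and not code from ComboFix or HijackThis. It parses ComboFix "Files Created" lines and HijackThis O4 lines, flags executables sitting in system32 with the hidden+system attributes and autostarts under Policies\Explorer\Run (the two signals behind the imapd entries the helper scripted out in post #5), and renders the flagged paths in the File:: layout of a CFScript. The sample lines are copied from the logs above; the heuristics are this example's own simplification and are narrower than a helper's judgement (wproxp.exe, listed without the hidden attribute, is deliberately not caught).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ComboFix "Files Created" line, e.g.
#   2008-07-11 23:46 . 2007-11-22 19:05 550,400 --ahs---- C:\WINDOWS\system32\imapd.exe
# The 9-char attribute field uses d=directory r=read-only a=archive h=hidden s=system.
COMBOFIX_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) +(?P<attrs>[drahs-]{9}) (?P<path>.+?)\s*$")
# HijackThis O4 registry autostart line, e.g.
#   O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
HJT_O4_RE = re.compile(
    r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)\s*$")
# First Windows path ending in .exe/.dll inside a command line, quoted or not.
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)

SYSTEM32_PREFIX = "c:\\windows\\system32\\"
POLICY_RUN_KEY = "policies\\explorer\\run"  # autostart key that normal installers rarely use

@dataclass(frozen=True)
class FileEntry:
    path: str
    size: Optional[int]  # None for <DIR> entries
    hidden: bool
    system: bool
    is_dir: bool

@dataclass(frozen=True)
class AutostartEntry:
    key: str
    name: str
    target: Optional[str]  # executable path pulled out of the command line

@dataclass(frozen=True)
class Finding:
    path: str
    reason: str

def parse_combofix_file_line(line: str) -> Optional[FileEntry]:
    """Parse one ComboFix file-listing line; any other line gives None."""
    m = COMBOFIX_FILE_RE.match(line)
    if not m:
        return None
    attrs = m.group("attrs")
    size = int(m.group("size").replace(",", "")) if m.group("size") else None
    return FileEntry(m.group("path"), size, "h" in attrs, "s" in attrs, attrs[0] == "d")

def parse_hjt_o4_line(line: str) -> Optional[AutostartEntry]:
    """Parse a registry O4 line; Global Startup and non-O4 lines give None."""
    m = HJT_O4_RE.match(line)
    if not m:
        return None
    target = EXE_PATH_RE.search(m.group("cmd"))
    return AutostartEntry(m.group("key"), m.group("name"),
                          target.group(0) if target else None)

def triage(combofix_lines: List[str], hjt_lines: List[str]) -> List[Finding]:
    """Flag hidden+system executables in system32 and Policies\\Explorer\\Run autostarts."""
    found: Dict[str, Finding] = {}  # keyed by lower-cased path (Windows paths are case-insensitive)

    def add(path: str, reason: str) -> None:
        prev = found.get(path.lower())
        found[path.lower()] = Finding(path, f"{prev.reason}; {reason}" if prev else reason)

    for line in combofix_lines:
        e = parse_combofix_file_line(line)
        if e and not e.is_dir and e.hidden and e.system:
            low = e.path.lower()
            if low.startswith(SYSTEM32_PREFIX) and low.endswith((".exe", ".dll")):
                add(e.path, "hidden+system executable in system32")

    for line in hjt_lines:
        a = parse_hjt_o4_line(line)
        if a is None or a.target is None:
            continue
        if a.key.lower() == POLICY_RUN_KEY:
            add(a.target, "autostart under Policies\\Explorer\\Run")
        elif a.target.lower() in found:
            add(a.target, "also registered as an autostart")
    return [found[k] for k in sorted(found)]

def build_cfscript(findings: List[Finding]) -> str:
    """Render the flagged paths in the File:: section layout the helper used above."""
    return "\n".join(["File::", ""] + [f.path for f in findings]) + "\n"

# Sample lines copied from the logs in this thread, suspicious and benign mixed.
SAMPLE_COMBOFIX = [
    r"2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\Kaspersky Lab",
    r"2008-08-04 00:18 . 2008-08-04 22:54 625,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat",
    r"2008-07-11 23:46 . 2007-11-22 19:05 550,400 --ahs---- C:\WINDOWS\system32\imapd.exe",
    r"2008-07-11 23:46 . 2007-11-22 19:05 199,680 --ahs---- C:\WINDOWS\system32\imapdc.dll",
    r"2008-07-11 23:46 . 2007-11-22 19:21 29,184 --a------ C:\WINDOWS\system32\wproxp.exe",
]
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe",
    r'O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at',
    r"O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe",
]
```

`print(build_cfscript(triage(SAMPLE_COMBOFIX, SAMPLE_HJT)))` prints a File:: section listing imapd.exe and imapdc.dll; the Kaspersky fidbox.dat is hidden+system too but is skipped because it is not an executable.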

#7 Thunderbird1988
Hello siddhu7_d,

Combofix seems to have a bug. Please remove it, and download a new copy from here

After that, please do the following.

Please run Flash Disinfector again, described in my previous post.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

C:\WINDOWS\system32\imapd.exe
C:\WINDOWS\system32\imapdc.dll
C:\WINDOWS\system32\imapdb.dll
C:\WINDOWS\system32\imapdd.dll
C:\WINDOWS\system32\wproxp.exe
C:\WINDOWS\system32\imapdb.exe

Folder::

C:\Program Files\FlashGuard



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Thunderbird1988

Edited by Thunderbird1988, 05 August 2008 - 11:39 AM.
Updated instructions


#8 Thunderbird1988
I have updated my instructions. If you have read the instructions in post #7 (The post above this one) before I posted this, please read the instructions again.

Thunderbird1988
  • 0

#9
siddhu7_d

siddhu7_d

    Member

  • Topic Starter
  • Member
  • 10 posts
Hey thunderbird! Thanks for your kind assistance. Sorry I wasn't "quick replying", I was out for a couple of days!
Will post the logs soon, now that I'm back!
Thanks again!

And btw.. the red screen has gone and so have the popups! But anyway, you'll be knowing if it's clean totally!

Edited by siddhu7_d, 06 August 2008 - 01:46 PM.

  • 0

#10
siddhu7_d

siddhu7_d

    Member

  • Topic Starter
  • Member
  • 10 posts
This is my new ComboFix Log..

ComboFix 08-08-06.01 - user 2008-08-07 1:22:46.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2008 [GMT 5.5:30]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\imapd.exe
C:\WINDOWS\system32\imapdb.dll
C:\WINDOWS\system32\imapdb.exe
C:\WINDOWS\system32\imapdc.dll
C:\WINDOWS\system32\imapdd.dll
C:\WINDOWS\system32\wproxp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FlashGuard
C:\Program Files\FlashGuard\ReadMe.txt
C:\WINDOWS\system32\imapd.exe
C:\WINDOWS\system32\imapdb.dll
C:\WINDOWS\system32\imapdb.exe
C:\WINDOWS\system32\imapdc.dll
C:\WINDOWS\system32\imapdd.dll
C:\WINDOWS\system32\wproxp.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-04 00:18 . 2008-08-07 01:18 634,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-04 00:18 . 2008-08-07 00:41 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-04 00:18 . 2008-08-04 01:06 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-04 00:18 . 2008-08-07 01:18 11,588 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-04 00:18 . 2008-08-07 01:18 3,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-04 00:18 . 2008-08-07 01:18 2,336 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-04 00:17 . 2008-08-04 00:17 <DIR> d-------- C:\kav
2008-08-04 00:02 . 2008-08-04 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-03 19:38 . 2008-08-03 19:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 19:36 . 2008-08-03 19:36 <DIR> d-------- C:\Deckard
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\_OTMoveIt
2008-08-03 01:10 . 2008-08-03 01:10 <DIR> d---s---- C:\Documents and Settings\user\UserData
2008-08-02 03:17 . 2008-08-02 03:17 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-08-02 02:09 . 2001-08-23 12:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-08-02 02:06 . 2008-08-02 02:06 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 17:05 . 2008-07-23 17:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-21 20:38 . 2008-07-21 20:38 <DIR> d-------- C:\WINDOWS\Sun
2008-07-19 23:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-19 23:36 . 2008-07-19 23:36 <DIR> d-------- C:\Program Files\Java
2008-07-19 23:13 . 2008-07-19 23:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-18 21:53 . 2008-07-18 21:53 <DIR> d-------- C:\WINDOWS\EffectResources
2008-07-18 21:52 . 2008-07-18 21:52 <DIR> d-------- C:\Documents and Settings\user\Application Data\ArcSoft
2008-07-18 21:51 . 2008-07-18 21:51 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-07-18 21:51 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-07-18 21:51 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-07-18 21:50 . 2008-07-18 21:50 <DIR> d-------- C:\Program Files\ArcSoft
2008-07-18 21:50 . 2008-07-18 21:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\InstallShield
2008-07-18 21:50 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-07-18 21:49 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-07-18 21:48 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-17 22:04 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-07-17 22:01 . 2008-07-17 22:01 <DIR> d-------- C:\Program Files\MSBuild
2008-07-17 22:01 . 2008-07-17 22:01 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-17 21:59 . 2008-07-17 21:59 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-17 21:50 . 2008-07-17 21:50 <DIR> dr-h----- C:\MSOCache
2008-07-17 16:59 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-07-15 23:13 . 2007-02-07 14:21 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-07-15 23:11 . 2006-11-22 22:26 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-07-14 23:11 . 2008-07-14 23:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\Corel
2008-07-14 23:11 . 2008-07-20 20:45 900 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-14 23:11 . 2008-07-20 20:44 88 -r-hs---- C:\WINDOWS\system32\789ED35EEC.sys
2008-07-14 23:10 . 2008-07-14 23:10 <DIR> d-------- C:\Program Files\Corel
2008-07-14 23:10 . 2008-07-14 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-14 12:20 . 2008-07-14 12:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\U3
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 20:03 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 20:03 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-13 17:57 . 2008-07-13 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-11 23:59 . 2008-07-11 23:59 <DIR> d-------- C:\Documents and Settings\user\Application Data\Sony
2008-07-11 23:58 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-07-11 23:58 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-07-11 23:58 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-07-11 23:58 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-07-11 23:58 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-07-11 23:58 . 2008-07-11 23:58 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-11 23:47 . 2008-07-11 23:47 <DIR> d-------- C:\Program Files\Total Video Converter
2008-07-11 23:46 . 2008-07-11 23:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
2008-07-11 23:46 . 2008-07-11 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\syswin
2008-07-11 17:26 . 2008-07-11 17:26 <DIR> d-------- C:\Program Files\PhotomatixPro3
2008-07-11 16:50 . 2008-07-11 16:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2008-07-11 16:50 . 2008-07-11 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-10 19:20 . 2008-07-10 19:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2008-07-10 00:40 . 2008-07-10 00:40 <DIR> d-------- C:\Program Files\WMA Converter
2008-07-10 00:40 . 1999-08-09 17:01 632,328 --a------ C:\WINDOWS\system32\wmaudioredist.exe
2008-07-10 00:40 . 1999-08-31 13:36 335,872 --a------ C:\WINDOWS\system32\MsAudio.ocx
2008-07-09 23:58 . 2008-07-09 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-09 23:36 . 2008-07-09 23:36 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-09 23:20 . 2008-07-09 23:21 3,120 --a------ C:\WINDOWS\system32\ALLFSAF6a.ocx
2008-07-09 23:19 . 2007-09-04 14:45 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-07-09 22:50 . 2008-07-09 22:50 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Documents and Settings\user\Application Data\Autodesk
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d-------- C:\Program Files\Autodesk
2008-07-09 22:44 . 2008-07-09 22:44 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-07 23:16 . 2008-07-07 23:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 23:09 . 2008-07-07 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 19:36 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-31 12:00 90,112 ----a-w C:\WINDOWS\DUMP758d.tmp
2008-07-04 08:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-04 08:23 --------- d-----w C:\Program Files\Bonjour
2008-07-04 08:14 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-04 07:13 --------- d-----w C:\Program Files\Winamp
2008-07-04 07:10 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-07-04 07:09 --------- d-----w C:\Program Files\Google
2008-07-03 16:18 --------- d-----w C:\Documents and Settings\user\Application Data\CyberLink
2008-07-03 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-03 16:04 --------- d-----w C:\Program Files\Common Files\xing shared
2008-07-03 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-03 13:01 --------- d-----w C:\Documents and Settings\user\Application Data\vlc
2008-07-03 06:25 --------- d-----w C:\Program Files\VideoLAN
2008-07-03 06:23 --------- d-----w C:\Program Files\Real
2008-07-03 06:23 --------- d-----w C:\Program Files\Common Files\Real
2008-07-03 06:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-03 06:21 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-03 06:21 348,160 ------w C:\WINDOWS\system32\msvcr71.dll
2008-07-03 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-03 06:12 --------- d-----w C:\Program Files\WIDCOMM
2008-07-03 06:07 --------- d-----w C:\Program Files\NetWaiting
2008-07-03 05:34 --------- d-----w C:\Program Files\CyberLink
2008-07-03 05:34 --------- d-----w C:\Program Files\Common Files\Nero
2008-07-03 05:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-03 05:33 --------- d-----w C:\Program Files\Ahead
2008-07-03 04:47 --------- d-----w C:\Program Files\CONEXANT
2008-07-03 04:46 --------- d-----w C:\Program Files\HPQ
2008-07-03 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 04:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-03 04:27 --------- d-----w C:\Program Files\Broadcom
2008-07-02 13:53 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_18.34.00.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-06 19:06:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-06 19:06:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-03 19:45:44 53,806 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-06 19:53:16 53,806 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-03 19:45:44 383,492 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-06 19:53:16 383,492 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-17 02:36 8437760]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe" [2007-08-30 06:32 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-03 21:34 185896]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-06-21 22:44 35328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 07:18:22 10872]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-17 02:36 8437760 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-17 02:36 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-03 21:34 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 22:44 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 14:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-17 02:36 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"=
"C:\\Program Files\\Google\\Google SketchUp 6\\LayOut\\LayOut.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"G:\\dumps\\utorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 usbvm328;HP Camera;C:\WINDOWS\system32\Drivers\usbvm326.sys [2006-10-13 06:12]
S3 vmfilter323;VC0326 filter service for Serome;C:\WINDOWS\system32\drivers\vmfilter323.sys [2006-08-11 09:30]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-imapd - C:\WINDOWS\system32\imapd.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 01:34:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 1:35:44
ComboFix-quarantined-files.txt 2008-08-06 20:05:40
ComboFix3.txt 2008-08-04 13:05:16
ComboFix2.txt 2008-08-04 17:43:38

Pre-Run: 7,695,302,656 bytes free
Post-Run: 7,665,319,936 bytes free


This is the new HijackThis log..


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:28 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{880D8573-9C61-4DE4-B469-1836B9A473B8}: NameServer = 172.19.0.1,202.56.250.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 6216 bytes
  • 0


#11
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello siddhu7_d,

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Thunderbird1988
  • 0

#12
siddhu7_d

siddhu7_d

    Member

  • Topic Starter
  • Member
  • 10 posts
Hi Thunderbird! Here is the Kaspersky report! Thanks!

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 07, 2008 11:20:10
Records in database: 1066322
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
Scan statistics
Files scanned 81440
Threat name 1
Infected objects 13
Suspicious objects 0
Duration of the scan 01:51:34

File name Threat name Threats count
C:\Documents and Settings\user\Application Data\dxdlls\dxdlg.exe Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\Documents and Settings\user\Application Data\dxdlls\imapd.exe Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\Documents and Settings\user\Application Data\dxdlls\imapdb.dll Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\Documents and Settings\user\Application Data\dxdlls\imapdb.exe Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\Documents and Settings\user\Application Data\dxdlls\imapdc.dll Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\System Volume Information\_restore{3ACC047A-64DD-4355-A97E-5728BA7AFE43}\RP10\A0000548.EXE Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\System Volume Information\_restore{3ACC047A-64DD-4355-A97E-5728BA7AFE43}\RP10\A0000549.DLL Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\System Volume Information\_restore{3ACC047A-64DD-4355-A97E-5728BA7AFE43}\RP10\A0000550.EXE Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\System Volume Information\_restore{3ACC047A-64DD-4355-A97E-5728BA7AFE43}\RP10\A0000551.dll Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\QooBox\Quarantine\C\WINDOWS\system32\imapd.exe.vir Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\QooBox\Quarantine\C\WINDOWS\system32\imapdb.dll.vir Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\QooBox\Quarantine\C\WINDOWS\system32\imapdb.exe.vir Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\QooBox\Quarantine\C\WINDOWS\system32\imapdc.dll.vir Infected: not-a-virus:Monitor.Win32.ActMon.511 1
The selected area was scanned.
  • 0
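The report above lists the same detection name in three different places: the live Application Data\dxdlls folder, System Restore snapshots under System Volume Information, and ComboFix's own QooBox quarantine. Only the live copies matter for the next CFScript (compare the File:: list in the helper's following post, which names exactly the five dxdlls files). The script below is an added example, not code from this thread or from Kaspersky/ComboFix: it parses report lines in the format shown, sorts each hit by where it lives, and renders the File:: section in the layout used earlier in the thread. The sample lines are copied from the report above; the classification rules are this example's own assumptions about the two inert locations.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the Kaspersky Online Scanner 7 report posted
# in this thread (trimmed to four detections plus the header and footer).
SAMPLE_REPORT = r"""File name Threat name Threats count
C:\Documents and Settings\user\Application Data\dxdlls\dxdlg.exe Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\Documents and Settings\user\Application Data\dxdlls\imapd.exe Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\System Volume Information\_restore{3ACC047A-64DD-4355-A97E-5728BA7AFE43}\RP10\A0000548.EXE Infected: not-a-virus:Monitor.Win32.ActMon.511 1
C:\QooBox\Quarantine\C\WINDOWS\system32\imapd.exe.vir Infected: not-a-virus:Monitor.Win32.ActMon.511 1
The selected area was scanned.
"""

# One report line reads "<path> Infected: <threat> <count>". The path can
# contain spaces, so it is matched non-greedily up to the literal " Infected: ".
_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed inert locations: copies here cannot run unless deliberately restored.
_RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)
_COMBOFIX_QUARANTINE = re.compile(r"\\QooBox\\Quarantine\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    threat: str
    count: int


def classify(path: str) -> str:
    """Return 'restore_point', 'combofix_quarantine' or 'live' for a detected path.
    Only 'live' files are candidates for the next removal script."""
    if _RESTORE_POINT.search(path):
        return "restore_point"
    if _COMBOFIX_QUARANTINE.search(path):
        return "combofix_quarantine"
    return "live"


def parse_report(text: str) -> List[Detection]:
    """Extract every detection line from a Kaspersky Online Scanner report;
    header, footer and statistics lines do not match and are skipped."""
    detections = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            detections.append(Detection(m["path"], m["threat"], int(m["count"])))
    return detections


def live_paths(detections: List[Detection]) -> List[str]:
    """Paths of live-file-system detections, in report order, de-duplicated
    case-insensitively (Windows paths are case-insensitive)."""
    seen = set()
    result = []
    for d in detections:
        key = d.path.lower()
        if classify(d.path) == "live" and key not in seen:
            seen.add(key)
            result.append(d.path)
    return result


def build_cfscript(paths: List[str]) -> str:
    """Render the File:: section of a CFScript.txt in the layout used in this
    thread: the directive, a blank line, then one full path per line."""
    return "File::\n\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for d in dets:
        print(f"{classify(d.path):20} {d.threat}  {d.path}")
    print()
    print(build_cfscript(live_paths(dets)))
```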

#13
Thunderbird1988

Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello siddhu7_d,

Please run Flash Disinfector one more time.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

C:\Documents and Settings\user\Application Data\dxdlls\imapdc.dll
C:\Documents and Settings\user\Application Data\dxdlls\dxdlg.exe
C:\Documents and Settings\user\Application Data\dxdlls\imapd.exe
C:\Documents and Settings\user\Application Data\dxdlls\imapdb.dll
C:\Documents and Settings\user\Application Data\dxdlls\imapdb.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Thunderbird1988
  • 0

#14
siddhu7_d

siddhu7_d

    Member

  • Topic Starter
  • Member
  • 10 posts
Hello Thunderbird! Sorry for the delay!
This is the ComboFix Log

ComboFix 08-08-06.01 - user 2008-08-09 14:25:06.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2069 [GMT 5.5:30]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\user\Application Data\dxdlls\dxdlg.exe
C:\Documents and Settings\user\Application Data\dxdlls\imapd.exe
C:\Documents and Settings\user\Application Data\dxdlls\imapdb.dll
C:\Documents and Settings\user\Application Data\dxdlls\imapdb.exe
C:\Documents and Settings\user\Application Data\dxdlls\imapdc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Application Data\dxdlls\dxdlg.exe
C:\Documents and Settings\user\Application Data\dxdlls\imapd.exe
C:\Documents and Settings\user\Application Data\dxdlls\imapdb.dll
C:\Documents and Settings\user\Application Data\dxdlls\imapdb.exe
C:\Documents and Settings\user\Application Data\dxdlls\imapdc.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-04 00:18 . 2008-08-04 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-04 00:18 . 2008-08-09 14:11 697,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-04 00:18 . 2008-08-07 00:41 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-04 00:18 . 2008-08-04 01:06 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-04 00:18 . 2008-08-09 14:11 12,428 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-04 00:18 . 2008-08-09 14:11 6,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-04 00:18 . 2008-08-09 14:11 3,812 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-04 00:17 . 2008-08-04 00:17 <DIR> d-------- C:\kav
2008-08-04 00:02 . 2008-08-04 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-03 19:38 . 2008-08-03 19:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 19:36 . 2008-08-03 19:36 <DIR> d-------- C:\Deckard
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\_OTMoveIt
2008-08-03 01:10 . 2008-08-03 01:10 <DIR> d---s---- C:\Documents and Settings\user\UserData
2008-08-02 03:17 . 2008-08-02 03:17 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-08-02 02:09 . 2001-08-23 12:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-08-02 02:06 . 2008-08-02 02:06 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 17:05 . 2008-07-23 17:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-21 20:38 . 2008-07-21 20:38 <DIR> d-------- C:\WINDOWS\Sun
2008-07-19 23:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-19 23:36 . 2008-07-19 23:36 <DIR> d-------- C:\Program Files\Java
2008-07-19 23:13 . 2008-07-19 23:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-18 21:53 . 2008-07-18 21:53 <DIR> d-------- C:\WINDOWS\EffectResources
2008-07-18 21:52 . 2008-07-18 21:52 <DIR> d-------- C:\Documents and Settings\user\Application Data\ArcSoft
2008-07-18 21:51 . 2008-07-18 21:51 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-07-18 21:51 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-07-18 21:51 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-07-18 21:50 . 2008-07-18 21:50 <DIR> d-------- C:\Program Files\ArcSoft
2008-07-18 21:50 . 2008-07-18 21:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\InstallShield
2008-07-18 21:50 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-07-18 21:49 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-07-18 21:48 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-17 22:04 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-07-17 22:01 . 2008-07-17 22:01 <DIR> d-------- C:\Program Files\MSBuild
2008-07-17 22:01 . 2008-07-17 22:01 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-17 21:59 . 2008-07-17 21:59 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-17 21:50 . 2008-07-17 21:50 <DIR> dr-h----- C:\MSOCache
2008-07-17 16:59 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-07-15 23:13 . 2007-02-07 14:21 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-07-15 23:11 . 2006-11-22 22:26 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-07-14 23:11 . 2008-07-14 23:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\Corel
2008-07-14 23:11 . 2008-07-20 20:45 900 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-14 23:11 . 2008-07-20 20:44 88 -r-hs---- C:\WINDOWS\system32\789ED35EEC.sys
2008-07-14 23:10 . 2008-07-14 23:10 <DIR> d-------- C:\Program Files\Corel
2008-07-14 23:10 . 2008-07-14 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-07-14 12:20 . 2008-07-14 12:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\U3
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-13 20:03 . 2008-07-13 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 20:03 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-13 20:03 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-13 17:57 . 2008-07-13 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-11 23:59 . 2008-07-11 23:59 <DIR> d-------- C:\Documents and Settings\user\Application Data\Sony
2008-07-11 23:58 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-07-11 23:58 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-07-11 23:58 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-07-11 23:58 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-07-11 23:58 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-07-11 23:58 . 2008-07-11 23:58 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-11 23:47 . 2008-07-11 23:47 <DIR> d-------- C:\Program Files\Total Video Converter
2008-07-11 23:46 . 2008-07-11 23:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\dxdlls
2008-07-11 23:46 . 2008-07-11 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\syswin
2008-07-11 17:26 . 2008-07-11 17:26 <DIR> d-------- C:\Program Files\PhotomatixPro3
2008-07-11 16:50 . 2008-07-11 16:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2008-07-11 16:50 . 2008-07-11 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-10 19:20 . 2008-07-10 19:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2008-07-10 00:40 . 2008-07-10 00:40 <DIR> d-------- C:\Program Files\WMA Converter
2008-07-10 00:40 . 1999-08-09 17:01 632,328 --a------ C:\WINDOWS\system32\wmaudioredist.exe
2008-07-10 00:40 . 1999-08-31 13:36 335,872 --a------ C:\WINDOWS\system32\MsAudio.ocx
2008-07-09 23:58 . 2008-07-09 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-09 23:36 . 2008-07-09 23:36 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-09 23:20 . 2008-07-09 23:21 3,120 --a------ C:\WINDOWS\system32\ALLFSAF6a.ocx
2008-07-09 23:19 . 2007-09-04 14:45 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-07-09 22:50 . 2008-07-09 22:50 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Documents and Settings\user\Application Data\Autodesk
2008-07-09 22:48 . 2008-07-09 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d-------- C:\Program Files\Autodesk
2008-07-09 22:44 . 2008-07-09 22:44 <DIR> d-------- C:\WINDOWS\system32\URTTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 19:36 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-31 12:00 90,112 ----a-w C:\WINDOWS\DUMP758d.tmp
2008-07-07 17:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-04 08:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-04 07:13 --------- d-----w C:\Program Files\Winamp
2008-07-04 07:10 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-07-04 07:09 --------- d-----w C:\Program Files\Google
2008-07-03 16:18 --------- d-----w C:\Documents and Settings\user\Application Data\CyberLink
2008-07-03 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-03 16:04 --------- d-----w C:\Program Files\Common Files\xing shared
2008-07-03 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-03 13:01 --------- d-----w C:\Documents and Settings\user\Application Data\vlc
2008-07-03 06:25 --------- d-----w C:\Program Files\VideoLAN
2008-07-03 06:23 --------- d-----w C:\Program Files\Real
2008-07-03 06:23 --------- d-----w C:\Program Files\Common Files\Real
2008-07-03 06:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-03 06:21 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-03 06:21 348,160 ------w C:\WINDOWS\system32\msvcr71.dll
2008-07-03 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-03 06:12 --------- d-----w C:\Program Files\WIDCOMM
2008-07-03 06:07 --------- d-----w C:\Program Files\NetWaiting
2008-07-03 05:34 --------- d-----w C:\Program Files\CyberLink
2008-07-03 05:34 --------- d-----w C:\Program Files\Common Files\Nero
2008-07-03 05:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-03 05:33 --------- d-----w C:\Program Files\Ahead
2008-07-03 04:47 --------- d-----w C:\Program Files\CONEXANT
2008-07-03 04:46 --------- d-----w C:\Program Files\HPQ
2008-07-03 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 04:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-03 04:27 --------- d-----w C:\Program Files\Broadcom
2008-07-02 13:53 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_18.34.00.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 13:54:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-07 13:54:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-03 19:45:44 53,806 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-09 08:46:48 53,806 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-03 19:45:44 383,492 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-09 08:46:48 383,492 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-17 02:36 8437760]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe" [2007-08-30 06:32 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-03 21:34 185896]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-06-21 22:44 35328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 07:18:22 10872]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-17 02:36 8437760 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-17 02:36 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-03 21:34 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 22:44 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 14:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-17 02:36 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"=
"C:\\Program Files\\Google\\Google SketchUp 6\\LayOut\\LayOut.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"G:\\dumps\\utorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 usbvm328;HP Camera;C:\WINDOWS\system32\Drivers\usbvm326.sys [2006-10-13 06:12]
S3 vmfilter323;VC0326 filter service for Serome;C:\WINDOWS\system32\drivers\vmfilter323.sys [2006-08-11 09:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{704eb8ff-5d48-11dd-9bf1-001636f0f7df}]
\Shell\AutoRun\command - H:\tpfbusg.cmd
\Shell\explore\Command - H:\tpfbusg.cmd
\Shell\open\Command - H:\tpfbusg.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78f1381-571d-11dd-9be5-001636f0f7df}]
\Shell\AutoRun\command - tpfbusg.cmd
\Shell\explore\Command - tpfbusg.cmd
\Shell\open\Command - tpfbusg.cmd
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 14:36:30
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-09 14:37:54
ComboFix-quarantined-files.txt 2008-08-09 09:07:52
ComboFix4.txt 2008-08-04 13:05:16
ComboFix3.txt 2008-08-04 17:43:38
ComboFix2.txt 2008-08-06 20:05:52

Pre-Run: 8,212,791,296 bytes free
Post-Run: 8,231,665,664 bytes free

237





This is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:41 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{880D8573-9C61-4DE4-B469-1836B9A473B8}: NameServer = 172.19.0.1,202.56.250.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 5917 bytes
  • 0

#15
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello siddhu7_d,

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{704eb8ff-5d48-11dd-9bf1-001636f0f7df}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78f1381-571d-11dd-9be5-001636f0f7df}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.
Please let me also know how your system is running.

Thunderbird1988
  • 0
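The two MountPoints2 keys the CFScript above deletes are the ones ComboFix listed under "Reg Loading Points", where every Shell verb (AutoRun, explore, open) of a removable drive was redirected to tpfbusg.cmd, the typical footprint of a drive-borne autorun infection. As an added example, not part of this thread and not ComboFix's own code, the Python below parses that section of a ComboFix log, flags MountPoints2 entries that fit this pattern, and emits the matching Registry:: block; the log excerpt is constructed to mirror the thread's two entries plus one hypothetical benign CD-installer key that the heuristic leaves alone.

```python
"""Flag suspicious Explorer MountPoints2 autorun entries in a ComboFix log
and build the CFScript 'Registry::' block that deletes them.
Added example for this thread, not ComboFix's or the helper's own code."""
import re

# Constructed excerpt of a ComboFix "Reg Loading Points" section. The first two
# keys mirror the thread's log; the third is a hypothetical benign CD installer.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{704eb8ff-5d48-11dd-9bf1-001636f0f7df}]
\Shell\AutoRun\command - H:\tpfbusg.cmd
\Shell\explore\Command - H:\tpfbusg.cmd
\Shell\open\Command - H:\tpfbusg.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78f1381-571d-11dd-9be5-001636f0f7df}]
\Shell\AutoRun\command - tpfbusg.cmd
\Shell\explore\Command - tpfbusg.cmd
\Shell\open\Command - tpfbusg.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
\Shell\AutoRun\command - E:\setup\Autorun.exe
"""

KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\.*?\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".pif", ".scr")

def parse_mountpoints(log_text):
    """Return {registry key: {verb: command}} for every MountPoints2 subkey."""
    entries, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # other hives/sections are skipped
            if current:
                entries[current] = {}
        elif current:
            m = CMD_RE.match(line)
            if m:
                entries[current][m.group(1).lower()] = m.group(2)
    return entries

def is_suspicious(verbs):
    """Heuristic: a drive-borne worm rewires 'open'/'explore' so that merely
    opening the drive runs it, or points AutoRun at a script file; a CD
    installer normally sets only AutoRun -> some .exe, which is left alone."""
    if "open" in verbs or "explore" in verbs:
        return True
    return any(cmd.lower().endswith(SCRIPT_EXT) for cmd in verbs.values())

def flag(log_text):
    """Registry keys of the MountPoints2 entries that fail the heuristic."""
    return [k for k, v in parse_mountpoints(log_text).items() if is_suspicious(v)]

def cfscript(keys):
    """CFScript.txt content: '[-key]' under 'Registry::' tells ComboFix to delete the key."""
    lines = ["Registry::"]
    for key in keys:
        lines += ["", "[-%s]" % key]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(cfscript(flag(SAMPLE_LOG)))
```

Run against the constructed excerpt, it prints exactly the two-key Registry:: block posted above and skips the installer key.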





