
[Resolved] Browsers and Internet problem


  • This topic is locked
21 replies to this topic

#1 power333

power333

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 15 June 2009 - 07:24 AM

Hello, my problem is that my internet connection hasn't been working properly, and when I reported this to my ISP, they told me that the viruses on my PC are blocking my ports or something like that. I ran Avast thrice and it was unable to detect any viruses on my PC. When I told my technician what the ISP had said to me, he said that there weren't any viruses on my PC when he installed the new smps TWO DAYS AGO. This problem with my Internet, though, started a few days prior to the installation of the new smps.
Weird as it may seem, my connection works (though at a snail's pace) AFTER EVERY REBOOT for about 5-10 minutes or so, and then I get "The Page Cannot Be Displayed" (IE) and "Internal Communication Error / Closed By Remote Server" (Opera) messages. I can't access any websites after that and I have to reboot again to use the internet.
Weirder still is the fact that I can still run Paltalk (voice and text chat program) without much problem even after the browsers have ceased to function, and I can continue to listen, speak and text on Paltalk for HOURS (though voice does go out SOMETIMES after a while).

Another weird thing that has been happening for a month or so is that my Windows style changes AUTOMATICALLY from "Windows XP style" to "Windows Classic style"; sometimes it stays that way until I reboot, and sometimes it changes BACK to "Windows XP style" IMMEDIATELY after a couple of seconds.

Thanks to all of you guys in advance for doing this for all of us computer-illiterates. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:42 PM, on 6/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\soft\Avast 4.8\New Folder\aswUpdSv.exe
D:\soft\Avast 4.8\New Folder\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\soft\Winamp\New Folder\Winamp\winampa.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\soft\AVAST4~1.8\NEWFOL~1\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
D:\soft\Jre6\bin\jusched.exe
C:\WINDOWS\smngr.exe
C:\WINDOWS\system32\ctfmon.exe
D:\soft\NetMeter\NetMeter114beta_3.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\In2Cable\CMAAClient.exe
C:\WINDOWS\system32\spoolsv.exe
D:\soft\Avast 4.8\New Folder\setup\avast.setup
D:\soft\Jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
D:\soft\Avast 4.8\New Folder\ashMaiSv.exe
D:\soft\Avast 4.8\New Folder\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.in/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\soft\Jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\soft\Jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\soft\Winamp\New Folder\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] D:\soft\AVAST4~1.8\NEWFOL~1\ashDisp.exe
O4 - HKLM\..\Run: [Windows Data Serivce] smngr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\soft\Jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] D:\soft\NetMeter\NetMeter114beta_3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: In2Cable Login.lnk = C:\Program Files\In2Cable\CMAAClient.exe
O8 - Extra context menu item: Download all links with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - D:\soft\Paltalk\New Folder\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B4695D1-F431-4C59-A0E7-5E5BFEC65BC2}: NameServer = 203.192.198.7,203.192.195.18
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\soft\Avast 4.8\New Folder\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\soft\Jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MSR System Service (msrsys) - Unknown owner - C:\WINDOWS\system\msrsys32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 6647 bytes

Edited by power333, 15 June 2009 - 07:36 AM.



#2 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 16 June 2009 - 01:35 PM

Hello power333

Welcome to the Whatthetech Malware Removal Forum,

All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


You do have some viruses on your system; first, let's do this.


You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE


Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it to your desktop, make sure the file type is All Files, and name it FixServices.bat.

sc config msrsys start= disabled
sc stop msrsys
sc delete msrsys


Double click FixServices.bat. A window will open and close. This is normal.


C:\WINDOWS\system\msrsys32.exe <--Locate and delete this file




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.


 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.
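The diagnosis above rests on one O23 line in the first log: a service with no recorded publisher whose binary is missing from disk. The following is an added example, not code from the thread or from HijackThis, that scores O23 lines on those signals and emits the same sc.exe steps as FixServices.bat; the sample lines are constructed from the first log posted above.

```python
"""Triage HijackThis O23 (service) lines the way the helper in this thread did.

Added example, not from the thread or from HijackThis. SAMPLE is constructed
from the first log posted above. The score is a heuristic, not a verdict:
legitimate software (PnkBstrA and SiteAdvisor here) also shows 'Unknown owner'.
"""
import re

# O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: a subset of the O23 lines from the first HijackThis log above.
SAMPLE = r"""
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\soft\Avast 4.8\New Folder\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MSR System Service (msrsys) - Unknown owner - C:\WINDOWS\system\msrsys32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


def parse_o23(line):
    """Split one O23 line into its fields; None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None
    # When only one name is printed, use it as the service (short) name too.
    entry["short"] = entry["short"] or entry["display"]
    return entry


def score(entry):
    """Return (score, reasons). Each reason is one independent signal."""
    reasons = []
    if entry["owner"] == "Unknown owner":
        reasons.append("no publisher recorded (weak on its own)")
    if entry["missing"]:
        reasons.append("registered binary is missing from disk")
    folder = entry["path"].lower().rsplit("\\", 1)[0]
    if folder.endswith("\\windows\\system"):
        # Service binaries normally live in system32; the legacy WINDOWS\system folder is unusual.
        reasons.append("binary registered under WINDOWS\\system, not system32")
    return len(reasons), reasons


def triage(text, threshold=2):
    """Return the services scoring at or above the threshold, in log order."""
    flagged = []
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        points, reasons = score(entry)
        if points >= threshold:
            flagged.append({"service": entry["short"], "path": entry["path"],
                            "score": points, "reasons": reasons})
    return flagged


def fix_commands(service):
    """The same three sc.exe steps the helper put into FixServices.bat."""
    return [f"sc config {service} start= disabled",
            f"sc stop {service}",
            f"sc delete {service}"]


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f"{hit['service']}: score {hit['score']} - {'; '.join(hit['reasons'])}")
        print("  " + "\n  ".join(fix_commands(hit["service"])))
```

With the threshold at 2, only msrsys is flagged; the three other "Unknown owner" services score 1 each, which is why the helper asked for one file and not four.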

#3 power333

power333

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 17 June 2009 - 03:11 AM

Well, my Internet connection problem has been fixed somehow, at least for the moment. As it turned out, I did have a couple of viruses, which were found in the boot-time scan, and maybe getting rid of them has solved the problem. However, my "Windows style change" problem is still there, and another thing that I've noticed about it is that AFTER the "style change", I lose my system sound and I get an error message IF I try to start Winamp. All sound is lost, including sound in videos and Paltalk sound, etc. BUT if I have Winamp or VLC media player or Paltalk running BEFORE the "style change" has taken place (whether momentarily or till the next reboot), then I DON'T lose sound; but once that "style change" has occurred, if I close Winamp, Paltalk, etc. and reopen them, then I won't have sound anymore.
I'd mentioned this sound problem to my technician and he'd reinstalled my sound drivers on Saturday, and the problem ceased to occur for a couple of days or so, but it seems like it is reappearing now, although it hasn't been happening as regularly as it previously used to. I've attached a snapshot of the error that I get with Winamp after the "style change".

By the way, what's a rootkit? My Avast keeps saying that it has found a rootkit and I keep clicking "Delete Now" EVERY TIME it happens but it doesn't seem to be going away for some reason. Please suggest something to get rid of that.

I've done everything that you'd told me to do in your last post but I didn't find "C:\WINDOWS\system\msrsys32.exe" file which you'd asked me to delete.

MALWAREBYTES' ANTI-MALWARE
Malwarebytes' Anti-Malware 1.37
Database version: 2293
Windows 5.1.2600 Service Pack 2

6/17/2009 11:25:08 AM
mbam-log-2009-06-17 (11-25-08).txt

Scan type: Quick Scan
Objects scanned: 83940
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\msrsys (Backdoor.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\msrsys (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:57 PM, on 6/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\soft\Avast 4.8\New Folder\aswUpdSv.exe
D:\soft\Avast 4.8\New Folder\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\soft\Winamp\New Folder\Winamp\winampa.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\soft\AVAST4~1.8\NEWFOL~1\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
D:\soft\Jre6\bin\jusched.exe
D:\soft\Ashampoo Firewall\New Folder\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
D:\soft\NetMeter\NetMeter114beta_3.exe
D:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\In2Cable\CMAAClient.exe
C:\WINDOWS\system32\spoolsv.exe
D:\soft\Jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
D:\soft\Avast 4.8\New Folder\ashMaiSv.exe
D:\soft\Avast 4.8\New Folder\ashWebSv.exe
D:\soft\Opera\New Folder\Opera.exe
D:\soft\Sound recorder\New Folder\Free Sound Recorder\ar.exe
D:\soft\Winamp\New Folder\Winamp\winamp.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\System32\svchost.exe
D:\soft\Malwarebytes' Anti-Malware\New Folder\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.in/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\soft\Jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\soft\Jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\soft\Winamp\New Folder\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] D:\soft\AVAST4~1.8\NEWFOL~1\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\soft\Jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall] "D:\soft\Ashampoo Firewall\New Folder\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] D:\soft\NetMeter\NetMeter114beta_3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: In2Cable Login.lnk = C:\Program Files\In2Cable\CMAAClient.exe
O8 - Extra context menu item: Download all links with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - D:\soft\Paltalk\New Folder\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B4695D1-F431-4C59-A0E7-5E5BFEC65BC2}: NameServer = 203.192.198.7,203.192.195.18
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\soft\Avast 4.8\New Folder\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\soft\Jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7461 bytes

Attached Thumbnails

  • SOUND_ERROR.jpg

Edited by power333, 17 June 2009 - 03:13 AM.


#4 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 17 June 2009 - 04:48 AM

Hi,

Malwarebytes removed some bad entries; let's dig a bit deeper. A rootkit is a bad infection that hides, and most scans won't pick it up.

This one will

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.



You need to enable Windows to show all files and folders; instructions Here


Go to VirusTotal and submit this file for analysis; just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see.

D:\soft\Sound recorder\New Folder\Free Sound Recorder\ar.exe <--This file



After you're all clean, if you're still having sound problems, then I can direct you to Windows support forums that deal with problems like that, as we just do malware removal on this one.

 
 

#5 power333

power333

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 17 June 2009 - 07:04 AM

GMER REPORT

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-17 18:32:44
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF2A016B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF2A01574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF2A01A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF2A0114C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF2A0164E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF2A0108C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF2A010F0]
SSDT \??\C:\DOCUME~1\Sachin\LOCALS~1\Temp\ASFWHide ZwQuerySystemInformation [0xF7D71486] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF2A0176E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF2A0172E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF2A018AE]
SSDT \??\C:\DOCUME~1\Sachin\LOCALS~1\Temp\ASFWHide ZwTerminateProcess [0xF7D716DA] <-- ROOTKIT !!!

---- User code sections - GMER 1.0.15 ----

.text D:\soft\Winamp\New Folder\Winamp\winamp.exe[1172] USER32.dll!SetScrollInfo 77D4902C 7 Bytes JMP 0424B623 D:\soft\Winamp\New Folder\Winamp\Plugins\gen_jumpex.dll
.text D:\soft\Winamp\New Folder\Winamp\winamp.exe[1172] USER32.dll!GetScrollPos 77D4F66F 5 Bytes JMP 0424B5D3 D:\soft\Winamp\New Folder\Winamp\Plugins\gen_jumpex.dll
.text D:\soft\Winamp\New Folder\Winamp\winamp.exe[1172] USER32.dll!SetScrollRange 77D4F6BB 5 Bytes JMP 0424B679 D:\soft\Winamp\New Folder\Winamp\Plugins\gen_jumpex.dll
.text D:\soft\Winamp\New Folder\Winamp\winamp.exe[1172] USER32.dll!SetScrollPos 77D4F780 5 Bytes JMP 0424B64E D:\soft\Winamp\New Folder\Winamp\Plugins\gen_jumpex.dll
.text D:\soft\Winamp\New Folder\Winamp\winamp.exe[1172] USER32.dll!GetScrollRange 77D4F7B7 5 Bytes JMP 0424B5F8 D:\soft\Winamp\New Folder\Winamp\Plugins\gen_jumpex.dll
.text D:\soft\Winamp\New Folder\Winamp\winamp.exe[1172] USER32.dll!ShowScrollBar 77D50142 5 Bytes JMP 0424B6A7 D:\soft\Winamp\New Folder\Winamp\Plugins\gen_jumpex.dll
.text D:\soft\Winamp\New Folder\Winamp\winamp.exe[1172] USER32.dll!GetScrollInfo 77D53A2F 7 Bytes JMP 0424B5AB D:\soft\Winamp\New Folder\Winamp\Plugins\gen_jumpex.dll
.text D:\soft\Winamp\New Folder\Winamp\winamp.exe[1172] USER32.dll!EnableScrollBar 77D97BAD 7 Bytes JMP 0424B583 D:\soft\Winamp\New Folder\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3952] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 32605629 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F78AE5D8] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F78AE6CE] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F78AE9F2] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F78AE99E] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F78AE99E] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F78AE6CE] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F78AE5D8] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F78AE9F2] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F78AE9F2] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F78AE99E] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F78AE6CE] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F78AE5D8] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F78AE99E] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F78AE5D8] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F78AE6CE] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F78AE9F2] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F78AE5D8] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F78AE99E] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F78AE6CE] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F78AE9F2] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F78AE99E] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F78AE6CE] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F78AE5D8] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F78AE99E] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F78AE9F2] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F78AE5D8] ENO.sys (ndishk/PCAUSA)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F78AE6CE] ENO.sys (ndishk/PCAUSA)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gyfyqjeci <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@DisplayName Universal Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@Description Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci\Parameters@ServiceDll C:\WINDOWS\system32\xreftpd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci@DisplayName Universal Microsoft
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci@Description Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\gyfyqjeci\Parameters@ServiceDll C:\WINDOWS\system32\xreftpd.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x06 0x54 0x4B 0x0E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{6cc5b596-55bd-44a8-a092-d025a6e47e96}@Model 124
Reg HKLM\SOFTWARE\Classes\CLSID\{6cc5b596-55bd-44a8-a092-d025a6e47e96}@Therad 20

---- EOF - GMER 1.0.15 ----




VIRUS TOTAL RESULTS FOR D:\soft\Sound recorder\New Folder\Free Sound Recorder\ar.exe

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.17 -
AhnLab-V3 5.0.0.2 2009.06.17 -
AntiVir 7.9.0.187 2009.06.17 -
Antiy-AVL 2.0.3.1 2009.06.17 -
Authentium 5.1.2.4 2009.06.16 -
Avast 4.8.1335.0 2009.06.16 -
AVG 8.5.0.339 2009.06.17 -
BitDefender 7.2 2009.06.17 -
CAT-QuickHeal 10.00 2009.06.17 -
ClamAV 0.94.1 2009.06.17 -
Comodo 1350 2009.06.17 -
DrWeb 5.0.0.12182 2009.06.17 -
eSafe 7.0.17.0 2009.06.17 -
eTrust-Vet 31.6.6564 2009.06.17 -
F-Prot 4.4.4.56 2009.06.16 -
F-Secure 8.0.14470.0 2009.06.17 -
Fortinet 3.117.0.0 2009.06.17 -
GData 19 2009.06.17 -
Ikarus T3.1.1.59.0 2009.06.17 -
Jiangmin 11.0.706 2009.06.17 -
K7AntiVirus 7.10.765 2009.06.16 -
Kaspersky 7.0.0.125 2009.06.17 -
McAfee 5648 2009.06.16 -
McAfee+Artemis 5648 2009.06.16 -
McAfee-GW-Edition 6.7.6 2009.06.17 -
Microsoft 1.4701 2009.06.17 -
NOD32 4162 2009.06.17 -
Norman 6.01.09 2009.06.16 -
nProtect 2009.1.8.0 2009.06.17 -
Panda 10.0.0.14 2009.06.16 -
PCTools 4.4.2.0 2009.06.12 -
Prevx 3.0 2009.06.17 -
Rising 21.34.23.00 2009.06.17 -
Sophos 4.42.0 2009.06.17 -
Sunbelt 3.2.1858.2 2009.06.17 -
Symantec 1.4.4.12 2009.06.17 -
TheHacker 6.3.4.3.347 2009.06.17 -
TrendMicro 8.950.0.1094 2009.06.17 -
VBA32 3.12.10.7 2009.06.17 -
ViRobot 2009.6.17.1792 2009.06.17 -
VirusBuster 4.6.5.0 2009.06.16 -
Additional information
File size: 716800 bytes
MD5...: 5b2ea05894a259edda1027e4574d47e5
SHA1..: 5da6d171e7022c3b47c047eb2740e2308f3cbeb9
SHA256: c3442edce7cd1a58b5ac1ec2d17843013629958ee3c736ec49580ed9c9b94342
ssdeep: 12288:vluD/65WkexltoiWflX6jIPB+8mE4HqaeAoqvgh/rE7B5lW+xBJN8X1HXJs:vr5WkexroR9XEIPB+tEaeARYh/g7B53z
PEiD..: ASPack v2.12
TrID..: File type identification
ASPack compressed Win32 Executable (generic) (90.1%)
Win32 Executable Generic (5.7%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1e3001
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x16b000 0x7d200 8.00 bf1842b4a33a2a8d8c515eedd613ee76
DATA 0x16c000 0x7000 0x3c00 7.98 dfde836d82fcafdb59871c008f6c3471
BSS 0x173000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x176000 0x3000 0x1000 7.92 0973a8cf0eab5b30544add1e052b7739
.tls 0x179000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x17a000 0x1000 0x200 0.20 e272d7b769e86a2ce09a5829ad23fe79
.reloc 0x17b000 0x14000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x18f000 0x54000 0x1f200 7.84 b4fd6ee3dfca93c399f90b39eb44411f
.aspack 0x1e3000 0xe000 0xda00 5.32 1fc6af89c41d16eb3cf21ed176487913
.adata 0x1f1000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 17 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> advapi32.dll: RegSetValueExA
> version.dll: VerQueryValueA
> gdi32.dll: UnrealizeObject
> user32.dll: CreateWindowExA
> oleaut32.dll: SafeArrayPtrOfIndex
> ole32.dll: CreateStreamOnHGlobal
> oleaut32.dll: GetErrorInfo
> comctl32.dll: UninitializeFlatSB
> shell32.dll: Shell_NotifyIconA
> shell32.dll: SHGetSpecialFolderLocation
> msimg32.dll: GradientFill
> winmm.dll: waveInUnprepareHeader
> msacm32.dll: acmStreamUnprepareHeader

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): ASPack
packers (F-Prot): Aspack




NEW HIJACKTHIS LOG (last time I'd forgotten to checkmark "Display the contents of system folders". Sorry about that.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:18 PM, on 6/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\soft\Avast 4.8\New Folder\aswUpdSv.exe
D:\soft\Avast 4.8\New Folder\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\soft\Winamp\New Folder\Winamp\winampa.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\soft\AVAST4~1.8\NEWFOL~1\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
D:\soft\Jre6\bin\jusched.exe
D:\soft\Ashampoo Firewall\New Folder\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
D:\soft\NetMeter\NetMeter114beta_3.exe
D:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\In2Cable\CMAAClient.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\soft\Jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
D:\soft\Avast 4.8\New Folder\ashMaiSv.exe
D:\soft\Avast 4.8\New Folder\ashWebSv.exe
D:\soft\Opera\New Folder\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.in/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\soft\Jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\soft\Jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\soft\Winamp\New Folder\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] D:\soft\AVAST4~1.8\NEWFOL~1\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\soft\Jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall] "D:\soft\Ashampoo Firewall\New Folder\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] D:\soft\NetMeter\NetMeter114beta_3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: In2Cable Login.lnk = C:\Program Files\In2Cable\CMAAClient.exe
O8 - Extra context menu item: Download all links with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - D:\soft\Paltalk\New Folder\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B4695D1-F431-4C59-A0E7-5E5BFEC65BC2}: NameServer = 203.192.198.7,203.192.195.18
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\soft\Avast 4.8\New Folder\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\soft\Avast 4.8\New Folder\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\soft\Jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7272 bytes

Edited by power333, 17 June 2009 - 07:19 AM.
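The GMER output above gives the infection away without any antivirus signature: a service GMER cannot see through the normal Windows API, registered to load inside "svchost.exe -k netsvcs" with a ServiceDll in system32, a DisplayName ("Universal Microsoft") that matches no Windows component, and a Description copied from the real WMI service. The ComboFix report posted further down adds the rest of the picture (a second service name pointing at the same DLL, the DLL carrying system+hidden attributes, the firewall switched off, a globally opened port with a random name). As an added example, not code from GMER, ComboFix or anyone in this thread, the Python script below pulls those indicators out of log text automatically. The sample log inside it is constructed from the excerpts in this thread, and the regexes are written against the line shapes those two tool versions print; treat them as an assumption for any other version.

```python
"""Triage GMER / ComboFix log text for a hijacked svchost "netsvcs" service."""
import re
from collections import defaultdict

# Line shapes as printed by GMER 1.0.15 and ComboFix 09-06 in the logs above.
GMER_HIDDEN = re.compile(r"^Service .*\(\*\*\* hidden \*\*\* \).*\]\s+(\S+)\s+<-- ROOTKIT")
GMER_REGVAL = re.compile(r"^Reg HKLM\\SYSTEM\\\w+\\Services\\(\w+)(?:\\Parameters)?@(\w+)\s+(.*)$")
CF_SVCKEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(\w+)\]$", re.I)
CF_SVCDLL = re.compile(r'^"ServiceDll"="(.+)"$', re.I)
CF_FILE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \. \S+ \S+\s+\d+\s+(\S{8})\s+(\S.*)$")
CF_FIREWALL = re.compile(r'^"EnableFirewall"=\s*(\d)', re.I)
CF_PORT = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\S+:(\S+)$', re.I)
CF_NETSVCS = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs"


def triage(log_text):
    """Parse GMER/ComboFix lines and return {indicator: details}."""
    services = defaultdict(dict)   # service name -> registry values seen for it
    file_attrs = {}                # lowercase path -> ComboFix attribute column
    netsvcs_added = []             # ComboFix lists only non-default group members
    open_ports = []
    firewall_enabled = None
    current_key = None
    in_netsvcs = False

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == CF_NETSVCS:            # service names follow until the "." line
            in_netsvcs = True
            continue
        if in_netsvcs:
            if line == ".":
                in_netsvcs = False
            else:
                netsvcs_added.append(line)
            continue
        if m := GMER_HIDDEN.match(line):
            services[m.group(1)]["hidden"] = True
        elif m := GMER_REGVAL.match(line):
            name, field, value = m.groups()
            services[name][field] = value
        elif m := CF_SVCKEY.match(line):
            current_key = m.group(1)
        elif (m := CF_SVCDLL.match(line)) and current_key:
            services[current_key]["ServiceDll"] = m.group(1)
        elif m := CF_FILE.match(line):
            file_attrs[m.group(2).lower()] = m.group(1)
        elif m := CF_FIREWALL.match(line):
            firewall_enabled = m.group(1) == "1"
        elif m := CF_PORT.match(line):
            open_ports.append((m.group(1), m.group(2)))

    by_dll = defaultdict(list)
    hidden_system_dll = []
    for name, rec in services.items():
        dll = rec.get("ServiceDll")
        if not dll:
            continue
        by_dll[dll.lower()].append(name)
        attrs = file_attrs.get(dll.lower(), "")
        if "s" in attrs and "h" in attrs:   # ComboFix prints s/h for system+hidden
            hidden_system_dll.append((name, dll))

    return {
        "hidden_service": sorted(n for n, r in services.items() if r.get("hidden")),
        "netsvcs_added": netsvcs_added,
        "shared_servicedll": {d: sorted(n) for d, n in by_dll.items() if len(n) > 1},
        "hidden_system_dll": sorted(hidden_system_dll),
        "firewall_disabled": firewall_enabled is False,
        "open_ports": open_ports,
    }


# Constructed sample modelled on the GMER and ComboFix excerpts in this thread.
SAMPLE_LOG = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gyfyqjeci <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@DisplayName Universal Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gyfyqjeci\Parameters@ServiceDll C:\WINDOWS\system32\xreftpd.dll
2009-05-21 06:03 . 2009-04-15 19:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2004-08-03 14:26 . 2004-08-03 14:26 164824 --sh--r- c:\windows\system32\xreftpd.dll
"EnableFirewall"= 0 (0x0)
"3373:TCP"= 3373:TCP:hlzqptka
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gyfyqjeci
zntphf
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gyfyqjeci]
"ServiceDll"="c:\windows\system32\xreftpd.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zntphf]
"ServiceDll"="c:\windows\system32\xreftpd.dll"
"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG).items():
        print(f"{indicator:18} {detail}")
```

The script deliberately does not carry an allowlist of "good" netsvcs members: ComboFix already prints only the non-default names under that key, and two services sharing one ServiceDll, or a ServiceDll file flagged system+hidden, are indicators that need no reference list at all. Run it over a pasted log (`python triage.py < log.txt` after replacing SAMPLE_LOG with `sys.stdin.read()`) and anything that comes back non-empty is what a helper would ask you to remove.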


#6 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 17 June 2009 - 09:11 AM

You do have a Rootkit infection


Do this first...Important

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.<--You need to do this for it to take effect
Please do not proceed until the TeaTimer is disabled




Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


#7 power333

power333

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 17 June 2009 - 12:45 PM

I had to run ComboFix twice. The first time I launched it, it shut down my Internet and then started saying that it needed to download the Windows Console, but I wasn't connected to the Internet, and before I could restart the Internet it started scanning, so I let it finish and then it rebooted the PC. On the second go I was ready to restart my Internet and restarted it as soon as ComboFix shut it down; then it was able to download the Windows Console and proceeded with the scan.


COMBOFIX REPORT
ComboFix 09-06-16.05 - Sachin 06/17/2009 22:37.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.151 [GMT 5.5:30]
Running from: c:\documents and settings\Sachin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-17 06:56 . 2009-06-17 06:56 -------- d-----w- c:\documents and settings\Sachin\Application Data\FastStone
2009-06-17 05:44 . 2009-06-17 05:44 -------- d-----w- c:\documents and settings\Sachin\Application Data\Malwarebytes
2009-06-17 05:44 . 2009-05-26 07:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:44 . 2009-06-17 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-17 05:44 . 2009-05-26 07:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 07:29 . 2009-06-16 07:29 -------- d-----w- c:\documents and settings\Sachin\Local Settings\Application Data\Ashampoo
2009-06-16 06:42 . 2009-06-16 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-16 05:43 . 2009-06-16 05:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-15 18:48 . 2009-06-15 18:48 -------- d-----w- c:\program files\In2Cable
2009-06-15 12:05 . 2009-06-15 12:05 -------- d-----w- c:\program files\Trend Micro
2009-06-15 11:36 . 2009-06-15 11:36 -------- d-----w- c:\program files\ERUNT
2009-06-14 07:38 . 2009-06-14 07:39 152576 ----a-w- c:\documents and settings\Sachin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-13 15:26 . 2005-09-16 22:14 157184 ------r- c:\windows\system32\RtlCPAPI.dll
2009-06-13 15:24 . 2005-05-04 02:43 69632 ------r- c:\windows\Alcmtr.exe
2009-06-06 14:58 . 2009-06-06 14:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\PC Suite
2009-06-03 14:11 . 2009-06-03 14:12 61440 ----a-r- c:\documents and settings\Sachin\Application Data\Microsoft\Installer\{04DB4871-BC1D-44BF-AADB-47326365EB8C}\ARPPRODUCTICON.exe
2009-05-22 19:31 . 2009-05-22 19:31 -------- d-----w- c:\documents and settings\Sachin\Application Data\Apple Computer
2009-05-19 08:29 . 2009-05-19 08:29 -------- d-----w- c:\windows\PaltalkScene
2009-05-19 08:29 . 2009-05-19 08:29 -------- d-----w- c:\program files\Paltalk Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM5.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM4.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM3.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM2.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM1.dll
2009-05-21 06:03 . 2009-04-15 19:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-03 09:01 . 2009-05-03 09:01 -------- d-----w- c:\documents and settings\Sachin\Application Data\Nokia Multimedia Player
2009-05-03 08:58 . 2009-05-03 08:58 -------- d-----w- c:\documents and settings\Sachin\Application Data\Nokia
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\DIFX
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\documents and settings\Sachin\Application Data\PC Suite
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\Common Files\PCSuite
2009-05-03 08:48 . 2009-05-03 08:48 -------- d-----w- c:\program files\Nokia
2009-05-03 08:48 . 2009-05-03 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-04-29 07:18 . 2009-04-29 07:18 198064 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-04-29 07:15 . 2009-04-29 07:15 -------- d-----w- c:\documents and settings\Sachin\Application Data\IDM
2009-04-25 08:50 . 2009-04-15 11:16 68456 ----a-w- c:\documents and settings\Sachin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 15:09 . 2009-04-23 15:09 -------- d-----w- c:\documents and settings\Sachin\Application Data\Winamp
2009-04-22 07:54 . 2009-04-22 07:55 138512 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-22 07:53 . 2009-04-22 07:54 201440 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-04-22 07:53 . 2009-04-22 07:53 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-04-16 08:18 . 2009-04-15 11:09 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-16 07:32 . 2009-04-16 07:32 1915520 ----a-w- c:\documents and settings\Sachin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-04-15 19:02 . 2009-04-15 19:02 152576 ----a-w- c:\documents and settings\Sachin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 11:48 . 2009-04-15 11:18 16608 ----a-w- c:\windows\gdrv.sys
2009-04-15 11:06 . 2009-04-15 11:06 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-03-26 15:35 . 2009-04-03 13:24 210352 ----a-w- c:\windows\system32\idmmbc.dll
2004-08-03 14:26 . 2004-08-03 14:26 164824 --sh--r- c:\windows\system32\xreftpd.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-17_16.59.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-17 17:03 . 2009-06-17 17:03 16384 c:\windows\Temp\Perflib_Perfdata_1f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"NetMeter"="d:\soft\NetMeter\NetMeter114beta_3.exe" [2009-01-28 297984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-15 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WinampAgent"="d:\soft\Winamp\New Folder\Winamp\winampa.exe" [2009-04-10 37888]
"SunJavaUpdateSched"="d:\soft\Jre6\bin\jusched.exe" [2009-05-21 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-10-15 14864384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
In2Cable Login.lnk - c:\program files\In2Cable\CMAAClient.exe [2004-4-21 499712]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\soft\\Limewire\\New Folder\\LimeWire\\LimeWire.exe"=
"d:\\soft\\Opera\\New Folder\\Opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3373:TCP"= 3373:TCP:hlzqptka

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [4/20/2004 11:31 AM 42972]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/17/2009 12:04 AM 210216]
S2 gyfyqjeci;Universal Microsoft;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 7:56 PM 14336]
S2 zntphf;Image Shell;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 7:56 PM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gyfyqjeci
zntphf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.in/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: Download all links with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4B4695D1-F431-4C59-A0E7-5E5BFEC65BC2} = 203.192.198.7,203.192.195.18
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 22:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\Sachin\LOCALS~1\Temp\ASFWHide"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gyfyqjeci]
"ServiceDll"="c:\windows\system32\xreftpd.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zntphf]
"ServiceDll"="c:\windows\system32\xreftpd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):06,54,4b,0e,7a,13,98,c3,36,b4,0a,0c,b6,ad,6a,77,f8,5e,61,8d,f4,
c4,0a,23,25,79,a8,99,e0,50,9b,55,1a,96,5c,de,ad,8a,5f,4a,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6cc5b596-55bd-44a8-a092-d025a6e47e96}]
@Denied: (Full) (Everyone)
"Model"=dword:0000007c
"Therad"=dword:00000014
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1552)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2009-06-17 22:40
ComboFix-quarantined-files.txt 2009-06-17 17:10
ComboFix2.txt 2009-06-17 17:00

Pre-Run: 4,788,051,968 bytes free
Post-Run: 4,769,406,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect




NEW HIJACKTHIS LOG

ComboFix 09-06-16.05 - Sachin 06/17/2009 22:37.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.151 [GMT 5.5:30]
Running from: c:\documents and settings\Sachin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-17 06:56 . 2009-06-17 06:56 -------- d-----w- c:\documents and settings\Sachin\Application Data\FastStone
2009-06-17 05:44 . 2009-06-17 05:44 -------- d-----w- c:\documents and settings\Sachin\Application Data\Malwarebytes
2009-06-17 05:44 . 2009-05-26 07:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:44 . 2009-06-17 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-17 05:44 . 2009-05-26 07:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 07:29 . 2009-06-16 07:29 -------- d-----w- c:\documents and settings\Sachin\Local Settings\Application Data\Ashampoo
2009-06-16 06:42 . 2009-06-16 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-16 05:43 . 2009-06-16 05:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-15 18:48 . 2009-06-15 18:48 -------- d-----w- c:\program files\In2Cable
2009-06-15 12:05 . 2009-06-15 12:05 -------- d-----w- c:\program files\Trend Micro
2009-06-15 11:36 . 2009-06-15 11:36 -------- d-----w- c:\program files\ERUNT
2009-06-14 07:38 . 2009-06-14 07:39 152576 ----a-w- c:\documents and settings\Sachin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-13 15:26 . 2005-09-16 22:14 157184 ------r- c:\windows\system32\RtlCPAPI.dll
2009-06-13 15:24 . 2005-05-04 02:43 69632 ------r- c:\windows\Alcmtr.exe
2009-06-06 14:58 . 2009-06-06 14:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\PC Suite
2009-06-03 14:11 . 2009-06-03 14:12 61440 ----a-r- c:\documents and settings\Sachin\Application Data\Microsoft\Installer\{04DB4871-BC1D-44BF-AADB-47326365EB8C}\ARPPRODUCTICON.exe
2009-05-22 19:31 . 2009-05-22 19:31 -------- d-----w- c:\documents and settings\Sachin\Application Data\Apple Computer
2009-05-19 08:29 . 2009-05-19 08:29 -------- d-----w- c:\windows\PaltalkScene
2009-05-19 08:29 . 2009-05-19 08:29 -------- d-----w- c:\program files\Paltalk Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM5.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM4.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM3.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM2.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM1.dll
2009-05-21 06:03 . 2009-04-15 19:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-03 09:01 . 2009-05-03 09:01 -------- d-----w- c:\documents and settings\Sachin\Application Data\Nokia Multimedia Player
2009-05-03 08:58 . 2009-05-03 08:58 -------- d-----w- c:\documents and settings\Sachin\Application Data\Nokia
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\DIFX
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\documents and settings\Sachin\Application Data\PC Suite
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\Common Files\PCSuite
2009-05-03 08:48 . 2009-05-03 08:48 -------- d-----w- c:\program files\Nokia
2009-05-03 08:48 . 2009-05-03 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-04-29 07:18 . 2009-04-29 07:18 198064 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-04-29 07:15 . 2009-04-29 07:15 -------- d-----w- c:\documents and settings\Sachin\Application Data\IDM
2009-04-25 08:50 . 2009-04-15 11:16 68456 ----a-w- c:\documents and settings\Sachin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 15:09 . 2009-04-23 15:09 -------- d-----w- c:\documents and settings\Sachin\Application Data\Winamp
2009-04-22 07:54 . 2009-04-22 07:55 138512 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-22 07:53 . 2009-04-22 07:54 201440 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-04-22 07:53 . 2009-04-22 07:53 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-04-16 08:18 . 2009-04-15 11:09 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-16 07:32 . 2009-04-16 07:32 1915520 ----a-w- c:\documents and settings\Sachin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-04-15 19:02 . 2009-04-15 19:02 152576 ----a-w- c:\documents and settings\Sachin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 11:48 . 2009-04-15 11:18 16608 ----a-w- c:\windows\gdrv.sys
2009-04-15 11:06 . 2009-04-15 11:06 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-03-26 15:35 . 2009-04-03 13:24 210352 ----a-w- c:\windows\system32\idmmbc.dll
2004-08-03 14:26 . 2004-08-03 14:26 164824 --sh--r- c:\windows\system32\xreftpd.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-17_16.59.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-17 17:03 . 2009-06-17 17:03 16384 c:\windows\Temp\Perflib_Perfdata_1f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"NetMeter"="d:\soft\NetMeter\NetMeter114beta_3.exe" [2009-01-28 297984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-15 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WinampAgent"="d:\soft\Winamp\New Folder\Winamp\winampa.exe" [2009-04-10 37888]
"SunJavaUpdateSched"="d:\soft\Jre6\bin\jusched.exe" [2009-05-21 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-10-15 14864384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
In2Cable Login.lnk - c:\program files\In2Cable\CMAAClient.exe [2004-4-21 499712]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\soft\\Limewire\\New Folder\\LimeWire\\LimeWire.exe"=
"d:\\soft\\Opera\\New Folder\\Opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3373:TCP"= 3373:TCP:hlzqptka

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [4/20/2004 11:31 AM 42972]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/17/2009 12:04 AM 210216]
S2 gyfyqjeci;Universal Microsoft;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 7:56 PM 14336]
S2 zntphf;Image Shell;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 7:56 PM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gyfyqjeci
zntphf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.in/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: Download all links with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4B4695D1-F431-4C59-A0E7-5E5BFEC65BC2} = 203.192.198.7,203.192.195.18
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 22:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\Sachin\LOCALS~1\Temp\ASFWHide"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gyfyqjeci]
"ServiceDll"="c:\windows\system32\xreftpd.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zntphf]
"ServiceDll"="c:\windows\system32\xreftpd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):06,54,4b,0e,7a,13,98,c3,36,b4,0a,0c,b6,ad,6a,77,f8,5e,61,8d,f4,
c4,0a,23,25,79,a8,99,e0,50,9b,55,1a,96,5c,de,ad,8a,5f,4a,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6cc5b596-55bd-44a8-a092-d025a6e47e96}]
@Denied: (Full) (Everyone)
"Model"=dword:0000007c
"Therad"=dword:00000014
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1552)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2009-06-17 22:40
ComboFix-quarantined-files.txt 2009-06-17 17:10
ComboFix2.txt 2009-06-17 17:00

Pre-Run: 4,788,051,968 bytes free
Post-Run: 4,769,406,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

158

Edited by power333, 17 June 2009 - 12:47 PM.


#8 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 17 June 2009 - 04:42 PM

Hi. Busy day at work today, sorry for the delay. I am looking over your log and will be back in a bit.

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#9 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 18 June 2009 - 02:15 AM

Hello,

I wasn't sure and had someone else look at this, and it looks like you may be infected with Conficker.

Go to this site
http://support.kaspe.../?qid=208279973

To remove the virus locally: <---Follow these instructions


KK_v3.4.7.zip <--Download this to your desktop

Create a new folder on your desktop and unzip KK_v3.4.7.zip into the new folder

Then Run this file KK.exe

When it's done, close out the program, reboot, and run GMER again and post the log.

 
 

#10 power333

power333

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 18 June 2009 - 04:55 AM

I can't open the link you've posted; it's giving me an error message on both Opera and IE. I even tried the copy and paste method. By the way, since yesterday I'm having another problem: none of the anti-virus software is able to update itself; they keep telling me that I should connect to the Internet, etc., even when I'm connected to it and browsing through Opera and IE. I've tried Avast, Avira and Kaspersky, one after another, and all of them are telling me the same thing, that my Internet isn't working. The good news is that my Windows style change problem and the sound problems have ceased for the moment.

Edited by power333, 18 June 2009 - 04:59 AM.



#11 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 18 June 2009 - 05:23 AM

OK, let's forget that for the moment.

Go to Start > Run and type in MRT and hit Enter. This will start the Microsoft Malicious Software Removal Tool; let it run, and let me know if it found and cleaned Conficker.


Then do this.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Collect::


Collect::
c:\windows\system32\xreftpd.dll

NetSvc::
gyfyqjeci
zntphf

Driver::
gyfyqjeci
zntphf

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6cc5b596-55bd-44a8-a092-d025a6e47e96}]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

 
 

#12 power333

power333

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 18 June 2009 - 07:33 AM

The MRT tool didn't work; I got an error on that. I've attached a snapshot of the error.


COMBOFIX REPORT

ComboFix 09-06-16.05 - Sachin 06/18/2009 18:37.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.250 [GMT 5.5:30]
Running from: c:\documents and settings\Sachin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sachin\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\xreftpd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GYFYQJECI
-------\Legacy_ZNTPHF
-------\Service_gyfyqjeci
-------\Service_zntphf


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-18 05:01 . 2009-06-18 05:01 673032 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav6\7.0.0.119\updater.dll
2009-06-18 05:01 . 2009-06-18 05:01 110360 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav6\7.0.0.119\X86\kl1.sys
2009-06-18 05:01 . 2009-06-18 05:01 95496 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav6\7.0.0.119\diffs.dll
2009-06-18 05:01 . 2009-06-18 05:01 341256 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav6\7.0.0.119\ckahum.dll
2009-06-18 05:01 . 2009-06-18 05:01 186640 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav6\7.0.0.119\klif.sys
2009-06-18 05:00 . 2009-06-18 05:00 112144 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\X86\kl1.sys
2009-06-18 04:59 . 2009-06-18 05:00 682512 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\updater.dll
2009-06-18 04:59 . 2009-06-18 04:59 194320 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\klif.sys
2009-06-18 04:59 . 2009-06-18 04:59 150032 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\diffs.dll
2009-06-18 04:59 . 2009-06-18 04:59 342544 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.0.119\ckahum.dll
2009-06-17 19:25 . 2009-06-18 05:00 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-17 19:25 . 2009-06-18 05:00 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-17 19:24 . 2009-06-17 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-17 19:24 . 2009-06-18 13:11 670240 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-17 19:24 . 2009-06-18 13:11 1824 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-17 17:26 . 2009-06-17 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-17 06:56 . 2009-06-17 06:56 -------- d-----w- c:\documents and settings\Sachin\Application Data\FastStone
2009-06-17 05:44 . 2009-06-17 05:44 -------- d-----w- c:\documents and settings\Sachin\Application Data\Malwarebytes
2009-06-17 05:44 . 2009-05-26 07:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:44 . 2009-06-17 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-17 05:44 . 2009-05-26 07:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 07:29 . 2009-06-16 07:29 -------- d-----w- c:\documents and settings\Sachin\Local Settings\Application Data\Ashampoo
2009-06-16 06:42 . 2009-06-16 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-16 05:43 . 2009-06-16 05:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-15 18:48 . 2009-06-15 18:48 -------- d-----w- c:\program files\In2Cable
2009-06-15 12:05 . 2009-06-15 12:05 -------- d-----w- c:\program files\Trend Micro
2009-06-15 11:36 . 2009-06-15 11:36 -------- d-----w- c:\program files\ERUNT
2009-06-14 07:38 . 2009-06-14 07:39 152576 ----a-w- c:\documents and settings\Sachin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-13 15:26 . 2005-09-16 22:14 157184 ------r- c:\windows\system32\RtlCPAPI.dll
2009-06-13 15:24 . 2005-05-04 02:43 69632 ------r- c:\windows\Alcmtr.exe
2009-06-06 14:58 . 2009-06-06 14:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\PC Suite
2009-06-03 14:11 . 2009-06-03 14:12 61440 ----a-r- c:\documents and settings\Sachin\Application Data\Microsoft\Installer\{04DB4871-BC1D-44BF-AADB-47326365EB8C}\ARPPRODUCTICON.exe
2009-05-22 19:31 . 2009-05-22 19:31 -------- d-----w- c:\documents and settings\Sachin\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 13:11 . 2009-06-17 19:24 2264 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-18 13:11 . 2009-06-17 19:24 14180 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-18 05:01 . 2007-04-28 11:21 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM5.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM4.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM3.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM2.dll
2009-06-01 08:24 . 2009-04-29 07:31 28672 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\NP_IDM1.dll
2009-05-21 06:03 . 2009-04-15 19:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-19 08:29 . 2009-05-19 08:29 -------- d-----w- c:\program files\Paltalk Messenger
2009-05-03 09:01 . 2009-05-03 09:01 -------- d-----w- c:\documents and settings\Sachin\Application Data\Nokia Multimedia Player
2009-05-03 08:58 . 2009-05-03 08:58 -------- d-----w- c:\documents and settings\Sachin\Application Data\Nokia
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\DIFX
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\documents and settings\Sachin\Application Data\PC Suite
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-05-03 08:51 . 2009-05-03 08:51 -------- d-----w- c:\program files\Common Files\PCSuite
2009-05-03 08:48 . 2009-05-03 08:48 -------- d-----w- c:\program files\Nokia
2009-05-03 08:48 . 2009-05-03 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-04-29 07:18 . 2009-04-29 07:18 198064 ----a-w- c:\documents and settings\Sachin\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-04-29 07:15 . 2009-04-29 07:15 -------- d-----w- c:\documents and settings\Sachin\Application Data\IDM
2009-04-25 08:50 . 2009-04-15 11:16 68456 ----a-w- c:\documents and settings\Sachin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 15:09 . 2009-04-23 15:09 -------- d-----w- c:\documents and settings\Sachin\Application Data\Winamp
2009-04-22 07:54 . 2009-04-22 07:55 138512 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-22 07:53 . 2009-04-22 07:54 201440 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-04-22 07:53 . 2009-04-22 07:53 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-04-16 08:18 . 2009-04-15 11:09 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-16 07:32 . 2009-04-16 07:32 1915520 ----a-w- c:\documents and settings\Sachin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-04-15 19:02 . 2009-04-15 19:02 152576 ----a-w- c:\documents and settings\Sachin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 11:48 . 2009-04-15 11:18 16608 ----a-w- c:\windows\gdrv.sys
2009-04-15 11:06 . 2009-04-15 11:06 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-03-26 15:35 . 2009-04-03 13:24 210352 ----a-w- c:\windows\system32\idmmbc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-17_16.59.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-18 13:12 . 2009-06-18 13:12 16384 c:\windows\Temp\Perflib_Perfdata_634.dat
+ 2007-06-28 07:20 . 2007-06-28 07:20 22457 c:\windows\system32\drivers\klop.dat
+ 2007-04-04 09:28 . 2007-04-04 09:28 24344 c:\windows\system32\drivers\klim5.sys
+ 2009-04-15 11:15 . 2009-06-18 04:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-15 11:15 . 2009-06-16 09:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-15 11:15 . 2009-06-18 04:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-15 11:15 . 2009-06-16 09:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-15 11:15 . 2009-06-18 04:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-15 11:15 . 2009-06-16 09:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-06-28 07:21 . 2007-06-28 07:21 206088 c:\windows\system32\klogon.dll
+ 2007-06-27 12:01 . 2009-06-18 05:01 194320 c:\windows\system32\drivers\klif.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"NetMeter"="d:\soft\NetMeter\NetMeter114beta_3.exe" [2009-01-28 297984]
"SpybotSD TeaTimer"="d:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-15 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WinampAgent"="d:\soft\Winamp\New Folder\Winamp\winampa.exe" [2009-04-10 37888]
"SunJavaUpdateSched"="d:\soft\Jre6\bin\jusched.exe" [2009-05-21 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-10-15 14864384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
In2Cable Login.lnk - c:\program files\In2Cable\CMAAClient.exe [2004-4-21 499712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\soft\KASPER~1\NEWFOL~2\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\soft\\Limewire\\New Folder\\LimeWire\\LimeWire.exe"=
"d:\\soft\\Opera\\New Folder\\Opera.exe"=
"c:\\Program Files\\In2Cable\\CMAAClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3373:TCP"= 3373:TCP:hlzqptka

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [4/20/2004 11:31 AM 42972]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/17/2009 12:04 AM 210216]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/4/2007 2:58 PM 24344]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.in/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: Download all links with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - d:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4B4695D1-F431-4C59-A0E7-5E5BFEC65BC2} = 203.192.198.7,203.192.195.18
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 18:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\Sachin\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
d:\soft\KasperSky\New Folder2\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1060)
d:\soft\KasperSky\New Folder2\dnsq.dll
d:\soft\KasperSky\New Folder2\miscr3.dll

- - - - - - - > 'explorer.exe'(288)
c:\program files\McAfee\SiteAdvisor\saHook.dll
d:\soft\KasperSky\New Folder2\miscr3.dll
d:\soft\KasperSky\New Folder2\scrchpg.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
d:\soft\KasperSky\New Folder2\avp.exe
d:\soft\Jre6\bin\jqs.exe
c:\program files\NOKIA\NOKIA PC SUITE 6\LAUNCH~1.EXE
c:\windows\SYSTEM32\PNKBSTRA.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-18 18:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 13:17
ComboFix2.txt 2009-06-17 17:10
ComboFix3.txt 2009-06-17 17:00

Pre-Run: 4,335,869,952 bytes free
Post-Run: 4,311,531,520 bytes free

201




NEW HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:26 PM, on 6/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\soft\Winamp\New Folder\Winamp\winampa.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\soft\Jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\soft\NetMeter\NetMeter114beta_3.exe
D:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\In2Cable\CMAAClient.exe
D:\soft\KasperSky\New Folder2\avp.exe
D:\soft\Jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\soft\Jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\soft\Jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\soft\Winamp\New Folder\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\soft\Jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "D:\soft\KasperSky\New Folder2\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] D:\soft\NetMeter\NetMeter114beta_3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: In2Cable Login.lnk = C:\Program Files\In2Cable\CMAAClient.exe
O8 - Extra context menu item: Download all links with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\soft\KasperSky\New Folder2\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B4695D1-F431-4C59-A0E7-5E5BFEC65BC2}: NameServer = 203.192.198.7,203.192.195.18
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: D:\soft\KASPER~1\NEWFOL~2\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - D:\soft\KasperSky\New Folder2\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\soft\Jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 6977 bytes

Attached Thumbnails

  • MRT_ERROR.jpg

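The CFScript in post #11 and the two ComboFix logs around it revolve around a handful of indicators: two random-named services (gyfyqjeci and zntphf) hosted in the svchost netsvcs group, both with their ServiceDll pointing at c:\windows\system32\xreftpd.dll, a file the listing shows with the system and hidden attributes (--sh--r-), and a Windows Firewall exception on TCP 3373 with the equally random name hlzqptka. The script below is an added example, not part of this thread and not ComboFix's own code, that reads those line types out of a ComboFix log and reports them. The sample inputs are constructed from excerpts of the 17 June log (before the CFScript) and the 18 June log (after it); the random-name pattern and the 1024 port threshold are this example's own heuristics, not anything ComboFix or the thread states.

```python
import re
from collections import defaultdict

# Line formats as ComboFix prints them in the logs in this thread.
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(?:\d+|-+)\s+([-a-z]{8})\s+(.+)$")
SVC_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.+?)\s+\[.*\]$")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# Heuristic (this example's assumption, not a ComboFix rule): a firewall exception on a
# non-privileged port whose description is a bare run of lowercase letters is the random
# name Conficker gives the exception it adds for its own HTTP listener.
RANDOM_RE = re.compile(r"[a-z]{6,12}")

# Constructed sample: excerpts copied from the 17 June ComboFix log (before the CFScript).
BEFORE_LOG = r"""
2009-04-22 07:53 . 2009-04-22 07:53 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2004-08-03 14:26 . 2004-08-03 14:26 164824 --sh--r- c:\windows\system32\xreftpd.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3373:TCP"= 3373:TCP:hlzqptka
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/17/2009 12:04 AM 210216]
S2 gyfyqjeci;Universal Microsoft;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 7:56 PM 14336]
S2 zntphf;Image Shell;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 7:56 PM 14336]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gyfyqjeci]
"ServiceDll"="c:\windows\system32\xreftpd.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zntphf]
"ServiceDll"="c:\windows\system32\xreftpd.dll"
-- end of excerpt --
"""

# Constructed sample: excerpts copied from the 18 June log (after the CFScript ran).
AFTER_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3373:TCP"= 3373:TCP:hlzqptka
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/17/2009 12:04 AM 210216]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/4/2007 2:58 PM 24344]
-- end of excerpt --
"""


def scan_combofix(text):
    """Return a list of findings (strings) for a ComboFix log or excerpt."""
    files = {}        # lowercase path -> attribute string, e.g. --sh--r-
    image = {}        # service name -> image path from the R/S service list
    service_dll = {}  # service name -> ServiceDll value
    open_ports = []   # (port, protocol, description) from GloballyOpenPorts
    current = None    # service whose registry key was printed last
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            files[m.group(2).lower()] = m.group(1)
        elif m := SVC_RE.match(line):
            image[m.group(1)] = m.group(2)
        elif m := KEY_RE.match(line):
            current = m.group(1)
        elif (m := DLL_RE.match(line)) and current:
            service_dll[current] = m.group(1)
        elif m := PORT_RE.match(line):
            open_ports.append((int(m.group(1)), m.group(2), m.group(3)))

    findings = []
    # Rule 1: a service hosted by svchost -k netsvcs whose ServiceDll the file
    # listing shows with both the system and hidden attributes set.
    for name, img in image.items():
        if "-k netsvcs" not in img.lower():
            continue
        dll = service_dll.get(name, "")
        attrs = files.get(dll.lower(), "")
        if "s" in attrs and "h" in attrs:
            findings.append(f"netsvcs service {name} loads hidden+system DLL {dll}")
    # Rule 2: more than one service registered on the same ServiceDll.
    by_dll = defaultdict(list)
    for name, dll in service_dll.items():
        by_dll[dll.lower()].append(name)
    for dll, names in by_dll.items():
        if len(names) > 1:
            findings.append(f"ServiceDll {dll} shared by services {', '.join(sorted(names))}")
    # Rule 3: random-looking firewall exception (heuristic, see RANDOM_RE).
    for port, proto, desc in open_ports:
        if port >= 1024 and RANDOM_RE.fullmatch(desc):
            findings.append(f"firewall exception {port}:{proto} named {desc!r} looks random")
    return findings


if __name__ == "__main__":
    for label, log in (("before CFScript", BEFORE_LOG), ("after CFScript", AFTER_LOG)):
        print(f"{label}:")
        for finding in scan_combofix(log) or ["no findings"]:
            print("  -", finding)
```

Run against the post-cleanup excerpt the script still reports the 3373:TCP exception: the CFScript collected the DLL and removed the two services and the locked CLSID keys, but the GloballyOpenPorts entry named hlzqptka is still present in the 18 June log and is worth deleting by hand. On this machine EnableFirewall is 0, so the entry is inert until the Windows Firewall is switched back on, which is exactly when a forgotten exception would start to matter.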

#13 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 18 June 2009 - 10:13 AM

Hi,

There are a couple of entries on your Combofix log that I need to look into, in the meantime run GMER again and post the NEW log please.

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#14 power333

power333

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 18 June 2009 - 12:15 PM

I couldn't post the GMER report directly; it said it was too long, so I'm attaching it as a file.

NEW HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:01 PM, on 6/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\soft\Winamp\New Folder\Winamp\winampa.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\soft\Jre6\bin\jusched.exe
D:\soft\KasperSky\New Folder2\avp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\soft\NetMeter\NetMeter114beta_3.exe
D:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\In2Cable\CMAAClient.exe
D:\soft\KasperSky\New Folder2\avp.exe
D:\soft\Jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\soft\Jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\soft\Jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\soft\Winamp\New Folder\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\soft\Jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "D:\soft\KasperSky\New Folder2\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] D:\soft\NetMeter\NetMeter114beta_3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\soft\Spybot\New Folder\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: In2Cable Login.lnk = C:\Program Files\In2Cable\CMAAClient.exe
O8 - Extra context menu item: Add to Anti-Banner - D:\soft\KasperSky\New Folder2\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\soft\Internet Download Manager\New Folder\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\soft\KasperSky\New Folder2\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\soft\Spybot\NEWFOL~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B4695D1-F431-4C59-A0E7-5E5BFEC65BC2}: NameServer = 203.192.198.7,203.192.195.18
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: D:\soft\KASPER~1\NEWFOL~2\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - D:\soft\KasperSky\New Folder2\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\soft\Jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7118 bytes

Attached Files


Edited by power333, 18 June 2009 - 12:38 PM.


#15 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 18 June 2009 - 02:52 PM

The rootkit is gone. :thumbup: How are things running now?
