The original version of this page can be found at: http://forum.bullguard.com/forum/10/Help-to-remove-trojan-Download_62114.html
Posted By : shahintey - 5-11-2008 4:46
HijackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 8:34:34 AM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX05.156\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZK
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{053411F1-F25F-4FBA-AEC9-5EB18029DC22}: NameServer = 202.1.192.196,200.1.192.211
O17 - HKLM\System\CS1\Services\Tcpip\..\{053411F1-F25F-4FBA-AEC9-5EB18029DC22}: NameServer = 202.1.192.196,200.1.192.211
O17 - HKLM\System\CS2\Services\Tcpip\..\{053411F1-F25F-4FBA-AEC9-5EB18029DC22}: NameServer = 202.1.192.196,200.1.192.211
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS.0\system32\klogon.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.0\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\wpdshserviceobj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

antispyware log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:37:14 AM 5/11/2008

+ Scan result:



HKLM\SOFTWARE\Classes\Pugi.PugiObj -> Adware.ISTBar : Cleaned.
HKLM\SOFTWARE\Classes\Pugi.PugiObj.1 -> Adware.ISTBar : Cleaned.
HKLM\SOFTWARE\Classes\Pugi.PugiObj\CLSID -> Adware.ISTBar : Cleaned.
HKLM\SOFTWARE\Classes\Pugi.PugiObj\CurVer -> Adware.ISTBar : Cleaned.
C:\Documents and Settings\Admin\Local Settings\Temp\zfe2.exe -> Downloader.Zlob.lrz : Cleaned.
C:\Documents and Settings\Admin\Cookies\admin@atdmt.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Admin\Cookies\admin@search.msn.txt -> TrackingCookie.Msn : Cleaned.


::Report end


ComboFix log

ComboFix 08-05-09.1 - Admin 2008-05-11 8:19:02.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.805 [GMT -7:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\FunWebProducts
C:\Documents and Settings\Admin\Favorites\Online Security Test.url
C:\Documents and Settings\All Users.WINDOWS.0\Desktop\Online Security Guide.url
C:\Documents and Settings\All Users.WINDOWS.0\Desktop\Security Troubleshooting.url
C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\ADSTechnology
C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\ADSTechnology\ADSTechnology.lnk
C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\ADSTechnology\Uninstall.lnk
C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Security Troubleshooting.url
C:\Program Files\ActivationManager
C:\Program Files\ActivationManager\Uninstall.exe
C:\Program Files\ADSTechnology
C:\Program Files\ADSTechnology\ADSTechnology.dll
C:\Program Files\ADSTechnology\ADSTechnology.exe
C:\Program Files\ADSTechnology\Uninstall.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\16E95256.urr
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\11D67780.bin
C:\Program Files\MyWebSearch\bar\Cache\11D67D5C.bin
C:\Program Files\MyWebSearch\bar\Cache\11D680B8.bin
C:\Program Files\MyWebSearch\bar\Cache\11D684EE.bin
C:\Program Files\MyWebSearch\bar\Cache\11D69559.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\NetProject
C:\Program Files\NetProject\ot.ico
C:\Program Files\NetProject\sbmdl.dll
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\ts.ico
C:\WINDOWS.0\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 08:07 . 2008-05-11 08:07 <DIR> d-------- C:\VundoFix Backups
2008-05-11 05:06 . 2008-05-11 05:06 <DIR> d-------- C:\Program Files\CCleaner
2008-05-11 03:22 . 2008-05-11 03:26 664 --a------ C:\WINDOWS.0\system32\d3d9caps.dat
2008-05-10 02:41 . 2008-05-11 06:56 69 --a------ C:\WINDOWS.0\NeroDigital.ini
2008-05-07 13:35 . 2005-09-05 02:40 10,752 --a------ C:\WINDOWS.0\system32\ImageDrive.cpl
2008-05-07 13:33 . 2008-05-07 13:33 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ahead
2008-05-07 13:31 . 2008-05-07 13:31 0 --a------ C:\WINDOWS.0\Irremote.ini
2008-05-06 06:34 . 2008-05-11 05:55 <DIR> d-------- C:\Program Files\!!!ti
2008-05-05 13:41 . 2008-05-05 13:41 <DIR> d-------- C:\Program Files\Sun
2008-05-05 13:40 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS.0\system32\javacpl.cpl
2008-05-04 08:24 . 2008-05-04 08:32 <DIR> d-------- C:\Program Files\FitWorkout 2.2
2008-04-26 12:04 . 2008-04-27 07:54 <DIR> d-------- C:\WINDOWS.0\system32\717305
2008-04-24 02:16 . 2008-05-11 07:53 54,156 --ah----- C:\WINDOWS.0\QTFont.qfn
2008-04-24 02:16 . 2008-04-24 02:16 1,409 --a------ C:\WINDOWS.0\QTFont.for
2008-04-23 11:20 . 2008-04-23 11:20 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-23 11:20 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS.0\system32\drivers\usbaapl.sys
2008-04-23 10:13 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS.0\system32\ptpusd.dll
2008-04-23 10:13 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS.0\system32\drivers\usbscan.sys
2008-04-23 10:13 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS.0\system32\ptpusb.dll
2008-04-23 10:06 . 2008-05-11 05:52 <DIR> d-------- C:\Program Files\iLiberty
2008-04-18 06:40 . 2008-04-18 06:40 <DIR> d-------- C:\Program Files\AsesoftNet iToolbar
2008-04-17 00:02 . 2008-04-17 00:02 <DIR> d-------- C:\Program Files\satellitepc
2008-04-15 03:15 . 2007-06-25 23:06 1,104,896 --------- C:\WINDOWS.0\system32\dllcache\msxml3.dll
2008-04-15 03:15 . 2007-06-13 03:23 1,033,216 --------- C:\WINDOWS.0\system32\dllcache\explorer.exe
2008-04-15 03:14 . 2008-03-19 02:40 1,845,888 --------- C:\WINDOWS.0\system32\dllcache\win32k.sys
2008-04-15 03:14 . 2007-10-30 10:20 360,064 --------- C:\WINDOWS.0\system32\dllcache\tcpip.sys
2008-04-15 03:14 . 2007-12-18 02:51 179,584 --------- C:\WINDOWS.0\system32\dllcache\mrxdav.sys
2008-04-15 03:13 . 2007-10-29 15:35 1,287,680 --------- C:\WINDOWS.0\system32\dllcache\quartz.dll
2008-04-15 03:13 . 2007-11-07 02:50 727,040 --------- C:\WINDOWS.0\system32\dllcache\lsasrv.dll
2008-04-15 03:13 . 2007-08-20 23:25 683,520 --------- C:\WINDOWS.0\system32\dllcache\inetcomm.dll
2008-04-15 03:13 . 2008-02-19 23:52 282,624 --------- C:\WINDOWS.0\system32\dllcache\gdi32.dll
2008-04-15 03:12 . 2007-12-04 11:38 550,912 --------- C:\WINDOWS.0\system32\dllcache\oleaut32.dll
2008-04-15 03:12 . 2008-02-19 22:19 147,968 --------- C:\WINDOWS.0\system32\dllcache\dnsapi.dll
2008-04-15 03:12 . 2008-02-20 11:49 45,568 --------- C:\WINDOWS.0\system32\dllcache\dnsrslvr.dll
2008-04-15 03:02 . 2008-04-15 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-15 03:02 . 2004-08-03 15:00 221,184 --a------ C:\WINDOWS.0\system32\wmpns.dll
2008-04-15 01:51 . 2007-10-25 20:34 8,460,288 --------- C:\WINDOWS.0\system32\dllcache\shell32.dll
2008-04-15 01:51 . 2007-07-06 05:46 660,992 --------- C:\WINDOWS.0\system32\dllcache\mqqm.dll
2008-04-15 01:51 . 2007-07-06 05:46 471,552 --------- C:\WINDOWS.0\system32\dllcache\mqutil.dll
2008-04-15 01:51 . 2007-07-06 05:46 177,152 --------- C:\WINDOWS.0\system32\dllcache\mqrt.dll
2008-04-15 01:51 . 2007-07-06 05:46 138,240 --------- C:\WINDOWS.0\system32\dllcache\mqad.dll
2008-04-15 01:51 . 2007-07-06 05:46 95,744 --------- C:\WINDOWS.0\system32\dllcache\mqsec.dll
2008-04-15 01:51 . 2007-07-06 03:05 72,960 --------- C:\WINDOWS.0\system32\dllcache\mqac.sys
2008-04-15 01:51 . 2007-07-06 05:46 48,640 --------- C:\WINDOWS.0\system32\dllcache\mqupgrd.dll
2008-04-15 01:51 . 2007-07-06 05:46 47,104 --------- C:\WINDOWS.0\system32\dllcache\mqdscli.dll
2008-04-15 01:51 . 2007-07-06 05:46 16,896 --------- C:\WINDOWS.0\system32\dllcache\mqise.dll
2008-04-15 01:24 . 2008-04-15 01:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\nView_Profiles
2008-04-15 00:48 . 2007-07-09 06:16 582,656 --------- C:\WINDOWS.0\system32\dllcache\rpcrt4.dll
2008-04-14 09:18 . 2008-05-10 04:04 <DIR> d-------- C:\Downloads
2008-04-14 07:58 . 2008-04-16 03:04 <DIR> d--h----- C:\WINDOWS.0\$hf_mig$
2008-04-14 07:52 . 2008-03-01 06:03 6,067,712 --------- C:\WINDOWS.0\system32\dllcache\ieframe.dll
2008-04-14 07:52 . 2007-06-30 20:31 2,455,488 --------- C:\WINDOWS.0\system32\dllcache\ieapfltr.dat
2008-04-14 07:52 . 2007-06-30 20:36 991,232 --------- C:\WINDOWS.0\system32\dllcache\ieframe.dll.mui
2008-04-14 07:52 . 2008-03-01 06:03 459,264 --------- C:\WINDOWS.0\system32\dllcache\msfeeds.dll
2008-04-14 07:52 . 2008-03-01 06:03 383,488 --------- C:\WINDOWS.0\system32\dllcache\ieapfltr.dll
2008-04-14 07:52 . 2008-03-01 06:03 267,776 --------- C:\WINDOWS.0\system32\dllcache\iertutil.dll
2008-04-14 07:52 . 2008-03-01 06:03 63,488 --------- C:\WINDOWS.0\system32\dllcache\icardie.dll
2008-04-14 07:52 . 2008-03-01 06:03 52,224 --------- C:\WINDOWS.0\system32\dllcache\msfeedsbs.dll
2008-04-14 07:52 . 2008-02-22 02:39 13,824 --------- C:\WINDOWS.0\system32\dllcache\ieudinit.exe
2008-04-14 07:39 . 2008-04-14 07:39 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-14 07:01 . 2008-05-11 08:14 <DIR> d-------- C:\Program Files\FlashGet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 15:14 41,492 --sha-w C:\WINDOWS.0\system32\drivers\fidbox2.idx
2008-05-11 15:14 366,368 --sha-w C:\WINDOWS.0\system32\drivers\fidbox2.dat
2008-05-11 15:14 189,908 --sha-w C:\WINDOWS.0\system32\drivers\fidbox.idx
2008-05-11 15:14 16,140,576 --sha-w C:\WINDOWS.0\system32\drivers\fidbox.dat
2008-05-11 14:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Kaspersky Lab
2008-05-11 13:25 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2008-05-11 12:53 --------- d-----w C:\Program Files\Real
2008-05-11 12:52 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-11 05:29 --------- d-----w C:\Program Files\Windows Live
2008-05-06 20:30 --------- d-----w C:\Documents and Settings\Admin\Application Data\dvdcss
2008-05-05 20:40 --------- d-----w C:\Program Files\Java
2008-05-05 14:49 --------- d-----w C:\Program Files\Apple Software Update
2008-04-24 09:09 --------- d-----w C:\Program Files\iTunes
2008-04-24 09:09 --------- d-----w C:\Program Files\iPod
2008-04-24 05:11 --------- d-----w C:\Documents and Settings\Admin\Application Data\Apple Computer
2008-04-23 18:23 --------- d-----w C:\Program Files\Bonjour
2008-04-23 18:22 --------- d-----w C:\Program Files\QuickTime
2008-04-17 18:26 96,645 ----a-w C:\WINDOWS.0\system32\drivers\klin.dat
2008-04-17 18:26 87,941 ----a-w C:\WINDOWS.0\system32\drivers\klick.dat
2008-04-15 20:35 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-15 20:35 --------- d-----w C:\Program Files\Windows Live Favorites
2008-04-15 20:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\WLInstaller
2008-04-15 10:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Microsoft Help
2008-04-14 14:42 --------- d-----w C:\Program Files\Opera
2008-04-11 00:32 --------- d-----w C:\Program Files\Zoom Player
2008-04-10 08:53 --------- d-----w C:\Program Files\MSN Messenger
2008-04-10 08:42 --------- d-----w C:\Program Files\DIFX
2008-04-02 03:55 --------- d-----w C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-04-02 03:15 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Grisoft
2008-04-02 03:09 --------- d-----w C:\Documents and Settings\Admin\Application Data\Grisoft
2008-03-26 02:36 --------- d-----w C:\Program Files\ImTOO
2008-03-23 05:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Apple
2008-03-23 01:44 --------- d-----w C:\Documents and Settings\Admin\Application Data\vlc
2008-03-22 06:54 9,480 ----a-w C:\WINDOWS.0\system32\icardres.dll
2008-03-22 06:54 83,968 ----a-w C:\WINDOWS.0\system32\infocardapi.dll
2008-03-22 06:54 556,296 ----a-w C:\WINDOWS.0\system32\icardagt.exe
2008-03-22 06:54 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-22 06:52 32,768 ----a-w C:\WINDOWS.0\system32\netfxperf.dll
2008-03-22 06:52 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-22 06:46 --------- d-----w C:\Program Files\Common Files\Java
2008-03-22 06:42 --------- d-----w C:\Program Files\DivX
2008-03-22 06:22 --------- d-----w C:\Documents and Settings\Admin\Application Data\Thunderbird
2008-03-22 06:22 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2008-03-22 04:47 --------- d-----w C:\Program Files\Styler
2008-03-22 04:47 --------- d-----w C:\Documents and Settings\Admin\Application Data\Styler
2008-03-22 04:39 --------- d-----w C:\Program Files\RocketDock
2008-03-22 04:34 --------- d-----w C:\Program Files\Tiger System Preferences v2
2008-03-22 04:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-21 18:52 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Kaspersky Lab Setup Files
2008-03-21 18:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Apple Computer
2008-03-21 18:50 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Skype
2008-03-21 18:03 --------- d-----w C:\Program Files\Kaspersky Lab
2008-03-21 18:03 --------- d-----w C:\Program Files\Accent Xpress
2008-03-21 18:00 --------- d-----w C:\Program Files\MSBuild
2008-03-21 14:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 14:35 --------- d-----w C:\Program Files\CyberLink
2008-03-21 14:32 --------- d-----w C:\Documents and Settings\shaheen\Application Data\Skype
2008-03-21 11:09 --------- d-----w C:\Documents and Settings\shaheen\Application Data\skypePM
2008-03-20 15:58 --------- d-----w C:\Documents and Settings\shaheen\Application Data\Ashampoo
2008-03-20 15:57 --------- d-----w C:\Program Files\Ashampoo
2008-03-20 14:36 --------- d-----w C:\Documents and Settings\shaheen\Application Data\Ahead
2008-03-20 12:11 --------- d-----w C:\Program Files\Steganos Security Suite 2007
2008-03-20 12:08 --------- d-----w C:\Program Files\DEKSI Network Inventory
2008-03-20 12:01 --------- d-----w C:\Program Files\XviD
2008-03-20 12:00 --------- d-----w C:\Program Files\Apex
2008-03-20 11:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 20:31 --------- d-----w C:\Documents and Settings\shaheen\Application Data\dvdcss
2008-03-19 17:50 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-19 17:43 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS.0\system32\win32k.sys
2008-03-14 08:42 --------- d-----w C:\Documents and Settings\shaheen\Application Data\Apple Computer
2008-03-13 13:07 --------- d-----w C:\Documents and Settings\shaheen\Application Data\Lavasoft
2008-03-13 12:55 --------- d-----w C:\Program Files\Nero
2008-03-13 12:55 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-04 19:33 7,680 ----a-w C:\WINDOWS.0\system32\ff_vfw.dll
2008-02-22 09:40 625,664 ------w C:\WINDOWS.0\system32\dllcache\iexplore.exe
2008-02-22 09:39 70,656 ------w C:\WINDOWS.0\system32\dllcache\ie4uinit.exe
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS.0\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS.0\system32\gdi32.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS.0\system32\dllcache\ieakui.dll
.

------- Sigcheck -------

2007-10-13 20:44 2182144 a09c144d8d5a460b8ebfa56f913715d2 C:\WINDOWS.0\system32\ntkrnlpa.exe

2007-10-13 20:38 2302464 465e3e1178812be755634457f4a778bf C:\WINDOWS.0\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-03 15:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2005-09-03 03:18 94208]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-04-23 09:19 1189104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2005-12-14 15:51 7323648]
"nwiz"="nwiz.exe" [2005-12-14 15:51 1519616 C:\WINDOWS.0\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 18:23 15961088 C:\WINDOWS.0\RTHDCPL.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 12:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 00:51 218376]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-04-01 20:15 6731312]
"Flashget"="C:\Program Files\FlashGet\FlashGet.exe" [2007-09-25 01:10 2007088]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NeroFilterCheck"="C:\WINDOWS.0\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\system32\CTFMON.EXE" [2004-08-03 15:00 15360]

C:\Documents and Settings\shaheen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 08:24:54 98632]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 08:24:54 98632]
Styler.lnk - C:\Documents and Settings\Admin\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2008-03-21 21:41:06 15086]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 23:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS.0\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS.0\system32\DRIVERS\klim5.sys [2007-04-04 02:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - fun.exe
\Shell\explore\Command - fun.exe
\Shell\open\Command - fun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - fun.exe
\Shell\explore\Command - fun.exe
\Shell\open\Command - fun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{368e2449-093a-11dd-918b-0016ec8cbe30}]
\Shell\AutoRun\command - MntDrCore.exe
\Shell\Open\command - MntDrCore.exe
\Shell\Open With...\command - MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7eedcf68-f76b-11dc-b336-0016ec8cbe30}]
\Shell\AutoRun\command - MntDrCore.exe
\Shell\Open\command - MntDrCore.exe
\Shell\Open With...\command - MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9044b031-1e8d-11dd-8d5b-0016ec8cbe30}]
\Shell\AutoRun\command - fun.exe
\Shell\explore\Command - fun.exe
\Shell\open\Command - fun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9044b033-1e8d-11dd-8d5b-0016ec8cbe30}]
\Shell\AutoRun\command - fun.exe
\Shell\explore\Command - fun.exe
\Shell\open\Command - fun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3b22faf-0293-11dd-9183-0016ec8cbe30}]
\Shell\Auto\command - N:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS.0\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 14:49:31 C:\WINDOWS.0\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-11 14:22:01 C:\WINDOWS.0\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 08:23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-11 8:24:04
ComboFix-quarantined-files.txt 2008-05-11 15:23:38

Pre-Run: 59,620,769,792 bytes free
Post-Run: 66,873,708,544 bytes free

328 --- E O F --- 2008-04-17 08:34:17


Posted By : Touch - 5-12-2008 6:12
Hello cool
If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (normally C:), and launch from there.

Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.


Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, normally C:\rapport.txt

Post a fresh HijackThis log with rapport.txt, and tell us how your computer is behaving.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
process.exe is detected by some antivirus programs as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Do NOT post your problem in someone else's thread.