Please see my HijackThis log
#1 - entity - 10-Jul-2008, 01:54 AM
Hi guys, how's everything going?
I don't see anything wrong, but there is something wrong with the PC: it's very, very slow, which it wasn't before. Moreover, I have started using Firefox because IE used to give virus alert messages and pop-ups to virus-scan sites. That was 2 days back; now IE is fine but the computer is still very slow. Please check my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:20 AM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84D81F69-E513-409C-BA72-2B53D2383C57} - C:\WINDOWS\system32\yayxyATn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A50B2AF-3B2B-47DD-AECD-5D80A886F504} - C:\WINDOWS\system32\iifefFwu.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcATlIy - efcATlIy.dll (file missing)
O20 - Winlogon Notify: efcDWOFv - efcDWOFv.dll (file missing)
O20 - Winlogon Notify: iifefFwu - C:\WINDOWS\SYSTEM32\iifefFwu.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 6031 bytes

PS: I am now a very old member of this site; you guys are great and have always been so helpful. God bless you guys for helping out so many people.
#2 - entity - 12-Jul-2008, 05:03 AM
:O umm... guys, is everything OK?
#3 - sjpritch25 (Moderator & Malware Removal Specialist) - 12-Jul-2008, 11:41 PM
Sorry for the delay. It's been a very busy week.

Welcome to TSG
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
#4 - entity - 13-Jul-2008, 03:28 AM
ComboFix 08-07-12.1 - user1 2008-07-13 9:56:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.655 [GMT 4:00]
Running from: C:\Documents and Settings\user1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\ADSTechnology
C:\Documents and Settings\All Users\Start Menu\Programs\ADSTechnology\ADSTechnology.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\ADSTechnology\Uninstall.lnk
C:\Documents and Settings\user1\Application Data\macromedia\Flash Player\#SharedObjects\6PJC6UN8\iforex.com
C:\Documents and Settings\user1\Application Data\macromedia\Flash Player\#SharedObjects\6PJC6UN8\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\user1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\user1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\3913560.exe
C:\WINDOWS\system32\byXRhEuS.dll
C:\WINDOWS\system32\evdjysdo.ini
C:\WINDOWS\system32\flmvodpf.dll
C:\WINDOWS\system32\fpdovmlf.ini
C:\WINDOWS\system32\gaiwhnkx.dll
C:\WINDOWS\system32\iifefFwu.dll
C:\WINDOWS\system32\irjvcduy.ini
C:\WINDOWS\system32\jkkKeDuV.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nfdwpkvy.ini
C:\WINDOWS\system32\nTAyxyay.ini
C:\WINDOWS\system32\nTAyxyay.ini2
C:\WINDOWS\system32\opnLcbax.dll
C:\WINDOWS\system32\pmwflujw.ini
C:\WINDOWS\system32\sklrbrhg.ini
C:\WINDOWS\system32\urqPfeca.dll
C:\WINDOWS\system32\xknhwiag.ini
C:\WINDOWS\system32\yayxyATn.dll
C:\WINDOWS\system32\yvkpwdfn.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-13 to 2008-07-13 )))))))))))))))))))))))))))))))
.

2008-07-11 20:29 . 2008-07-12 09:19 <DIR> d-------- C:\Documents and Settings\user1\Application Data\Apple Computer
2008-07-11 20:28 . 2008-07-11 20:28 <DIR> d-------- C:\Program Files\iPod
2008-07-11 20:27 . 2008-07-11 20:29 <DIR> d-------- C:\Program Files\iTunes
2008-07-11 20:26 . 2008-07-12 10:57 <DIR> d-------- C:\Program Files\Bonjour
2008-07-11 20:24 . 2008-07-11 20:26 <DIR> d-------- C:\Program Files\QuickTime
2008-07-11 20:23 . 2008-07-12 09:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-11 20:22 . 2008-07-11 20:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-11 20:21 . 2008-07-11 20:21 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-11 20:21 . 2008-07-11 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-07 16:07 . 2008-07-10 12:32 <DIR> d-------- C:\Azhar
2008-07-07 16:06 . 2008-07-07 16:06 244 --ah----- C:\sqmnoopt01.sqm
2008-07-07 16:06 . 2008-07-07 16:06 232 --ah----- C:\sqmdata01.sqm
2008-07-07 09:11 . 2008-07-07 09:12 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-07 08:23 . 2008-07-07 08:23 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-07 08:23 . 2008-07-07 08:23 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-07 07:54 . 2008-07-13 10:05 1,458,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-07 07:54 . 2008-07-13 10:05 344,096 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-07 07:54 . 2008-07-13 10:05 14,572 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-07 07:54 . 2008-07-13 10:05 4,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-06 09:47 . 2008-07-06 09:47 <DIR> d-------- C:\Program Files\Easy Video Splitter
2008-07-06 00:04 . 2008-07-06 00:05 <DIR> d-------- C:\Program Files\eMule
2008-07-06 00:04 . 2008-07-06 00:04 <DIR> d-------- C:\Documents and Settings\user1\Application Data\eMule
2008-07-05 07:52 . 2008-07-05 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 07:51 . 2008-07-05 07:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-05 07:51 . 2008-07-05 07:51 <DIR> d-------- C:\Documents and Settings\user1\Application Data\SUPERAntiSpyware.com
2008-07-05 03:33 . 2008-07-05 03:34 <DIR> d-------- C:\Program Files\Access Remote PC 4.9
2008-07-03 17:00 . 2008-07-04 22:53 <DIR> d-------- C:\Program Files\HDD Regenerator
2008-07-03 07:55 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-03 07:47 . 2008-07-13 06:16 <DIR> d-------- C:\updates
2008-07-02 17:24 . 2008-07-02 17:24 <DIR> d-------- C:\Program Files\MagicISO
2008-07-02 09:36 . 2008-02-07 17:10 <DIR> d--h----- C:\ckis
2008-07-02 09:14 . 2008-07-07 08:21 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-02 06:57 . 2008-07-02 06:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-02 06:53 . 2008-07-02 06:53 20,480 --a------ C:\WINDOWS\system32\f_win32.dll
2008-07-02 06:52 . 2008-07-02 06:52 20,480 --a------ C:\WINDOWS\system32\om_win32.dll
2008-07-02 06:50 . 2008-07-02 06:50 20,480 --a------ C:\WINDOWS\system32\f_view.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 06:04 --------- d-----w C:\Documents and Settings\user1\Application Data\uTorrent
2008-07-13 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-13 03:22 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-13 03:16 --------- d-----w C:\Program Files\Alcohol 120
2008-07-07 05:55 --------- d-----w C:\Program Files\mIRC
2008-07-05 03:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 20:41 --------- d-----w C:\Program Files\Media Player Classic
2008-07-03 01:54 --------- d-----w C:\Program Files\Common Files\Real
2008-07-02 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-02 03:10 --------- d-----w C:\Program Files\Yahoo!
2008-07-01 22:56 --------- d-----w C:\Documents and Settings\user1\Application Data\Yahoo!
2008-07-01 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-22 17:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 17:03 --------- d-----w C:\Program Files\IGC
2008-05-22 09:56 --------- d-----w C:\Program Files\CallBuddy
2008-05-13 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-25 14:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.

------- Sigcheck -------

2004-08-04 01:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 01:14 359040 c1783498edb152656303b5d5bcabd86c C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 09:26 7700480]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 18:58 282624 C:\WINDOWS\sttray.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Usman\\Usman\\utorrent.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"C:\\Program Files\\GCC2U\\gccfone.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Prg\\PdfEditor\\PDFEdit.exe"=
"E:\\Usman\\Usman\\torrent.exe"=
"F:\\Prg\\Quake\\glquake.exe"=
"F:\\Prg\\Unreal Tournament\\System\\UnrealTournament.exe"=
"F:\\Prg\\Painkiller\\Bin\\Painkiller.exe"=
"C:\\Program Files\\VPN SIPLink\\SIPLink.exe"=
"C:\\Program Files\\VPN SIPLink\\vtc.exe"=
"C:\\Program Files\\TheIPWorld\\TheIPWorld.exe"=
"C:\\Program Files\\TheIPWorld\\vtc.exe"=
"C:\\Program Files\\DXBCalls\\DXBCalls.exe"=
"C:\\Program Files\\DXBCalls\\vtc.exe"=
"C:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Documents and Settings\\user1\\My Documents\\My Received Files\\New Folder\\utorrent.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\CallBuddy\\CallBuddy.exe"=
"C:\\Program Files\\Access Remote PC 4.9\\rpcsetup.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b004866-3fee-11dc-b2d1-0019d149c024}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a1ee689-9a9f-11dc-9a6f-0019d149c024}]
\Shell\Auto\command - fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1ad9c6f-3dc8-11dc-932f-0019d149c024}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
- - - - ORPHANS REMOVED - - - -

Notify-efcATlIy - efcATlIy.dll
Notify-efcDWOFv - efcDWOFv.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 10:08:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-13 10:14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-13 06:14:28

Pre-Run: 20,713,160,704 bytes free
Post-Run: 22,153,371,648 bytes free

201


________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:24 AM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 5211 bytes
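The two logs above show the pattern a triage pass looks for: the BHOs registered as "(no name)" against random-looking DLLs in system32 (yayxyATn.dll, iifefFwu.dll) and the Winlogon Notify keys whose DLLs were already missing, which ComboFix then deleted or listed as orphans. The Python below is an added example, not HijackThis, ComboFix or the thread's own tooling: it applies those heuristics to O2/O20 lines excerpted from the first HijackThis log and cross-checks the hits against the "Other Deletions" list from the ComboFix log. The looks_random rule (eight letters, capitals mid-word) is an assumption fitted to this log, not a general malware test.

```python
"""Triage helper for a HijackThis log: flag BHO (O2) and Winlogon Notify (O20)
entries that look like the ones ComboFix removed in this thread. Added example;
heuristics only, a hit is a lead for an analyst, not a verdict."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Sample input: O2/O20 lines excerpted from the HijackThis log posted above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {84D81F69-E513-409C-BA72-2B53D2383C57} - C:\WINDOWS\system32\yayxyATn.dll
O2 - BHO: (no name) - {9A50B2AF-3B2B-47DD-AECD-5D80A886F504} - C:\WINDOWS\system32\iifefFwu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcATlIy - efcATlIy.dll (file missing)
O20 - Winlogon Notify: efcDWOFv - efcDWOFv.dll (file missing)
O20 - Winlogon Notify: iifefFwu - C:\WINDOWS\SYSTEM32\iifefFwu.dll
"""

# Subset of the "Other Deletions" list from the first ComboFix log above.
COMBOFIX_DELETED = {
    r"C:\WINDOWS\system32\iifefFwu.dll",
    r"C:\WINDOWS\system32\yayxyATn.dll",
    r"C:\WINDOWS\system32\byXRhEuS.dll",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


@dataclass(frozen=True)
class Finding:
    section: str   # "O2" or "O20"
    target: str    # DLL file name, or the CLSID when no file is recorded
    verdict: str   # "orphan" or "suspicious"
    reason: str


def looks_random(filename: str) -> bool:
    """Eight letters, mixed case with capitals mid-word (yayxyATn, iifefFwu):
    the naming pattern shared by the DLLs ComboFix deleted in this thread.
    An assumption fitted to this log, not a general test."""
    stem, _ = ntpath.splitext(ntpath.basename(filename))
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    return any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)


def triage_hjt(text: str) -> list[Finding]:
    """Return the O2/O20 entries worth a second look, in log order."""
    findings = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            name, clsid, path = m.group("name", "clsid", "path")
            if path == "(no file)":
                findings.append(Finding("O2", "{%s}" % clsid, "orphan", "BHO registered with no file on disk"))
            elif name == "(no name)" or looks_random(path):
                why = "unnamed BHO backed by a real DLL" if name == "(no name)" else "random-looking DLL name"
                findings.append(Finding("O2", ntpath.basename(path), "suspicious", why))
            continue
        m = O20_RE.match(line)
        if m:
            path, missing = m.group("path", "missing")
            if missing:
                findings.append(Finding("O20", ntpath.basename(path), "orphan", "Winlogon Notify key for a missing DLL"))
            elif looks_random(path):
                findings.append(Finding("O20", ntpath.basename(path), "suspicious", "Winlogon Notify DLL with random-looking name"))
    return findings


def unresolved(findings: list[Finding], deleted: set[str]) -> set[str]:
    """Suspicious DLLs that ComboFix's deletion list does not account for (case-insensitive)."""
    gone = {ntpath.basename(p).lower() for p in deleted}
    return {f.target for f in findings if f.verdict == "suspicious" and f.target.lower() not in gone}


if __name__ == "__main__":
    hits = triage_hjt(HJT_SAMPLE)
    for f in hits:
        print(f"{f.section:4} {f.verdict:10} {f.target:42} {f.reason}")
    print("still unresolved:", unresolved(hits, COMBOFIX_DELETED) or "none")
```

Orphans (a CLSID with no file, a Notify key whose DLL is gone) are leftovers to clean rather than active threats; the suspicious set is what must be matched against what the removal tool actually deleted, which is what the second HijackThis log in the post above confirms.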
#5 - sjpritch25 (Moderator & Malware Removal Specialist) - 13-Jul-2008, 08:49 AM
Download the attached file CFScript.txt to your Desktop.

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note: Please do not use this script on another computer; you may damage the system. The script is made especially for this user's computer only!!!!


==========================================



At some point you had an autorun worm infection and some removable media is infected. I need you to plug in all of your removable media devices.


1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
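The MountPoints2 entries in the first ComboFix log are what the moderator means by autorun-worm residue: for three volume GUIDs the Auto and AutoRun verbs were pointed at boot.exe, fun.xls.exe and MicrosoftPowerPoint.exe on the removable drive, so opening the drive in Explorer launched the worm. Flash_Disinfector's protection, as described above, is to occupy the autorun.inf name on each drive with a hidden directory so the worm cannot write its file there. The Python below is an added example, not Flash_Disinfector's or ComboFix's code: it parses those entries (key path shown unwrapped), unwraps the RunDLL32/ShellExec_RunDLL wrapper to the real payload, reads what an autorun.inf file would launch, and creates the placeholder directory. The autorun.inf content in demo() is constructed for the example; the hidden attribute is only set when running on Windows.

```python
"""Autorun-worm residue: parse the MountPoints2 entries ComboFix printed above,
extract the payloads the worm registered, and inspect/protect a drive root the
way the thread describes Flash_Disinfector doing. Added example."""
from __future__ import annotations

import os
import re
import tempfile

# Sample input: the three MountPoints2 entries from the first ComboFix log above.
MOUNTPOINTS_SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b004866-3fee-11dc-b2d1-0019d149c024}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a1ee689-9a9f-11dc-9a6f-0019d149c024}]
\Shell\Auto\command - fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1ad9c6f-3dc8-11dc-932f-0019d149c024}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
"""

KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-fA-F-]+\})\]$")
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$")
SHELLEXEC_RE = re.compile(r"ShellExec_RunDLL\s+(?P<target>.+)$", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(xls|doc|ppt|pdf|jpg|txt)\.exe$", re.IGNORECASE)


def parse_mountpoints(text: str) -> dict[str, dict[str, str]]:
    """{volume GUID: {verb: command}} from ComboFix's MountPoints2 listing."""
    entries, guid = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            guid = m.group(1).lower()
            entries[guid] = {}
            continue
        m = CMD_RE.match(line)
        if m and guid:
            entries[guid][m.group("verb")] = m.group("cmd")
    return entries


def payload(command: str) -> str:
    """The file a verb ultimately launches (unwraps the RunDLL32 ShellExec_RunDLL form)."""
    m = SHELLEXEC_RE.search(command)
    return (m.group("target") if m else command).strip()


def payloads(entries: dict[str, dict[str, str]]) -> set[str]:
    return {payload(cmd) for verbs in entries.values() for cmd in verbs.values()}


def disguised(names: set[str]) -> set[str]:
    """Double extensions such as fun.xls.exe: an executable posing as a document."""
    return {n for n in names if DOUBLE_EXT_RE.search(n)}


def read_autorun_inf(path: str) -> dict[str, str]:
    """Launch keys (open, shellexecute, shell\\...\\command) from an autorun.inf file."""
    keys, in_section = {}, False
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("["):
                in_section = line.lower() == "[autorun]"
                continue
            if in_section and "=" in line:
                k, v = line.split("=", 1)
                k = k.strip().lower()
                if k in ("open", "shellexecute") or k.endswith("\\command"):
                    keys[k] = v.strip()
    return keys


def inspect_drive_root(root: str) -> tuple[str, dict[str, str]]:
    """'directory': placeholder present (protected); 'file': an autorun.inf file
    is there, with what it would launch; 'none': nothing at that name."""
    p = os.path.join(root, "autorun.inf")
    if os.path.isdir(p):
        return "directory", {}
    if os.path.isfile(p):
        return "file", read_autorun_inf(p)
    return "none", {}


def protect_drive_root(root: str) -> bool:
    """Occupy the autorun.inf name with a directory. Returns False if an
    autorun.inf *file* is in the way: remove that first, it is the infection."""
    p = os.path.join(root, "autorun.inf")
    if os.path.isfile(p):
        return False
    os.makedirs(p, exist_ok=True)
    if os.name == "nt":  # hidden, as the thread says Flash_Disinfector's folder is
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(p, 0x2)  # FILE_ATTRIBUTE_HIDDEN
    return True


def demo() -> tuple:
    """Infected drive -> blocked protect -> cleaned -> protected, in a temp dir.
    The autorun.inf text is constructed for the example, not a real sample."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=fun.xls.exe\nshell\\Auto\\command=fun.xls.exe\nicon=fun.xls.exe,0\n")
    before = inspect_drive_root(root)
    blocked = protect_drive_root(root)
    os.remove(os.path.join(root, "autorun.inf"))
    protected = protect_drive_root(root)
    return before, blocked, protected, inspect_drive_root(root)


if __name__ == "__main__":
    names = payloads(parse_mountpoints(MOUNTPOINTS_SAMPLE))
    print("registered payloads:", sorted(names), "disguised:", sorted(disguised(names)))
    print(demo())
```

The MountPoints2 keys are per-user cache entries for volumes Windows has seen; they record what autorun.inf said at the time, so they are evidence of the drive's contents even after the drive is unplugged. That is why the moderator asks for every removable device to be plugged in before cleaning: the registry entries go away with the script, but the autorun.inf and payload on each stick must be dealt with on the stick itself.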
#6 - entity - 14-Jul-2008, 02:39 AM
Thank you for Flash Disinfector and for looking into my PC's problem.

ComboFix 08-07-12.1 - user1 2008-07-14 9:30:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.714 [GMT 4:00]
Running from: C:\Documents and Settings\user1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user1\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
H:\MicrosoftPowerPoint.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-14 09:22 . 2008-07-14 09:22 <DIR> d-------- C:\Program Files\Sothink Web Video Downloader
2008-07-11 20:29 . 2008-07-12 09:19 <DIR> d-------- C:\Documents and Settings\user1\Application Data\Apple Computer
2008-07-11 20:28 . 2008-07-11 20:28 <DIR> d-------- C:\Program Files\iPod
2008-07-11 20:27 . 2008-07-11 20:29 <DIR> d-------- C:\Program Files\iTunes
2008-07-11 20:26 . 2008-07-12 10:57 <DIR> d-------- C:\Program Files\Bonjour
2008-07-11 20:24 . 2008-07-11 20:26 <DIR> d-------- C:\Program Files\QuickTime
2008-07-11 20:23 . 2008-07-12 09:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-11 20:22 . 2008-07-11 20:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-11 20:21 . 2008-07-11 20:21 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-11 20:21 . 2008-07-11 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-07 16:07 . 2008-07-10 12:32 <DIR> d-------- C:\Azhar
2008-07-07 16:06 . 2008-07-07 16:06 244 --ah----- C:\sqmnoopt01.sqm
2008-07-07 16:06 . 2008-07-07 16:06 232 --ah----- C:\sqmdata01.sqm
2008-07-07 09:11 . 2008-07-07 09:12 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-07 08:23 . 2008-07-07 08:23 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-07 08:23 . 2008-07-07 08:23 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-07 07:54 . 2008-07-14 07:06 1,526,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-07 07:54 . 2008-07-14 02:58 352,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-07 07:54 . 2008-07-14 07:06 15,104 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-07 07:54 . 2008-07-14 02:58 4,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-06 09:47 . 2008-07-06 09:47 <DIR> d-------- C:\Program Files\Easy Video Splitter
2008-07-06 00:04 . 2008-07-06 00:05 <DIR> d-------- C:\Program Files\eMule
2008-07-06 00:04 . 2008-07-06 00:04 <DIR> d-------- C:\Documents and Settings\user1\Application Data\eMule
2008-07-05 07:52 . 2008-07-05 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 07:51 . 2008-07-05 07:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-05 07:51 . 2008-07-05 07:51 <DIR> d-------- C:\Documents and Settings\user1\Application Data\SUPERAntiSpyware.com
2008-07-05 03:33 . 2008-07-05 03:34 <DIR> d-------- C:\Program Files\Access Remote PC 4.9
2008-07-03 17:00 . 2008-07-04 22:53 <DIR> d-------- C:\Program Files\HDD Regenerator
2008-07-03 07:55 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-03 07:47 . 2008-07-13 06:16 <DIR> d-------- C:\updates
2008-07-02 17:24 . 2008-07-02 17:24 <DIR> d-------- C:\Program Files\MagicISO
2008-07-02 09:36 . 2008-02-07 17:10 <DIR> d--h----- C:\ckis
2008-07-02 09:14 . 2008-07-07 08:21 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-02 06:57 . 2008-07-02 06:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-02 06:53 . 2008-07-02 06:53 20,480 --a------ C:\WINDOWS\system32\f_win32.dll
2008-07-02 06:52 . 2008-07-02 06:52 20,480 --a------ C:\WINDOWS\system32\om_win32.dll
2008-07-02 06:50 . 2008-07-02 06:50 20,480 --a------ C:\WINDOWS\system32\f_view.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 05:27 --------- d-----w C:\Documents and Settings\user1\Application Data\uTorrent
2008-07-13 06:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-13 03:22 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-13 03:16 --------- d-----w C:\Program Files\Alcohol 120
2008-07-07 05:55 --------- d-----w C:\Program Files\mIRC
2008-07-05 03:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 20:41 --------- d-----w C:\Program Files\Media Player Classic
2008-07-03 01:54 --------- d-----w C:\Program Files\Common Files\Real
2008-07-02 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-02 03:10 --------- d-----w C:\Program Files\Yahoo!
2008-07-01 22:56 --------- d-----w C:\Documents and Settings\user1\Application Data\Yahoo!
2008-07-01 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-22 17:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 17:03 --------- d-----w C:\Program Files\IGC
2008-05-22 09:56 --------- d-----w C:\Program Files\CallBuddy
2008-04-25 14:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.

------- Sigcheck -------

2004-08-04 01:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 01:14 359040 c1783498edb152656303b5d5bcabd86c C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 09:26 7700480]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 18:58 282624 C:\WINDOWS\sttray.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Usman\\Usman\\utorrent.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"C:\\Program Files\\GCC2U\\gccfone.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Prg\\PdfEditor\\PDFEdit.exe"=
"E:\\Usman\\Usman\\torrent.exe"=
"F:\\Prg\\Quake\\glquake.exe"=
"F:\\Prg\\Unreal Tournament\\System\\UnrealTournament.exe"=
"F:\\Prg\\Painkiller\\Bin\\Painkiller.exe"=
"C:\\Program Files\\VPN SIPLink\\SIPLink.exe"=
"C:\\Program Files\\VPN SIPLink\\vtc.exe"=
"C:\\Program Files\\TheIPWorld\\TheIPWorld.exe"=
"C:\\Program Files\\TheIPWorld\\vtc.exe"=
"C:\\Program Files\\DXBCalls\\DXBCalls.exe"=
"C:\\Program Files\\DXBCalls\\vtc.exe"=
"C:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Documents and Settings\\user1\\My Documents\\My Received Files\\New Folder\\utorrent.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\CallBuddy\\CallBuddy.exe"=
"C:\\Program Files\\Access Remote PC 4.9\\rpcsetup.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 09:32:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-14 9:35:33
ComboFix-quarantined-files.txt 2008-07-14 05:34:30
ComboFix2.txt 2008-07-13 06:14:39

Pre-Run: 21,418,819,584 bytes free
Post-Run: 21,416,132,608 bytes free

149




____________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:13 AM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{37BD7A9C-3740-4419-AA06-DC9F8B7520F5}: NameServer = 213.42.20.20,195.229.241.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 4894 bytes
__________________
www.BeautifulPakistan.com
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
14-Jul-2008, 07:03 AM #7
Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


How is everything running??
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
entity's Avatar
Member with 166 posts.
 
Join Date: Jul 2004
Experience: call me comp. worm
15-Jul-2008, 12:40 AM #8
Malwarebytes' Anti-Malware 1.20
Database version: 950
Windows 5.1.2600 Service Pack 2

7:34:31 AM 7/15/2008
mbam-log-7-15-2008 (07-34-31).txt

Scan type: Quick Scan
Objects scanned: 38860
Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_________________________________________

Hmm... okay, I think I need to rephrase a few words.
The PC is still slow. I mean, I have a 3.4GHz Intel processor but it takes ages to start the PC, like a PIII. When I copy anything on the hard drive or perform heavy work, the CPU Usage bar in Task Manager never goes above 54%; it always gets stuck there at 54%. I have 1GB RAM and 3.4GHz. Please tell me how much this CPU usage should be, and should it go above 54% if it's doing heavy work :O
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
15-Jul-2008, 12:49 AM #9
Go to Start ---> Run ---> Type chkdsk volume:/c

Note::
If one or more files are open you may receive the following error

Quote:
Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)
Select Y and your computer will restart and the disk will be checked at reboot.

Let me know if it finds any errors on the disk. For instance bad sectors.
entity's Avatar
Member with 166 posts.
 
Join Date: Jul 2004
Experience: call me comp. worm
15-Jul-2008, 08:03 AM #10
When I clicked to run this command, the command prompt window opened for 1 sec and then it just closed.
sjpritch25's Avatar
Computer Specs
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
16-Jul-2008, 06:38 AM #11
okay

go to Start---> Run ---> Type cmd. Windows command prompt will open.

Type chkdsk volume:/c followed by Enter. You may be asked to run the scan at boot up and select Y for yes.

Let me know if you are still having problems.
entity's Avatar
Member with 166 posts.
 
Join Date: Jul 2004
Experience: call me comp. worm
16-Jul-2008, 07:13 AM #12
It's saying "The drive, the path, or the filename is not valid".
I repeated the above points several times but the result remained the same.
entity's Avatar
Member with 166 posts.
 
Join Date: Jul 2004
Experience: call me comp. worm
16-Jul-2008, 07:39 PM #13
OK, I just figured out that I had to type chkdsk c:
I just typed it and it's running.
Will tell you if it finds bad sectors.

edit: so I was able to run chkdsk without any problems.

Last edited by entity; 17-Jul-2008 at 01:38 AM..
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.