Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Trojan - Please Check.


  • This topic is locked This topic is locked
21 replies to this topic

#1 hiralarious

hiralarious

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 02 March 2009 - 08:02 PM

I ran Avira today and it told me that it detected something called TR/Crypt.ULPM.gen and also something called TR/Crypt/XPACK.gen. I have been getting the latter for a few weeks and with this additional one I thought I may need something other than antivirus programs.
Here is my DDS log :


DDS (Ver_09-02-01.01) - NTFSx86
Run by Arshi Rizvi at 16:50:25.18 on Mon 03/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.245 [GMT -

8:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\DKabcoms.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application

Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application

Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application

Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\sG7s6c4a.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application

Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application

Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Arshi Rizvi\Desktop\dds.scr
C:\Documents and Settings\Arshi Rizvi\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}

&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program

files\askbardis\bar\bin\askBar.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} -

c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} -

c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} -

c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} -

c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1

\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program

files\askbardis\bar\bin\askBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program

files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DKab1err] c:\program files\dell\printer software\errorapp\DKab1err.exe
uRun: [Aim6]
uRun: [Google Update] "c:\documents and settings\arshi rizvi\local

settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5

\AdobeUpdater.exe
mRun: [ISUSScheduler] "c:\program files\common

files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -

startup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device

support\bin\AppleSyncNotifier.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe

/AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft

works\WkDetect.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
StartupFolder: c:\docume~1\arshir~1\startm~1\programs\startup\wkcalrem.lnk -

c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
IE: &Define - c:\program files\common files\microsoft shared\reference 2001

\a\ERS_DEF.HTM
IE: Look Up in &Encyclopedia - c:\program files\common files\microsoft

shared\reference 2001\a\ERS_ENC.HTM
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common

files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common

files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network

Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program

files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-

2FC0DE4A7897}
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -

hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader

5.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} -

hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!

\common\Yinsthelper.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -

hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} -

hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -

hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRIxyAr

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\arshir~1\applic~1

\mozilla\firefox\profiles\qtbpikt2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\arshi rizvi\local settings\application

data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312

\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys

[2008-11-28 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program

files\avira\antivir personaledition classic\sched.exe [2008-11-28 68865]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86

\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32

\drivers\LMIRfsDriver.sys [2008-7-21 47640]
R3 dkab_device;dkab_device;c:\windows\system32\dkabcoms.exe -service -->

c:\windows\system32\DKabcoms.exe -service [?]
RUnknown filar;filar; [x]
RUnknown filpp;filpp; [x]
RUnknown IMMDRV;IMMDRV; [x]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program

files\avira\antivir personaledition classic\avguard.exe [2008-11-28 151297]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition

classic\avgntflt.sys [2008-11-28 52032]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32

\drivers\mbamswissarmy.sys [2008-11-28 38496]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-03-02 07:08 31,232 a------- c:\windows\system32\uI4u3e1c.dll
2009-03-02 01:07 41,474 a------- C:\ARK76D.tmp
2009-03-02 01:07 0 a------- c:\windows\system32\sG7s6c4a.exe.a_a
2009-03-02 00:55 0 a------- c:\windows\system32\6r35G8cB.exe.a_a
2009-02-28 08:42 <DIR> --d----- c:\program files\a-squared Free
2009-02-28 08:35 <DIR> --d----- c:\docume~1\arshir~1\applic~1\FrostWire
2009-02-28 08:35 <DIR> --d----- c:\program files\FrostWire
2009-02-28 08:35 <DIR> --d----- c:\program files\AskBarDis
2009-02-28 08:22 <DIR> --d----- c:\program files\Autorun Eater
2009-02-28 08:06 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-24 15:48 <DIR> --d----- c:\program files\Filseclab
2009-02-24 15:48 <DIR> --d----- c:\program files\common files\Filseclab
2009-02-11 19:01 129 a------- c:\windows\system32\MRT.INI
2009-02-10 16:00 2,648 a------- c:\windows\system32\tmp.reg
2009-02-10 15:59 289,144 a------- c:\windows\system32\VCCLSID.exe
2009-02-10 15:59 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-02-10 15:59 135,168 a------- c:\windows\system32\swreg.exe
2009-02-10 15:59 87,552 a------- c:\windows\system32\VACFix.exe
2009-02-10 15:59 82,944 a------- c:\windows\system32\IEDFix.C.exe
2009-02-10 15:59 82,432 a------- c:\windows\system32\404Fix.exe
2009-02-10 15:59 80,384 a------- c:\windows\system32\o4Patch.exe
2009-02-10 15:59 79,360 a------- c:\windows\system32\swxcacls.exe
2009-02-10 15:59 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-02-10 15:59 53,248 a------- c:\windows\system32\Process.exe
2009-02-10 15:59 51,200 a------- c:\windows\system32\dumphive.exe
2009-02-10 15:59 25,600 a------- c:\windows\system32\WS2Fix.exe
2009-02-02 19:19 <DIR> --d----- c:\program files\directx

==================== Find3M ====================

2009-03-01 04:07 8,722 a------- c:\docume~1\arshir~1\applic~1

\wklnhst.dat
2009-01-26 00:55 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-01-16 21:35 3,594,752 a------- c:\windows\system32

\dllcache\mshtml.dll
2008-12-30 00:50 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 01:10 70,656 -------- c:\windows\system32

\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32

\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32

\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-04-14 10:36 60,968 a------- c:\documents and settings\arshi

rizvi\GoToAssistDownloadHelper.exe
2008-08-24 09:47 32,768 a--sh--- c:\windows\system32

\config\systemprofile\local settings\history\history.ie5

\mshist012008082420080825\index.dat

============= FINISH: 16:50:54.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:25 PM

Posted 16 March 2009 - 10:30 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 hiralarious

hiralarious
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 16 March 2009 - 07:21 PM

Another note : I set Avira to run everyday(or night...I can't remember anymore) but since I've last posted here it usually finds at least one trojan every time.
And I have't started a new thread on any other site(:



Logfile of random's system information tool 1.05 (written by random/random)
Run by Arshi Rizvi at 2009-03-16 17:14:08
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 121 GB (80%) free of 153 GB
Total RAM: 1013 MB (12% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:14:10, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Arshi Rizvi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DKab1err] C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [dizekobiyi] Rundll32.exe "C:\WINDOWS\system32\gahamito.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dizekobiyi] Rundll32.exe "C:\WINDOWS\system32\gahamito.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [dizekobiyi] Rundll32.exe "C:\WINDOWS\system32\gahamito.dll",s (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [84624232] rundll32.exe "C:\WINDOWS\system32\yihoriba.dll",b (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Arshi')
O4 - HKUS\S-1-5-18\..\Run: [dizekobiyi] Rundll32.exe "C:\WINDOWS\system32\gahamito.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [dizekobiyi] Rundll32.exe "C:\WINDOWS\system32\gahamito.dll",s (User 'Default user')
O4 - S-1-5-21-2278144967-4093246320-3965011656-1008 Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Asra')
O4 - S-1-5-21-2278144967-4093246320-3965011656-1008 User Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Asra')
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: zbotub.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10962 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2278144967-4093246320-3965011656-1006.job
C:\WINDOWS\tasks\zxnxgpof.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-09-08 279944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-02-20 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-14 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-14 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-09-08 279944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"ISUSPM Startup"=c:\progra~1\common~1\instal~1\update~1\isuspm.exe [2004-07-27 221184]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-03-06 177472]
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe [2006-06-04 749568]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe [2000-08-08 28739]
"%PROVIDERID%"=bin\sprtcmd.exe /P []
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-14 148888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"DKab1err"=C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe [2006-10-21 521112]
"Aim6"= []
"Google Update"=C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-31 133104]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
C:\WINDOWS\ALCMTR.EXE [2007-06-13 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2007-07-11 198704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
c:\dell\dsca.exe 3 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2007-06-13 162584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2007-06-13 142104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe [2007-06-13 138008]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2006-08-17 1116920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2007-06-13 16132608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-03-14 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-03-14 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
C:\PROGRA~1\Google\GOOGLE~1\GOOGLE~1.EXE [2009-02-20 161776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Arshi Rizvi^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2
"SPBBCSvc"=2
"SNDSrvc"=2
"SAVScan"=3
"NSCService"=3
"navapsvc"=3
"LiveUpdate"=3
"comHost"=3
"ccSetMgr"=2
"ccProxy"=2
"ccISPwdSvc"=3
"ccEvtMgr"=2
"Automatic LiveUpdate Scheduler"=2

C:\Documents and Settings\Arshi Rizvi\Start Menu\Programs\Startup
WKCALREM.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" zbotub.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-13 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2008-10-16 87352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\rqRIxyAr

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\zayezeru.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\viyivifa.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\vipukeyu.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\veteduhu.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\vejasoso.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\sinukavo.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\rihafebu.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\mazihihe.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\lirufuro.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\janorazi.dll
2080-03-29 09:10:30 ----D---- C:\WINDOWS\WBEM
2080-03-29 09:10:29 ----D---- C:\WINDOWS\system32\en-US
2080-03-29 09:09:24 ----HDC---- C:\WINDOWS\ie7
2080-03-29 09:09:11 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2080-03-29 09:08:49 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2080-03-29 09:07:58 ----A---- C:\WINDOWS\system32\xmllite.dll
2080-03-29 09:04:27 ----D---- C:\4740f2d249a85333775053adacfe77b0
2009-03-16 17:14:08 ----D---- C:\rsit
2009-03-16 16:42:22 ----D---- C:\Program Files\iPod
2009-03-16 16:42:00 ----D---- C:\Program Files\iTunes
2009-03-16 16:42:00 ----D---- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 16:39:22 ----D---- C:\Program Files\QuickTime
2009-03-16 16:37:30 ----D---- C:\WINDOWS\LastGood
2009-03-14 21:11:13 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-03-14 18:26:05 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-14 18:26:05 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-14 18:26:05 ----A---- C:\WINDOWS\system32\java.exe
2009-03-08 14:15:47 ----D---- C:\VundoFix Backups
2009-03-06 17:05:26 ----D---- C:\Program Files\Common Files\PC Tools
2009-03-06 17:05:15 ----D---- C:\Program Files\Spyware Doctor
2009-03-05 20:58:53 ----ASH---- C:\WINDOWS\system32\tlwazw.dll
2009-03-05 08:58:30 ----ASH---- C:\WINDOWS\system32\fqdwwd.dll
2009-03-04 20:58:46 ----ASH---- C:\WINDOWS\system32\nzkudc.dll
2009-03-04 07:57:25 ----ASH---- C:\WINDOWS\system32\isehed.dll
2009-03-03 19:57:28 ----SH---- C:\WINDOWS\system32\ategizid.ini
2009-03-03 19:57:27 ----ASH---- C:\WINDOWS\system32\tsjoii.dll
2009-03-01 02:27:54 ----SHD---- C:\Config.Msi
2009-02-28 09:42:35 ----D---- C:\Program Files\a-squared Free
2009-02-28 09:35:40 ----D---- C:\Documents and Settings\Arshi Rizvi\Application Data\FrostWire
2009-02-28 09:35:23 ----D---- C:\Program Files\FrostWire
2009-02-28 09:35:23 ----D---- C:\Program Files\AskBarDis
2009-02-28 09:22:47 ----D---- C:\Program Files\Autorun Eater
2009-02-24 23:59:06 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-24 16:48:11 ----D---- C:\Program Files\Filseclab
2009-02-24 16:48:11 ----D---- C:\Program Files\Common Files\Filseclab

======List of files/folders modified in the last 1 months======

2080-03-29 09:10:24 ----D---- C:\WINDOWS\Media
2009-03-16 17:13:58 ----D---- C:\WINDOWS\Prefetch
2009-03-16 16:43:19 ----SHD---- C:\WINDOWS\Installer
2009-03-16 16:42:45 ----D---- C:\WINDOWS\Temp
2009-03-16 16:42:42 ----D---- C:\WINDOWS\system32\drivers
2009-03-16 16:42:42 ----D---- C:\WINDOWS\system32
2009-03-16 16:42:41 ----HD---- C:\WINDOWS\inf
2009-03-16 16:42:40 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-03-16 16:42:22 ----D---- C:\Program Files
2009-03-16 16:42:21 ----D---- C:\Program Files\Common Files\Apple
2009-03-16 16:37:30 ----D---- C:\WINDOWS
2009-03-16 16:20:18 ----D---- C:\Program Files\Mozilla Firefox
2009-03-16 14:42:10 ----SD---- C:\WINDOWS\Tasks
2009-03-16 07:29:58 ----D---- C:\Documents and Settings\Arshi Rizvi\Application Data\U3
2009-03-16 07:28:18 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-03-16 04:00:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-15 16:48:31 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-14 21:11:28 ----D---- C:\Program Files\Adobe
2009-03-14 21:11:16 ----D---- C:\Documents and Settings\Arshi Rizvi\Application Data\Adobe
2009-03-14 21:11:16 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-14 21:11:13 ----D---- C:\Program Files\Common Files
2009-03-14 21:10:32 ----D---- C:\Program Files\Common Files\Adobe
2009-03-14 18:25:51 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-14 18:25:49 ----D---- C:\Program Files\Java
2009-03-14 14:43:30 ----A---- C:\WINDOWS\ntbtlog.txt
2009-03-14 13:32:21 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-11 02:17:10 ----D---- C:\Program Files\LogMeIn
2009-03-08 13:41:59 ----D---- C:\WINDOWS\network diagnostic
2009-03-06 17:45:37 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-28 10:18:57 ----D---- C:\Documents and Settings\Arshi Rizvi\Application Data\LimeWire
2009-02-28 09:32:52 ----D---- C:\Program Files\LimeWire
2009-02-28 09:03:06 ----HD---- C:\Program Files\InstallShield Installation Information
2009-02-24 23:59:09 ----SHD---- C:\WINDOWS\system32\dllcache
2009-02-24 23:18:31 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-11-28 75072]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2006-08-11 12920]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2006-08-11 51768]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 npkcrypt;npkcrypt; \??\C:\Nexon\MapleStory\npkcrypt.sys []
R2 Packet;Auto Internet Protocol; C:\WINDOWS\system32\DRIVERS\packet.sys [2006-12-18 12672]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-06-26 254872]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-01-15 23848]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-13 5760096]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-13 4403712]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-07-24 10144]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ARSHIR~1\LOCALS~1\Temp\catchme.sys []
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 npkcusb;npkcusb; \??\C:\Nexon\MapleStory\npkcusb.sys []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 a2free;a-squared Free Service; C:\Program Files\a-squared Free\a2service.exe [2009-02-25 425080]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 hnmsvc;Advanced Networking Service; C:\Program Files\Dell Network Assistant\hnm_svc.exe [2007-05-25 112176]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-14 152984]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-07-11 202800]
R3 dkab_device;dkab_device; C:\WINDOWS\system32\DKabcoms.exe [2006-10-21 508824]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-20 182768]
S2 npkcmsvc;npkcmsvc; C:\Nexon\MapleStory\npkcmsvc.exe []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-07-18 72704]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-19 70656]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-16 116032]
S4 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-07-24 63040]

-----------------EOF-----------------

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:25 PM

Posted 17 March 2009 - 05:54 PM

Please download ComboFix.
Alternate Link 1
Alternate Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Double click on ComboFix and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware.
    Click 'No' to exit.

  • Click Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  • ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
  • ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post:
  • C:\ComboFix.txt (the log from ComboFix)
  • a new HijackThis log

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 hiralarious

hiralarious
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 17 March 2009 - 07:06 PM

ComboFix :
ComboFix 09-03-15.01 - Arshi Rizvi 2009-03-17 16:53:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.272 [GMT -7:00]
Running from: c:\documents and settings\Arshi Rizvi\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\ategizid.ini
c:\windows\system32\dumphive.exe
c:\windows\system32\fqdwwd.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\isehed.dll
c:\windows\system32\janorazi.dll
c:\windows\system32\lirufuro.dll
c:\windows\system32\nzkudc.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tlwazw.dll
c:\windows\system32\tmp.reg
c:\windows\system32\tsjoii.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vejasoso.dll
c:\windows\system32\vipukeyu.dll
c:\windows\system32\viyivifa.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://www.graboid.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2080-03-29 10:00 . 2080-03-29 10:00 268 --ah----- C:\sqmdata05.sqm
2080-03-29 10:00 . 2080-03-29 10:00 244 --ah----- C:\sqmnoopt05.sqm
2080-03-29 09:04 . 2080-03-29 09:04 <DIR> d-------- C:\4740f2d249a85333775053adacfe77b0
2080-03-28 22:00 . 2080-03-28 22:00 268 --ah----- C:\sqmdata04.sqm
2080-03-28 22:00 . 2080-03-28 22:00 244 --ah----- C:\sqmnoopt04.sqm
2080-03-28 13:09 . 2080-03-28 13:09 268 --ah----- C:\sqmdata03.sqm
2080-03-28 13:09 . 2080-03-28 13:09 244 --ah----- C:\sqmnoopt03.sqm
2080-03-28 10:25 . 2080-03-28 10:25 268 --ah----- C:\sqmdata02.sqm
2080-03-28 10:25 . 2080-03-28 10:25 244 --ah----- C:\sqmnoopt02.sqm
2009-03-16 17:14 . 2009-03-16 17:14 <DIR> d-------- C:\rsit
2009-03-16 16:42 . 2009-03-16 16:42 <DIR> d-------- c:\program files\iTunes
2009-03-16 16:42 . 2009-03-16 16:42 <DIR> d-------- c:\program files\iPod
2009-03-16 16:42 . 2009-03-16 16:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 16:39 . 2009-03-16 16:39 <DIR> d-------- c:\program files\QuickTime
2009-03-15 13:39 . 2009-03-15 13:39 <DIR> d-------- c:\documents and settings\Arshi\Application Data\acccore
2009-03-14 21:11 . 2009-03-14 21:11 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-14 18:26 . 2009-03-14 18:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-14 13:44 . 2009-03-14 13:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\acccore
2009-03-08 14:15 . 2009-03-08 14:15 <DIR> d-------- C:\VundoFix Backups
2009-03-08 13:57 . 2009-03-08 13:57 <DIR> d-------- c:\documents and settings\Arshi\Application Data\Malwarebytes
2009-03-06 17:05 . 2009-03-06 17:45 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-06 17:05 . 2009-03-06 17:45 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-28 09:42 . 2009-02-28 09:51 <DIR> d-------- c:\program files\a-squared Free
2009-02-28 09:35 . 2009-03-13 18:48 <DIR> d-------- c:\program files\FrostWire
2009-02-28 09:35 . 2009-02-28 09:35 <DIR> d-------- c:\program files\AskBarDis
2009-02-28 09:35 . 2009-03-13 23:21 <DIR> d-------- c:\documents and settings\Arshi Rizvi\Application Data\FrostWire
2009-02-28 09:22 . 2009-03-06 17:38 <DIR> d-------- c:\program files\Autorun Eater
2009-02-24 16:48 . 2009-02-24 16:48 <DIR> d-------- c:\program files\Filseclab
2009-02-24 16:48 . 2009-02-28 09:03 <DIR> d-------- c:\program files\Common Files\Filseclab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-16 23:42 --------- d-----w c:\program files\Common Files\Apple
2009-03-16 21:48 292 ----a-w c:\documents and settings\Asra\Application Data\wklnhst.dat
2009-03-16 14:29 --------- d-----w c:\documents and settings\Arshi Rizvi\Application Data\U3
2009-03-16 05:59 9,340 ----a-w c:\documents and settings\Arshi Rizvi\Application Data\wklnhst.dat
2009-03-15 04:10 --------- d-----w c:\program files\Common Files\Adobe
2009-03-15 01:25 --------- d-----w c:\program files\Java
2009-03-11 09:17 --------- d-----w c:\program files\LogMeIn
2009-03-07 00:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-28 17:18 --------- d-----w c:\documents and settings\Arshi Rizvi\Application Data\LimeWire
2009-02-28 16:32 --------- d-----w c:\program files\LimeWire
2009-02-28 16:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-16 03:08 --------- d-----w c:\documents and settings\Arshi Rizvi\Application Data\IGN_DLM
2009-02-11 00:37 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-11 00:00 --------- d-----w c:\program files\Google
2009-02-08 04:20 --------- d-----w c:\documents and settings\Asra\Application Data\Malwarebytes
2009-02-08 02:00 --------- d-----w c:\documents and settings\Asra\Application Data\Yahoo!
2009-02-03 03:19 --------- d-----w c:\program files\directx
2009-01-30 00:29 --------- d-----w c:\documents and settings\Asra\Application Data\Move Networks
2009-01-29 21:22 --------- d-----w c:\documents and settings\Asra\Application Data\acccore
2009-01-26 23:39 --------- d-----w c:\documents and settings\Asra\Application Data\Template
2009-01-26 09:33 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-26 09:33 --------- d-----w c:\documents and settings\Arshi Rizvi\Application Data\SUPERAntiSpyware.com
2008-04-14 18:36 60,968 ----a-w c:\documents and settings\Arshi Rizvi\GoToAssistDownloadHelper.exe
1601-01-01 00:12 11,264 --sha-w c:\windows\system32\rihafebu.dll
2008-08-24 17:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-08 23:08 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DKab1err"="c:\program files\Dell\Printer Software\ErrorApp\DKab1err.exe" [2006-10-21 521112]
"Google Update"="c:\documents and settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2006-06-04 749568]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

c:\documents and settings\Arshi Rizvi\Start Menu\Programs\Startup\
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2006-06-04 21504]

c:\documents and settings\Asra\Start Menu\Programs\Startup\
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2006-06-04 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 21:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= zbotub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Arshi Rizvi^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Arshi Rizvi\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-06-12 15:28 266497 c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 10:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-07-11 06:15 198704 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-06-13 18:21 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-06-13 18:21 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 14:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2008-07-24 19:46 63048 c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 15:23 118784 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-06-13 18:21 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 07:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 11:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-14 12:58 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2007-06-13 19:41 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-06-13 19:41 16132608 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-21 47640]
R3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-03-17 c:\windows\Tasks\At1.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At10.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At11.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At12.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At13.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At14.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At15.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At16.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At17.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At18.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At19.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At2.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At20.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At21.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At22.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At23.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At24.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At25.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At26.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At27.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At28.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At29.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At3.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At30.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At31.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At32.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At33.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At34.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At35.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At36.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At37.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At38.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At39.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At4.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At40.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At41.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At42.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At43.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At44.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At45.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At46.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At47.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At48.job
- c:\windows\system32\sG7s6c4a.exe []

2009-03-17 c:\windows\Tasks\At5.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At6.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At7.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At8.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\At9.job
- c:\windows\system32\6r35G8cB.exe []

2009-03-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-20 18:25]

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2278144967-4093246320-3965011656-1006.job
- c:\documents and settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-31 23:02]

2009-03-17 c:\windows\Tasks\zxnxgpof.job
- c:\windows\system32\nnnmlIxW.dll []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-%PROVIDERID% - bin\sprtcmd.exe
HKU-Default-Run-dizekobiyi - c:\windows\system32\gahamito.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-dscactivate - c:\dell\dsca.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
FF - ProfilePath - c:\documents and settings\Arshi Rizvi\Application Data\Mozilla\Firefox\Profiles\qtbpikt2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 16:57:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\DKabcoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-17 17:00:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-18 00:00:29

Pre-Run: 128,311,767,040 bytes free
Post-Run: 129,562,808,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

393 --- E O F --- 2009-02-25 06:59:13

HJT( I hope you don't mind.. I just used the actual one since I have that sitting on my comp and it was easier to find XD )
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03:10, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DKab1err] C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: zbotub.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9028 bytes


NOTE : Sorry I didn't post this before but sometimes my internet also randomly stops working... and then after a few moments I look at my DSL box and see it turn on and off. I don't really mind, but in case it actually means anything.. then.... now you know :D

#6 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:25 PM

Posted 18 March 2009 - 09:41 AM

Step 1

askBar.dll (Ask Toolbar) process can be removed to free up resources without compromising system performance. http://vil.nai.com/vil/content/v_146646.htm

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

It is advised that you uninstall this program to protect your privacy and computer security and to free up necessary resources. To uninstall the AskToolbar.
  • Click Start > Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Ask Toolbar , click Remove.
  • Close the Add or Remove Programs and the Control Panel windows.
  • Using Windows Explorer (Windows key+e), search for the Ask Toolbar folder. If the program folder is still there, select/highlight the Ask Toolbar folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
  • Close Windows Explorer.
There is a Video showing how to uninstall a program (Grinler) detailing how to add or remove program in Windows for those who find a visual aid appealing.Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

Step 2
  • Please download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to C:\SDFix.
  • Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • When your computer restarts, the Fixtool will run again to complete the removal process.
  • When Finished is displayed, press any key to end the script and load your desktop icons.
  • After the desktop icons load, the SDFix report will open on screen and save into the SDFix folder as Report.txt. Report.txt will also be copied to Clipboard.
  • Paste the contents of the Report.txt with a new HijackThis log in your next reply.
  • If needed, see SDFix ReadMe.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#7 hiralarious

hiralarious
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 18 March 2009 - 06:55 PM

I just finished the first step but I ran into some problems. I deleted the program from the add/delete programs in control panel but when I tried doing Windows Explorer part it kept saying 'Cannot delete askba.dll: access is denied. Make sure teh disk is not full or write-protected and that the file is not currently in use'
Also, I could not find those HJT items.

I'll post again when I do the second stop..in about 15 minutes or so.

#8 hiralarious

hiralarious
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 18 March 2009 - 07:29 PM

Here's my report :

SDFix: Version 1.240
Run by Arshi Rizvi on Wed 03/18/2009 at 17:11

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 17:17:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Wed 4 Mar 2009 84,992 A.SH. --- "C:\WINDOWS\system32\mazihihe.dll"
--- 11,264 A.SH. --- "C:\WINDOWS\system32\rihafebu.dll"
Thu 5 Mar 2009 84,992 A.SH. --- "C:\WINDOWS\system32\sinukavo.dll"
Wed 4 Mar 2009 84,992 A.SH. --- "C:\WINDOWS\system32\veteduhu.dll"
Thu 5 Mar 2009 84,992 A.SH. --- "C:\WINDOWS\system32\zayezeru.dll"
Mon 25 Feb 2008 3,489,792 A..H. --- "C:\Documents and Settings\Arshi Rizvi\Application Data\U3\temp\Launchpad Removal.exe"
Fri 4 Jul 2008 17,516 ...H. --- "C:\Documents and Settings\All Users\Application Data\Launcher\Launcher\1.0.0.0\BITCA5.tmp"
Sat 15 Mar 2008 8 A..H. --- "C:\Documents and Settings\Arshi Rizvi\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 15 Mar 2008 8 A..H. --- "C:\Documents and Settings\Arshi Rizvi\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 15 Mar 2008 8 A..H. --- "C:\Documents and Settings\Arshi Rizvi\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 15 Mar 2008 8 A..H. --- "C:\Documents and Settings\Arshi Rizvi\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 17 Jul 2008 8 A..H. --- "C:\Documents and Settings\Asra\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 17 Jul 2008 8 A..H. --- "C:\Documents and Settings\Asra\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 17 Jul 2008 8 A..H. --- "C:\Documents and Settings\Asra\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 17 Jul 2008 8 A..H. --- "C:\Documents and Settings\Asra\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

HJT :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:19, on 3/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DKab1err] C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: zbotub.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8738 bytes

#9 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:25 PM

Posted 19 March 2009 - 06:33 AM

  • Download and save SmitFraudFix to your desktop.
  • Boot into Safe Mode safely (without networking support !) [list]
  • If your computer is running, shut down Windows, then turn the power off.
  • Wait 30 seconds, then turn the computer on, and begin tapping the F8 key (if this doesn't work try the F5 key).
  • The Windows Advanced Options Menu appears.
  • Select Safe Mode using the up/down arrow keys.
  • Click Enter.
  • Log on with an account with administrator privileges, usually your own account (NOT the account named Administrator).
  • If you cannot boot into safe mode using this method, it is important that you let me know.
    Do not attempt to boot into Safe Mode using MSCONFIG
    If you do so, you may be unable to boot your computer or your computer may enter a "Safe Mode Boot Loop".
  • An infected computer is not stable. By using the /SAFEBOOT option in MSCONFIG, you are altering your Boot.ini file to make it boot ONLY in Safe Mode. If your computer fails to boot into Safe Mode, as it may well do, then you will be left in a position where your computer will not boot at all or your computer will enter a Safe Mode Boot Loop.
  • Because your Safe Mode Registry Entries have been damaged by your computer infection, your computer cannot boot into Safe Mode or is in a Safe Mode Boot Loop. You cannot boot to Normal Mode (because of the alterations you made to your Boot.ini file), so now you are left with a computer that will not boot into Safe Mode or Normal Mode or will be in a Safe Mode Boot Loop. This is not a situation you want to be in.
  • Do not use the BOOTSAFE option in Super Anti-Spyware or use BOOTSAFE by SUPERAdBlocker. Both of these do the same thing as MSCONFIG.
    If F8/F5 doesn't work, TELL ME!
  • There are tools we can use to repair your faulty Safe Mode condition, but these can only be used so long as you are able to boot your computer.
[*] When the desktop appears, double click on the SmitfraudFix.exe on your desktop.
[*] After the credits screen, you will see a menu. Select the option number 2, which is ‘Clean (safe mode recommended)’, and then press Enter to delete infect files.
[*] SmitFraudFix will begin cleaning your computer and take a series of cleanup processes. When the process is over, it will automatically begin the Disk Cleanup program.
[*] After the program is complete, you will be prompted with the message Registry cleaning - Do you want to clean the registry. Answer Y (Yes) and hit Enter.
[*] Reboot your computer.
[*] SmitFraudFix will now check if wininet.dll is infected. SmitFraudFix will ask you whether to replace the infected file (if there is any) Replace infected file? Answer by typing Y (Yes) and hit Enter.
[*] Reboot your computer to complete the cleaning process.
[*] After reboot, a Notepad screen may appear containing a log of all the files removed from your computer. If it does not appear, a file will be created called rapport.txt in the root of your drive, (Local Disk C:).
[*] Restart your computer in Safe Mode (See Step 2).
[*] Go to C:\Windows\Temp, click Edit, click Select All, press DELETE, and then click Yes to confirm that you want all the items to go to the Recycle Bin.
[*] Go to C:\Documents and Settings\
  • \Local Settings\Temp, click Edit, click Select All, press DELETE, and then click Yes to confirm that you want all the items to go to the Recycle Bin.
  • Reboot your computer back to Normal Mode. Go to Windows Update and download all critical updates.
Please post the log from SmitFraudFix (rapport.txt) and a new HijackThis log.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#10 hiralarious

hiralarious
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 21 March 2009 - 05:07 PM

I don't think SmitFraud did step 8. Also, the log came while I was still in safemode. I was unable to do step 12 as well, but I did do 13.
Oh, also I think SmitFraud deleted my Microsoft Works or something.. is it possible that I can get it back? I have a lot of stuff on Work files that I can no longer view because of that.
I just came home and Avira was running. It found Vundo, Spy.Agent, and Monder. Here are my logs from HJT and SmitFraud.
SmitFraudFix v2.405

Scan done at 16:23:53.04, Thu 03/19/2009
Run from C:\Documents and Settings\Arshi Rizvi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CF7C9641-94BA-4890-AE3F-DA585396808F}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CF7C9641-94BA-4890-AE3F-DA585396808F}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CF7C9641-94BA-4890-AE3F-DA585396808F}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

HJT :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:06:28, on 3/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DKab1err] C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [dizekobiyi] Rundll32.exe "C:\WINDOWS\system32\gahamito.dll",s (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1008\..\Run: [84624232] rundll32.exe "C:\WINDOWS\system32\yihoriba.dll",b (User 'Asra')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Arshi')
O4 - S-1-5-21-2278144967-4093246320-3965011656-1008 Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Asra')
O4 - S-1-5-21-2278144967-4093246320-3965011656-1008 User Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Asra')
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: zbotub.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10227 bytes

#11 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:25 PM

Posted 23 March 2009 - 10:49 AM

Step 1
  • Please download Smitrem to your desktop.
  • Double-click on the SmitRem.exe file on your desktop.
  • Install the files to a SmitRem folder on your desktop, then restart the computer in Safe Mode to ensure files will be removed properly.
  • Double-click on the SmitRem folder on your desktop and then double-click on RunThis.bat to start the procedure.
  • Read through and follow the instructions on each screen, pressing the space bar to proceed.
  • Press any key to see the next screen.
  • SmitRem will remove temporary files as well, press any key to proceed.
  • Close All Windows and press any key.
    • It will run a Spyaxe removal procedure when you press any key to continue
    • It will try to detect WinHound when you press any key.
    • It will try to remove SpywareStrike when you continue.
    • It will cleanup any other bad files it has in its database.
    • It will run the Disk Cleanup Wizard to remove temporary files.
  • SmitRem is now finished with its cleanup, restart your computer in Normal Mode or continue with any other spyware/adware removal procedures in Safe Mode and then Restart.
Step 2

Please download a-squared Free.
  • Follow all the instructions given by the installer.
  • Once installed, the a-squared Updater will automatically start. Downloading updates will take some time.
  • Please go to Start > Programs > a-squared Free and click a-squared StartCenter.
  • Click Scan your computer for malware infections.
  • Make sure all three setting options are checked. Click Scan selected folders. The scan will start.
  • Click Save HTML-Report. Save the report to somewhere convenient for you to remember the location such as your desktop.
  • If malware is found, click the button Remove Selected Malware.
  • Please post the log from a-squared Free and a new HijackThis log.
To continue to use a-squared Free, you will need to use the a-squared Updator to manually update the program. Click Security Status > Update Now. The a-squared Free program contains only the basic scanner. Background Guard, Automatic Updates, Scheduled Scans and HiJackFree are only available with the a-squared Anti-Malware ("pay for use") software.

Step 3

Please post a new HijackThis log.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#12 hiralarious

hiralarious
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 27 March 2009 - 11:23 PM

Sorry it's taken me so long to reply.. I've been too busy lately. D:

Anyway, I'm doing step 2 right now.. but I just wanted to let you know that I did still need your help... I'll try posting the logs in a few hrs. :]

Sorry it's taken me so long to reply.. I've been too busy lately. D:

Anyway, I'm doing step 2 right now.. but I just wanted to let you know that I did still need your help... I'll try posting the logs in a few hrs. :]

#13 hiralarious

hiralarious
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 28 March 2009 - 12:25 PM

a_squared :
a-squared Free - Version 4.0
Last update: 3/27/2009 8:25:39 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 3/27/2009 8:33:26 PM

Key: HKEY_USERS\S-1-5-21-2278144967-4093246320-3965011656-1006\software\kazaa detected: Trace.Registry.KaZaA!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@247realmedia[1].txt detected: Trace.TrackingCookie.247realmedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@2o7[2].txt detected: Trace.TrackingCookie.2o7!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@adserver.71i[2].txt detected: Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@adserver.adtechus[1].txt detected: Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@advertising[1].txt detected: Trace.TrackingCookie.advertising!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@clickbank[1].txt detected: Trace.TrackingCookie.clickbank!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@hitbox[2].txt detected: Trace.TrackingCookie.hitbox!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@media6degrees[1].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@mediaplex[1].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@realmedia[1].txt detected: Trace.TrackingCookie.realmedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@rubiconproject[1].txt detected: Trace.TrackingCookie.rub!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@statse.webtrendslive[2].txt detected: Trace.TrackingCookie.statse.webtrendslive!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@trafficmp[2].txt detected: Trace.TrackingCookie.trafficmp!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@247realmedia[2].txt detected: Trace.TrackingCookie.247realmedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@atdmt[2].txt detected: Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@bs.serving-sys[1].txt detected: Trace.TrackingCookie.bs.serving-sys!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@burstnet[2].txt detected: Trace.TrackingCookie.burstnet!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@casalemedia[2].txt detected: Trace.TrackingCookie.casalemedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@doubleclick[1].txt detected: Trace.TrackingCookie.doubleclick!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@fastclick[1].txt detected: Trace.TrackingCookie.fastclick!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@media6degrees[2].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@mediaplex[1].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@questionmarket[1].txt detected: Trace.TrackingCookie.questionmarket!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@realmedia[1].txt detected: Trace.TrackingCookie.realmedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@rubiconproject[2].txt detected: Trace.TrackingCookie.rub!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@serving-sys[1].txt detected: Trace.TrackingCookie.serving-sys!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@specificclick[2].txt detected: Trace.TrackingCookie.specificclick!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@statcounter[1].txt detected: Trace.TrackingCookie.statcounter!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@trafficmp[2].txt detected: Trace.TrackingCookie.trafficmp!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@tribalfusion[1].txt detected: Trace.TrackingCookie.tribalfusion!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@zedo[1].txt detected: Trace.TrackingCookie.zedo!A2
C:\Documents and Settings\Arshi Rizvi\Application Data\Mozilla\Firefox\Profiles\qtbpikt2.default\cookies.sqlite:1237612236781250 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Arshi Rizvi\Desktop\Scanning Programs\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f!A2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP62\A0006735.dll detected: Trojan.Win32.Monderb!IK
C:\WINDOWS\system32\zayezeru.dll detected: Trojan.Win32.Conhook!IK

Scanned

Files: 184338
Traces: 679302
Cookies: 900
Processes: 43

Found

Files: 3
Traces: 1
Cookies: 36
Processes: 0
Registry keys: 0

Scan end: 3/27/2009 9:42:30 PM
Scan time: 1:09:04

C:\WINDOWS\system32\zayezeru.dll Deleted Trojan.Win32.Conhook!IK
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP62\A0006735.dll Deleted Trojan.Win32.Monderb!IK
C:\Documents and Settings\Arshi Rizvi\Desktop\Scanning Programs\SmitfraudFix\Reboot.exe Deleted Riskware.RiskTool.Win32.Reboot.f!A2
C:\Documents and Settings\Arshi Rizvi\Application Data\Mozilla\Firefox\Profiles\qtbpikt2.default\cookies.sqlite:1237612236781250 Deleted Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@zedo[1].txt Deleted Trace.TrackingCookie.zedo!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@tribalfusion[1].txt Deleted Trace.TrackingCookie.tribalfusion!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@statcounter[1].txt Deleted Trace.TrackingCookie.statcounter!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@specificclick[2].txt Deleted Trace.TrackingCookie.specificclick!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@serving-sys[1].txt Deleted Trace.TrackingCookie.serving-sys!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@questionmarket[1].txt Deleted Trace.TrackingCookie.questionmarket!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@fastclick[1].txt Deleted Trace.TrackingCookie.fastclick!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@doubleclick[1].txt Deleted Trace.TrackingCookie.doubleclick!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@casalemedia[2].txt Deleted Trace.TrackingCookie.casalemedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@burstnet[2].txt Deleted Trace.TrackingCookie.burstnet!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@bs.serving-sys[1].txt Deleted Trace.TrackingCookie.bs.serving-sys!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@atdmt[2].txt Deleted Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@trafficmp[2].txt Deleted Trace.TrackingCookie.trafficmp!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@trafficmp[2].txt Deleted Trace.TrackingCookie.trafficmp!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@statse.webtrendslive[2].txt Deleted Trace.TrackingCookie.statse.webtrendslive!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@rubiconproject[1].txt Deleted Trace.TrackingCookie.rub!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@rubiconproject[2].txt Deleted Trace.TrackingCookie.rub!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@realmedia[1].txt Deleted Trace.TrackingCookie.realmedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@realmedia[1].txt Deleted Trace.TrackingCookie.realmedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@media6degrees[1].txt Deleted Trace.TrackingCookie.media!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@mediaplex[1].txt Deleted Trace.TrackingCookie.media!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@media6degrees[2].txt Deleted Trace.TrackingCookie.media!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@mediaplex[1].txt Deleted Trace.TrackingCookie.media!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@hitbox[2].txt Deleted Trace.TrackingCookie.hitbox!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@clickbank[1].txt Deleted Trace.TrackingCookie.clickbank!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@advertising[1].txt Deleted Trace.TrackingCookie.advertising!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@adserver.71i[2].txt Deleted Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@adserver.adtechus[1].txt Deleted Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@2o7[2].txt Deleted Trace.TrackingCookie.2o7!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\arshi_rizvi@247realmedia[1].txt Deleted Trace.TrackingCookie.247realmedia!A2
C:\Documents and Settings\Arshi Rizvi\Cookies\system@247realmedia[2].txt Deleted Trace.TrackingCookie.247realmedia!A2
Key: HKEY_USERS\S-1-5-21-2278144967-4093246320-3965011656-1006\software\kazaa Deleted Trace.Registry.KaZaA!A2

Deleted

Files: 3
Traces: 1
Cookies: 32

HJT :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:16, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\A-SQUARED FREE\A2FREE.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\winlogon.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DKab1err] C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Arshi')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1011\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Arshi')
O4 - HKUS\S-1-5-21-2278144967-4093246320-3965011656-1011\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Arshi')
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: zbotub.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9732 bytes

#14 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:25 PM

Posted 28 March 2009 - 03:46 PM

Malwarebytes' Anti-Malware is FREEWARE, however you may upgrade to the PRO version which contains realtime protection, scheduled scanning and updating.
  • Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing scan. If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  • Double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the Perform Quick Scan option is selected.
  • Click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully.
  • At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Please post a new HijackThis log.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#15 hiralarious

hiralarious
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 28 March 2009 - 05:25 PM

Malwarebytes :

Malwarebytes' Anti-Malware 1.35
Database version: 1911
Windows 5.1.2600 Service Pack 3

3/28/2009 3:18:16 PM
mbam-log-2009-03-28 (15-18-16).txt

Scan type: Quick Scan
Objects scanned: 90880
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Asra\Start Menu\Programs\Antivirus 2010 (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Asra\Start Menu\Programs\Antivirus 2010\Antivirus 2010.lnk (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Asra\Start Menu\Programs\Antivirus 2010\Uninstall.lnk (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.


HJT :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23:20, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DKab1err] C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: zbotub.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9431 bytes



Malwarebytes :

Malwarebytes' Anti-Malware 1.35
Database version: 1911
Windows 5.1.2600 Service Pack 3

3/28/2009 3:18:16 PM
mbam-log-2009-03-28 (15-18-16).txt

Scan type: Quick Scan
Objects scanned: 90880
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Asra\Start Menu\Programs\Antivirus 2010 (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Asra\Start Menu\Programs\Antivirus 2010\Antivirus 2010.lnk (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Asra\Start Menu\Programs\Antivirus 2010\Uninstall.lnk (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.


HJT :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23:20, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DKab1err] C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Arshi Rizvi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: zbotub.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9431 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users