Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 12-03-2007, 03:34 AM
gee_mel12 (Registered User; Join Date: Dec 2007; Posts: 6; OS: win XP (sp2))

Help: browser keeps being redirected to ecata.info

Hi there.

I really need help from this forum's analysts regarding my Mozilla browser. Every time I use the Google search engine and click on a link in the search results, instead of going to the intended site I get redirected to unrelated sites. E.g. when I search for 'bleach' in Google and click on one of the results, I'll be redirected to "http://ecata.info/rns/b-search/c-bleach/", then to "http://c.goclick.com/r?X=uEvgpteRndmYoczjrdUVodyZnCzlvUFeptmXnTaXnSzrmtURmtEWnDARmtqYoDeQnDIUndITntyGrvBuptaGuUFepteGue9tptaGuVa9mtATmCzvqTUQlDeV"
then to "http://www.megaclick.com/notfound/?lg=en&type=dns&tbtype=megaup&q=http://c.goclick.com/r?X=uEvgpteRndmYoczjrdUVodyZnCzlvUFeptmXnTaXnSzrmtURmtEWnDARmtqYoDeQnDIUndITntyGrvBuptaGuUFepteGue9tptaGuVa9mtATmCzvqTUQlDeV"

I need to click the link at least 3 times to get to the actual site.
I really need your help because it really bothers me that sometimes the browser gets directed to a porn site. I've run Spybot, but the problem still remained.
So, I ran dss.exe and HijackThis on my computer, and here are the logs:

Deckard's System Scanner v20071014.68
Run by user on 2007-12-03 19:01:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
32: 2007-12-03 11:01:46 UTC - RP1206 - Deckard's System Scanner Restore Point
31: 2007-12-03 01:32:14 UTC - RP1205 - System Checkpoint
30: 2007-12-01 18:30:51 UTC - RP1204 - System Checkpoint
29: 2007-11-30 1834 UTC - RP1203 - System Checkpoint
28: 2007-11-29 17:43:15 UTC - RP1202 - System Checkpoint


-- First Restore Point --
1: 2007-10-30 06:42:09 UTC - RP1175 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 240 MiB (512 MiB recommended).


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:51 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f331.mail.yahoo.com/ym/log...=225fimb8n7goo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1194841416932
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194841355664
O17 - HKLM\System\CCS\Services\Tcpip\..\{266843F6-4A3B-42F2-8377-715E03046743}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{31B1D999-38E0-407F-BB44-C3A546818602}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{4926B89F-53C8-406E-8945-00E3C76E2B43}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE23DC7-DDE1-4C2E-8E6D-132D477006DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8283336E-3FFA-463C-BBAA-7DB6A55C5473}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{83831019-7DC0-45BC-BC11-B11638458A3F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF87E49-92B7-42DE-9CE1-EA6937A3DD85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F677D66-28F7-4F76-8CB4-9423A90FFF73}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76C4941-3204-4DB8-8018-E9546428276A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O24 - Desktop Component 0: (no name) - http://www.coolbuddy.com/icon/mceleb/ico_incubas09.gif
O24 - Desktop Component 1: (no name) - http://www.coolbuddy.com/icon/mceleb/ico_incubas04.gif
O24 - Desktop Component 2: (no name) - http://www.coolbuddy.com/icon/mceleb/ico_incubas02.gif

--
End of file - 8554 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 65.ico,0
.cmd - cmdfile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 56.ico,0
.chm - chm.file - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 75.ico,0
.hlp - hlpfile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 75.ico,0
.inf - inffile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 56.ico,0
.ini - inifile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 56.ico,0
.js - unable to read key
.js - unable to read key
.reg - regfile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 56.ico,0
.reg - regfile - shell\open\command - "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 58.ico,0
.vbs - VBSFile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Khado\Khado Icon 56.ico,0


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.3500>
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.3500>
R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek MMKey>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S0 szkg - c:\windows\system32\drivers\szkg.sys (file missing)
S3 TSP - c:\windows\system32\drivers\klif.sys (file missing)
S3 USB-100 (Realtek RTL8150 USB 10/100 Fast Ethernet Adapter) - c:\windows\system32\drivers\rtl8150.sys <Not Verified; Realtek; Realtek 8150-series USB NIC>
S3 usbbus (LGE Mobile Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-28 22:32:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-03 and 2007-12-03 -----------------------------

2007-12-03 19:03:26 0 d-------- C:\Program Files\Trend Micro
2007-11-26 13:46:33 0 d-------- C:\Program Files\EA GAMES
2007-11-26 13:29:15 0 dr-h----- C:\Documents and Settings\user\Recent
2007-11-25 16:00:52 0 d-------- C:\Program Files\uTorrent
2007-11-24 23:41:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-24 23:08:34 0 d-------- C:\Program Files\CCleaner
2007-11-24 22:43:12 0 d-------- C:\Program Files\Alwil Software
2007-11-23 18:09:04 0 d-------- C:\Program Files\Fox
2007-11-23 13:44:12 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-11-23 13:44:12 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-11-23 13:44:12 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-11-12 20:48:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-12 13:13:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-11 22:59:27 0 d-------- C:\Program Files\Kaspersky Lab
2007-11-11 22:59:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-11 22:49:31 0 d-------- C:\kav
2007-11-09 00:59:12 0 d-------- C:\Documents and Settings\user\Application Data\WinRAR


-- Find3M Report ---------------------------------------------------------------

2007-10-26 23:31:52 0 d-------- C:\Program Files\WIDCOMM
2007-10-17 18:49:42 0 d-------- C:\Program Files\opacity
2007-10-09 03:32:40 0 d-------- C:\Program Files\InterVideo
2007-10-09 03:21:30 0 d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-17 10:30:14 5 --a------ C:\WINDOWS\system32\SySMP3CutJoin.dat
2007-09-10 00:33:36 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [06/23/2003 10:34 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [06/23/2003 10:34 AM]
"SoundMan"="SOUNDMAN.EXE" [06/20/2003 07:55 PM C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [06/23/2003 10:35 AM C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [07/25/2002 04:49 AM]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE" [11/27/2003 01:16 AM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/28/2007 02:01 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/02/2007 05:22 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [08/19/2005 02:49 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/17/2005 5:39:30 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/24/2005 2:05:26 PM]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [5/12/2006 1:33:22 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdwjb.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll 12/06/2005 09:16 PM 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
C:\Program Files\BullsEye Network\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2a8240-836d-11da-aa18-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- G:\Flash.10.Setup.exe
Open\command- G:\Flash.10.Setup.exe
Scan for Viruses\command- G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2a8242-836d-11da-aa18-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- G:\Flash.10.Setup.exe
Open\command- G:\Flash.10.Setup.exe
Scan for Viruses\command- G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a1e23e1-8c57-11d9-a7c8-000e350ab724}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PET32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5357ef30-02d3-11db-ab6e-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe msiexec.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55e831b0-0281-11dc-adb7-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5acc6570-af98-11db-acde-000e350ab724}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6584ad20-a17d-11db-acbe-000e350ab724}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{761c5710-441a-11dc-ae55-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- G:\Flash.10.Setup.exe
Open\command- G:\Flash.10.Setup.exe
Scan for Viruses\command- G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dbd3110-f3f1-11db-ad8b-000e350ab724}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dbd3116-f3f1-11db-ad8b-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98d8bf30-aaa3-11db-acd4-000e350ab724}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0d074e0-5a1d-11dc-ae9c-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- Flash.10.Setup.exe
Open\command- Flash.10.Setup.exe
Scan for Viruses\command- Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3d903b0-345d-11dc-ae2b-000e350ab724}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f976bcc0-5a0d-11dc-ae9b-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- Flash.10.Setup.exe
Open\command- Flash.10.Setup.exe
Scan for Viruses\command- Scanner.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7517 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-12-03 19:05:39 ------------

Really appreciate the help given~
Attached Files: extra.txt (17.1 KB)
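Added example (editor's note: not part of either poster's reply, and not code from HijackThis, DSS or ComboFix): a small Python triage script run over lines copied from the logs above, picking out what an analyst would act on first for a search-redirect complaint. The O17 entries are the key ones: the active control set (CCS) and ControlSet001 hold the OpenDNS pair 208.67.220.220 / 208.67.222.222, but ControlSet003 still holds 85.255.113.90 and 85.255.112.74, which sit in the 85.255.112.0/20 range that public reporting on the DNSChanger family tied to rogue resolvers (the thread itself does not say this). The script also surfaces the Winlogon "System" value kdwjb.exe (the file ComboFix deletes in the next post), the MountPoints2 AutoRun commands left behind by infected removable drives, and orphaned HJT entries. The allowlist of expected resolvers and the trimmed sample log are the script's own assumptions, not anything the posters stated.

```python
"""Triage a HijackThis / Deckard's System Scanner excerpt for the redirect symptoms
in this thread.  Added example: not code from the thread, HijackThis or ComboFix.
Assumptions: EXPECTED_DNS is the resolver set the owner intends (the OpenDNS pair
on the active control set in the posted log); SAMPLE_LOG lines are copied from the
log above, trimmed to the entries this script inspects."""
import ipaddress
import re
from collections import defaultdict

EXPECTED_DNS = {"208.67.220.220", "208.67.222.222"}  # assumption, see docstring

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{266843F6-4A3B-42F2-8377-715E03046743}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.74
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdwjb.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a1e23e1-8c57-11d9-a7c8-000e350ab724}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PET32.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5357ef30-02d3-11db-ab6e-000e350ab724}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe msiexec.dll.vbs
"""

# O17: control set name plus the raw NameServer string HijackThis printed.
O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\.*?: NameServer = (?P<ns>.+)$")
# MountPoints2 verbs that Explorer runs when a remembered removable drive is opened.
AUTORUN_RE = re.compile(r"^(?:AutoRun|Auto|Open|Explore)\\command-\s*(?P<cmd>.+)$")


def nameserver_entries(log):
    """{control set: [resolver IP, ...]} from every O17 line.  The registry value may
    be comma- or space-separated, so split on both and keep only valid addresses."""
    found = defaultdict(list)
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for tok in re.split(r"[,\s]+", m.group("ns").strip()):
            try:
                ip = str(ipaddress.ip_address(tok))
            except ValueError:
                continue
            if ip not in found[m.group("cs")]:
                found[m.group("cs")].append(ip)
    return dict(found)


def rogue_nameservers(log, expected=EXPECTED_DNS):
    """Resolvers outside the expected set, per control set.  Stale sets (CS1, CS3, ...)
    still matter: booting from one (e.g. Last Known Good) puts the rogue DNS back."""
    return {cs: [ip for ip in ips if ip not in expected]
            for cs, ips in nameserver_entries(log).items()
            if any(ip not in expected for ip in ips)}


def winlogon_system_value(log):
    """The Winlogon 'System' value from a DSS registry dump.  It is empty on a clean
    XP install, so any executable named here is a logon-time persistence point."""
    in_winlogon = False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_winlogon = s.lower().endswith(r"\currentversion\winlogon]")
        elif in_winlogon and s.lower().startswith('"system"='):
            return s.split("=", 1)[1].strip().strip('"')
    return ""


def removable_media_autoruns(log):
    """Commands MountPoints2 remembers for removable drives the machine has seen;
    each is what an autorun.inf on that drive asked Explorer to execute."""
    return [m.group("cmd") for m in
            (AUTORUN_RE.match(l.strip()) for l in log.splitlines()) if m]


def orphaned_entries(log):
    """HJT entries whose file no longer exists: cosmetic, but they get cleaned too."""
    return [l.strip() for l in log.splitlines() if l.strip().endswith("(no file)")]


def triage(log, expected=EXPECTED_DNS):
    """All findings in one dict, in the order an analyst would act on them."""
    return {
        "rogue_dns": rogue_nameservers(log, expected),
        "winlogon_system": winlogon_system_value(log),
        "autorun_commands": removable_media_autoruns(log),
        "orphaned": orphaned_entries(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the live machine the same stale value can be confirmed with `reg query HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters /v NameServer`. The practical point is that the resolver has to be corrected in every ControlSet and under every interface GUID, not only in CurrentControlSet, or the redirect can return after a boot from that older control set.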
#2 - 12-05-2007, 08:12 AM
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 23,958; OS: WinXP and Vista)

Re: Help: browser keeps being redirected to ecata.info

Hello gee_mel12,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#3 - 12-05-2007, 09:19 AM
gee_mel12 (Registered User; Join Date: Dec 2007; Posts: 6; OS: win XP (sp2))

Re: Help: browser keeps being redirected to ecata.info

Thanks a lot for replying!

I think I should inform you that I ran a Panda scan on my laptop and it detected nothing. However, there's one more thing that is weird with my computer: there's a folder that closes due to an error every time I open it or place the cursor on it, and I can't seem to delete that particular folder. A window appears saying explorer.exe encountered a problem and needs to close. But thanks to you, after I installed ComboFix and ran it, the folder has been removed and I don't face the problem anymore :)

Okay then, the ComboFix log and the new HijackThis log:

ComboFix 07-12-04.3 - user 2007-12-06 0:35:38.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.44 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kdwjb.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 23:45 . 2007-12-04 23:45 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-04 22:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-04 18:01 . 2007-12-04 18:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Grisoft
2007-12-04 18:00 . 2007-12-04 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 18:00 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-03 22:32 . 2007-12-03 22:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-03 22:32 . 2007-12-04 11:44 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-03 22:32 . 2007-12-04 11:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-03 22:32 . 2007-12-04 11:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-03 19:03 . 2007-12-03 19:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-03 19:00 . 2007-12-03 19:00 <DIR> d-------- C:\Deckard
2007-11-26 13:46 . 2007-11-26 13:46 <DIR> d-------- C:\Program Files\EA GAMES
2007-11-25 16:00 . 2007-11-25 16:00 <DIR> d-------- C:\Program Files\uTorrent
2007-11-24 23:41 . 2007-11-24 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-24 23:08 . 2007-11-24 23:08 <DIR> d-------- C:\Program Files\CCleaner
2007-11-24 22:43 . 2007-11-24 22:43 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-24 22:43 . 2003-03-19 05:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-11-24 22:43 . 2007-09-06 18:09 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-24 22:43 . 2004-01-09 18:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-11-24 22:43 . 2007-09-06 18:00 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-24 22:43 . 2007-09-06 18:05 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-24 22:43 . 2007-09-06 18:05 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-24 22:43 . 2007-09-06 18:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-24 22:43 . 2007-09-06 18:00 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-24 22:43 . 2007-09-06 18:03 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-23 18:09 . 2007-11-23 18:09 <DIR> d-------- C:\Program Files\Fox
2007-11-23 13:44 . 2007-11-24 14:39 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-11-23 13:44 . 2007-11-24 14:39 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-11-23 13:44 . 2007-11-24 14:39 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-11-12 20:49 . 2007-11-12 20:49 78,415 --a------ C:\WINDOWS\system32\drivers\klif.cab
2007-11-12 20:48 . 2007-11-12 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-12 13:13 . 2007-11-12 13:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 12:27 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-12 12:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-12 12:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-12 12:27 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-11 22:59 . 2007-11-11 22:59 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-11 22:59 . 2007-11-11 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-11 22:49 . 2007-11-11 22:49 <DIR> d-------- C:\kav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 15:31 --------- d-----w C:\Program Files\WIDCOMM
2007-10-17 10:49 --------- d-----w C:\Program Files\opacity
2007-10-08 19:32 --------- d-----w C:\Program Files\InterVideo
2007-10-08 19:21 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-09-09 16:33 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-12-07 06:48 19,456 ----a-w C:\Program Files\patch.exe
2006-09-11 06:54 13,447,680 ----a-w C:\Program Files\SPSS 15.0 for Windows Evaluation Version.msi
2006-09-11 06:03 2,094 ----a-w C:\Program Files\Setup.ini
2006-09-11 06:01 252 ----a-w C:\Program Files\v7temp.cab
2006-09-11 06:00 315 ----a-w C:\Program Files\Lopts.cab
2006-09-11 05:59 851,246 ----a-w C:\Program Files\Utl.cab
2006-09-11 05:58 466,423 ----a-w C:\Program Files\xd.cab
2006-09-10 11:32 8,864,916 ----a-w C:\Program Files\Chm.cab
2006-09-10 11:32 797,507 ----a-w C:\Program Files\Dat.cab
2006-09-10 11:32 573,777 ----a-w C:\Program Files\Bsc.cab
2006-09-10 11:32 2,916,387 ----a-w C:\Program Files\Common.cab
2006-09-10 11:32 101,700 ----a-w C:\Program Files\ClientAc.cab
2006-09-10 11:31 6,417,305 ----a-w C:\Program Files\SBB.cab
2006-09-10 11:31 108,698 ----a-w C:\Program Files\PdM.cab
2006-09-10 11:30 9,873 ----a-w C:\Program Files\Looks.cab
2006-09-10 11:30 326,750 ----a-w C:\Program Files\Local.cab
2006-09-10 11:30 23,231,538 ----a-w C:\Program Files\JRE.cab
2006-09-10 11:30 13,795 ----a-w C:\Program Files\Readme.cab
2006-09-10 11:29 55,739,932 ----a-w C:\Program Files\Bas.cab
2006-09-10 11:26 495,386 ----a-w C:\Program Files\CustID.cab
2006-09-10 11:26 455,490 ----a-w C:\Program Files\NetID.cab
2006-09-10 11:26 455,484 ----a-w C:\Program Files\VirtID.cab
2006-09-10 11:26 30,260,916 ----a-w C:\Program Files\Tut.cab
2006-09-10 11:26 3,029,874 ----a-w C:\Program Files\Sys.cab
2006-09-10 11:25 10,566,539 ----a-w C:\Program Files\Syn.cab
2006-09-10 11:07 8,237,172 ----a-w C:\Program Files\Map.cab
2006-09-10 11:07 7,034 ----a-w C:\Program Files\ESD.cab
2006-09-10 11:07 385,507 ----a-w C:\Program Files\Net.cab
2006-09-10 11:07 262,144 ----a-w C:\Program Files\setup.exe
2006-06-01 01:51 62,960 ----a-w C:\Program Files\setup.bmp
2006-01-12 15:14 92,828,160 ----a-w C:\Program Files\Fireworks8-en.exe
2005-11-13 19:26 1,001,472 ----a-w C:\Program Files\ISScript1150.Msi
2005-11-13 15:49 5,693 ----a-w C:\Program Files\0x0409.ini
2005-11-13 15:44 2,584,848 ----a-w C:\Program Files\WindowsInstaller-KB893803-x86.exe
2004-08-12 08:43 31,384 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2003-03-21 05:45 250,544 ----a-w C:\Program Files\Common Files\keyhelp.ocx
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-01 14:34 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-06-01 14:34 56 --sh--r C:\WINDOWS\system32\802EA058DA.sys
2006-12-18 09:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012006121820061219\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-06-23 10:34]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-06-23 10:34]
"SoundMan"="SOUNDMAN.EXE" [2003-06-20 19:55 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 10:35 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-07-25 04:49]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE" [2003-11-27 01:16]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-05-28 14:01]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 18:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 14:05:26]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 21:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
C:\Program Files\BullsEye Network\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2006-10-20 15:34 163576 --a------ C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
S3 UMSSSTOR;C-Media Storage;C:\WINDOWS\system32\DRIVERS\UMSS.SYS
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2a8240-836d-11da-aa18-000e350ab724}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - G:\Flash.10.Setup.exe
\Shell\Open\command - G:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2a8242-836d-11da-aa18-000e350ab724}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - G:\Flash.10.Setup.exe
\Shell\Open\command - G:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{761c5710-441a-11dc-ae55-000e350ab724}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - G:\Flash.10.Setup.exe
\Shell\Open\command - G:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0d074e0-5a1d-11dc-ae9c-000e350ab724}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - Flash.10.Setup.exe
\Shell\Open\command - Flash.10.Setup.exe
\Shell\Scan for Viruses\command - Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3d903b0-345d-11dc-ae2b-000e350ab724}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f976bcc0-5a0d-11dc-ae9b-000e350ab724}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - Flash.10.Setup.exe
\Shell\Open\command - Flash.10.Setup.exe
\Shell\Scan for Viruses\command - Scanner.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 00:50:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-06 0:55:05 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:59 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f331.mail.yahoo.com/ym/log...=225fimb8n7goo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1194841416932
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194841355664
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{266843F6-4A3B-42F2-8377-715E03046743}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{31B1D999-38E0-407F-BB44-C3A546818602}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{4926B89F-53C8-406E-8945-00E3C76E2B43}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE23DC7-DDE1-4C2E-8E6D-132D477006DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8283336E-3FFA-463C-BBAA-7DB6A55C5473}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{83831019-7DC0-45BC-BC11-B11638458A3F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF87E49-92B7-42DE-9CE1-EA6937A3DD85}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F677D66-28F7-4F76-8CB4-9423A90FFF73}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76C4941-3204-4DB8-8018-E9546428276A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O24 - Desktop Component 0: (no name) - http://www.coolbuddy.com/icon/mceleb/ico_incubas09.gif
O24 - Desktop Component 1: (no name) - http://www.coolbuddy.com/icon/mceleb/ico_incubas04.gif
O24 - Desktop Component 2: (no name) - http://www.coolbuddy.com/icon/mceleb/ico_incubas02.gif

--
End of file - 8107 bytes
__________________
i'm psyduck~ confused as ever~
gee_mel12 is offline  
Old 12-05-2007, 09:22 AM   #4 (permalink)
Registered User
Join Date: Dec 2007
Posts: 6
OS: win XP (sp2)


Re: Help: browser keep being redirected to ecata.info

Oh, one more thing. After ComboFix produced its log, Spybot S&D popped up asking if I should allow the registry keys that have been changed. Should I?
__________________
i'm psyduck~ confused as ever~
gee_mel12 is offline  
Old 12-05-2007, 10:45 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Help: browser keep being redirected to ecata.info

Yes, you should have allowed Spybot to 'allow' the changes. Better yet, let's disable it for the duration of this cleaning so we don't have to worry about it again.

Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • See this link for a tutorial


Also, on the last run I omitted the instructions for you to insert your flash drive. We have more to do.

------------

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Insert your flash drive, or whatever is usually your G: drive.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/199394-help-browser-keep-being-redirected-ecata-info-post1197175.html#post1197175

Collect::
G:\Flash.10.Setup.exe
G:\Scanner.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2a8240-836d-11da-aa18-000e350ab724}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2a8242-836d-11da-aa18-000e350ab724}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{761c5710-441a-11dc-ae55-000e350ab724}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0d074e0-5a1d-11dc-ae9c-000e350ab724}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3d903b0-345d-11dc-ae2b-000e350ab724}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f976bcc0-5a0d-11dc-ae9b-000e350ab724}]
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


**When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

Please post the C:\ComboFix.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
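A defender-side way to do by script what the CFScript in the post above does by hand, as an added example in Python (not part of this thread, and not ComboFix's own code): parse the MountPoints2 entries out of a ComboFix "Reg Loading Points" section, flag every key whose shell verbs launch an executable from the mounted volume, and emit the matching Collect:: and Registry:: lines. The sample log text is constructed from the entries posted earlier in this thread; the drive letter (G:) and the treatment of rundll32.exe as a mere launcher rather than a payload are assumptions. It generalizes the posted script slightly: every executable the flagged verbs reference is listed, so boot.exe from the fifth MountPoints2 key lands in Collect:: as well.

```python
"""Triage of a ComboFix 'Reg Loading Points' section for removable-drive
autorun entries (MountPoints2) and generation of matching CFScript sections.

Added example; not ComboFix's own code. The log layout follows the log posted
in this thread; the drive letter is an assumption supplied by the caller.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample excerpt in the layout of the thread's ComboFix log
# (two MountPoints2 keys and one benign Run entry taken from the posted log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2a8240-836d-11da-aa18-000e350ab724}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - G:\Flash.10.Setup.exe
\Shell\Open\command - G:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3d903b0-345d-11dc-ae2b-000e350ab724}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")
EXE_RE = re.compile(r'[^\s"\\,]+\.exe', re.IGNORECASE)
# Assumption: Windows host binaries that appear only to launch the real payload.
LAUNCHERS = {"rundll32.exe"}


def parse_loading_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group '\\Shell\\<verb>\\command - <cmd>' lines under their registry key."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = m.group("key")
            entries[current] = []
            continue
        v = VERB_RE.match(line.strip())
        if v and current is not None:
            entries[current].append((v.group("verb"), v.group("cmd")))
    return entries


def payload_executables(command: str) -> List[str]:
    """Base names of .exe files a shell-verb command runs, launcher excluded."""
    names: List[str] = []
    for token in EXE_RE.findall(command):
        base = token.split("\\")[-1]
        if base.lower() in LAUNCHERS or base in names:
            continue
        names.append(base)
    return names


def suspicious_mountpoints(entries: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """MountPoints2 keys whose shell verbs run an executable from the volume."""
    flagged: Dict[str, List[str]] = {}
    for key, verbs in entries.items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        exes: List[str] = []
        for _verb, cmd in verbs:
            for name in payload_executables(cmd):
                if name not in exes:
                    exes.append(name)
        if exes:
            flagged[key] = exes
    return flagged


def build_cfscript(entries: Dict[str, List[Tuple[str, str]]], drive: str = "G:") -> str:
    """Render Collect:: and Registry:: sections in the CFScript layout used above."""
    flagged = suspicious_mountpoints(entries)
    collect: List[str] = []
    for exes in flagged.values():
        for name in exes:
            path = f"{drive}\\{name}"  # assumed drive letter of the removable volume
            if path not in collect:
                collect.append(path)
    lines = ["Collect::", *collect, "", "Registry::"]
    lines += [f"[-{key}]" for key in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_loading_points(SAMPLE_LOG)))
```

Running the file prints the two sections; paste them under the thread URL line into CFScript.txt exactly as the post describes. The Run key in the sample is deliberately left alone: the rule only fires on MountPoints2 keys, because the security-relevant pattern here is a removable volume whose Open, Explore and AutoRun verbs all hand control to an executable stored on that volume.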
Old 12-05-2007, 09:52 PM   #6 (permalink)
Registered User
Join Date: Dec 2007
Posts: 6
OS: win XP (sp2)


Re: Help: browser keep being redirected to ecata.info

It's weird. After ComboFix finished running, there was no message box or browser opened whatsoever. I only got the log from ComboFix. When my computer restarted (i.e. ComboFix automatically rebooted it), avast and Spybot also started, since these programs are set to launch during startup. Is that what caused ComboFix to be unable to open the message box and the browser?


ComboFix 07-12-04.3 - user 2007-12-06 13:17:24.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.70 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-04 23:45 . 2007-12-04 23:45 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-04 22:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-04 18:01 . 2007-12-04 18:01 <DIR> d-------- C:\Documents and Settings\user\Application Data\Grisoft
2007-12-04 18:00 . 2007-12-04 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 18:00 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-03 22:32 . 2007-12-03 22:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-03 22:32 . 2007-12-04 11:44 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-03 22:32 . 2007-12-04 11:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-03 22:32 . 2007-12-04 11:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-03 19:03 . 2007-12-03 19:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-03 19:00 . 2007-12-03 19:00 <DIR> d-------- C:\Deckard
2007-11-26 13:46 . 2007-11-26 13:46 <DIR> d-------- C:\Program Files\EA GAMES
2007-11-25 16:00 . 2007-11-25 16:00 <DIR> d-------- C:\Program Files\uTorrent
2007-11-24 23:41 . 2007-11-24 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-24 23:08 . 2007-11-24 23:08 <DIR> d-------- C:\Program Files\CCleaner
2007-11-24 22:43 . 2007-11-24 22:43 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-24 22:43 . 2003-03-19 05:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-11-24 22:43 . 2007-09-06 18:09 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-24 22:43 . 2004-01-09 18:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-11-24 22:43 . 2007-09-06 18:00 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-24 22:43 . 2007-09-06 18:05 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-24 22:43 . 2007-09-06 18:05 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-24 22:43 . 2007-09-06 18:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-24 22:43 . 2007-09-06 18:00 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-24 22:43 . 2007-09-06 18:03 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-23 18:09 . 2007-11-23 18:09 <DIR> d-------- C:\Program Files\Fox
2007-11-23 13:44 . 2007-11-24 14:39 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-11-23 13:44 . 2007-11-24 14:39 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-11-23 13:44 . 2007-11-24 14:39 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-11-12 20:49 . 2007-11-12 20:49 78,415 --a------ C:\WINDOWS\system32\drivers\klif.cab
2007-11-12 20:48 . 2007-11-12 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-12 13:13 . 2007-11-12 13:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 12:27 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-12 12:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-12 12:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-12 12:27 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-11 22:59 . 2007-11-11 22:59 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-11 22:59 . 2007-11-11 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-11 22:49 . 2007-11-11 22:49 <DIR> d-------- C:\kav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 15:31 --------- d-----w C:\Program Files\WIDCOMM
2007-10-17 10:49 --------- d-----w C:\Program Files\opacity
2007-10-08 19:32 --------- d-----w C:\Program Files\InterVideo
2007-10-08 19:21 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-09-09 16:33 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-12-07 06:48 19,456 ----a-w C:\Program Files\patch.exe
2006-09-11 06:54 13,447,680 ----a-w C:\Program Files\SPSS 15.0 for Windows Evaluation Version.msi
2006-09-11 06:03 2,094 ----a-w C:\Program Files\Setup.ini
2006-09-11 06:01 252 ----a-w C:\Program Files\v7temp.cab
2006-09-11 06:00 315 ----a-w C:\Program Files\Lopts.cab
2006-09-11 05:59 851,246 ----a-w C:\Program Files\Utl.cab
2006-09-11 05:58 466,423 ----a-w C:\Program Files\xd.cab
2006-09-10 11:32 8,864,916 ----a-w C:\Program Files\Chm.cab
2006-09-10 11:32 797,507 ----a-w C:\Program Files\Dat.cab
2006-09-10 11:32 573,777 ----a-w C:\Program Files\Bsc.cab
2006-09-10 11:32 2,916,387 ----a-w C:\Program Files\Common.cab
2006-09-10 11:32 101,700 ----a-w C:\Program Files\ClientAc.cab
2006-09-10 11:31 6,417,305 ----a-w C:\Program Files\SBB.cab
2006-09-10 11:31 108,698 ----a-w C:\Program Files\PdM.cab
2006-09-10 11:30 9,873 ----a-w C:\Program Files\Looks.cab
2006-09-10 11:30 326,750 ----a-w C:\Program Files\Local.cab
2006-09-10 11:30 23,231,538 ----a-w C:\Program Files\JRE.cab
2006-09-10 11:30 13,795 ----a-w C:\Program Files\Readme.cab
2006-09-10 11:29 55,739,932 ----a-w C:\Program Files\Bas.cab
2006-09-10 11:26 495,386 ----a-w C:\Program Files\CustID.cab
2006-09-10 11:26 455,490 ----a-w C:\Program Files\NetID.cab
2006-09-10 11:26 455,484 ----a-w C:\Program Files\VirtID.cab
2006-09-10 11:26 30,260,916 ----a-w C:\Program Files\Tut.cab
2006-09-10 11:26 3,029,874 ----a-w C:\Program Files\Sys.cab
2006-09-10 11:25 10,566,539 ----a-w C:\Program Files\Syn.cab
2006-09-10 11:07 8,237,172 ----a-w C:\Program Files\Map.cab
2006-09-10 11:07 7,034 ----a-w C:\Program Files\ESD.cab
2006-09-10 11:07 385,507 ----a-w C:\Program Files\Net.cab
2006-09-10 11:07 262,144 ----a-w C:\Program Files\setup.exe
2006-06-01 01:51 62,960 ----a-w C:\Program Files\setup.bmp
2006-01-12 15:14 92,828,160 ----a-w C:\Program Files\Fireworks8-en.exe
2005-11-13 19:26 1,001,472 ----a-w C:\Program Files\ISScript1150.Msi
2005-11-13 15:49 5,693 ----a-w C:\Program Files\0x0409.ini
2005-11-13 15:44 2,584,848 ----a-w C:\Program Files\WindowsInstaller-KB893803-x86.exe
2004-08-12 08:43 31,384 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2003-03-21 05:45 250,544 ----a-w C:\Program Files\Common Files\keyhelp.ocx
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-01 14:34 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-06-01 14:34 56 --sh--r C:\WINDOWS\system32\802EA058DA.sys
2006-12-18 09:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012006121820061219\index.dat
.

((((((((((((((((((((((((((((( snapshot@2007-12-06_ 0.52.10.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\ERDNT\subs\F3M\ERDNT.EXE
- 2007-12-05 12:46:44 40,664 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-05 16:53:44 40,664 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-05 12:46:44 312,946 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-05 16:53:44 312,946 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-06 05:23:02 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-06-23 10:34]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-06-23 10:34]
"SoundMan"="SOUNDMAN.EXE" [2003-06-20 19:55 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 10:35 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-07-25 04:49]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE" [2003-11-27 01:16]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-05-28 14:01]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 18:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 14:05:26]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 21:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2006-10-20 15:34 163576 --a------ C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
S3 UMSSSTOR;C-Media Storage;C:\WINDOWS\system32\DRIVERS\UMSS.SYS
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 13:23:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-06 13:29:40 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-06 00:55
.
--- E O F ---
__________________
i'm psyduck~ confused as ever~
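The registry dump above is the part of a ComboFix log an analyst reads for persistence: Winlogon notify packages, AppInit_DLLs and msconfig-disabled startup items. As an added example (not part of the thread and not ComboFix's own code), this Python snippet parses that section and flags entries in those autostart locations, using lines from the log above as sample input; a flag is a prompt to check the module, not a verdict, and here the flagged DLLs sit under the Stardock WindowBlinds paths shown in the log.

```python
import re

# Excerpt of the ComboFix registry dump posted above, reused as sample input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 21:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE /background
"""

# Autostart locations worth a second look, matched against the lower-cased key path.
PERSISTENCE = [
    (r"\\winlogon\\notify\\", "Winlogon notify DLL (loaded into winlogon.exe)"),
    (r"\\currentversion\\windows$", "AppInit_DLLs (loaded by every process using user32)"),
    (r"\\msconfig\\startup(reg|folder)\\", "msconfig-disabled startup item"),
]
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|lnk)", re.IGNORECASE)

def parse_combofix_registry(text):
    """Return [(key, value_line)] for every non-blank line under a [KEY] header."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            entries.append((key, line))
    return entries

def module_of(value_line):
    """First file path in the line, or the bare module name after '=' (AppInit_DLLs)."""
    m = PATH_RE.search(value_line)
    if m:
        return m.group(0).replace("\\\\", "\\")  # undo reg-export doubled backslashes
    return value_line.split("=", 1)[-1].strip().strip('"')

def flag_persistence(text):
    """Return [(category, key, module)] for entries in known autostart locations."""
    hits = []
    for key, value in parse_combofix_registry(text):
        for pattern, category in PERSISTENCE:
            if re.search(pattern, key.lower()):
                hits.append((category, key, module_of(value)))
                break
    return hits
```

Each flagged module can then be checked against the vendor path and file details ComboFix prints next to it before deciding whether it belongs.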
Old 12-05-2007, 09:59 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Help: browser keep being redirected to ecata.info

Did you have the G: drive inserted while running the CFScript?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 12-05-2007, 10:14 PM   #8 (permalink)
Registered User
Join Date: Dec 2007
Posts: 6
OS: win XP (sp2)


Re: Help: browser keep being redirected to ecata.info

Yes, I inserted the MP3/USB and checked in the 'My Computer' folder that it's the G: drive. Then I moved the CFScript onto ComboFix.exe and ComboFix ran as usual. I also closed all antivirus and anti-spyware programs before doing the above...
__________________
i'm psyduck~ confused as ever~
Old 12-05-2007, 10:57 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Help: browser keep being redirected to ecata.info

Good, then that means those files were no longer on the drive.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type, the following text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard anti-malware and antivirus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 12-05-2007, 11:48 PM   #10 (permalink)
Registered User
Join Date: Dec 2007
Posts: 6
OS: win XP (sp2)


Re: Help: browser keep being redirected to ecata.info

I googled just now and checked the search results, and they directed to the supposed site. Thank you very much!
I have installed McAfee SiteAdvisor, SpywareBlaster and IESpyAd as suggested. Again, thanks a lot for your time and assistance, bless you. And yeah, this thread is considered resolved~
__________________
i'm psyduck~ confused as ever~
Old 12-06-2007, 06:08 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Re: Help: browser keep being redirected to ecata.info

You're welcome, gee_mel12. Surf safely.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum