Help me and here is my hijack log

**Mohi212** · #1 6th Sep 2008, 00:54

hi . My computer is definitely infect by trojan, malware or spyware . whenever I open my computer, a balloon pops up from the taskbar saying that my computer is infected and suddenly all these ads pop up and keep on opening new ones . and i believe theses processes that i see in the task manager are respnsible

something like lssmon.exe , lssmgr.exe (may not exactly be the same) cuz when i close them the balloon disappears .

anyways, here is my hijack log, so Plz help me out .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:14 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Opera\opera.exe
E:\ALL THE SOFTWARES\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe ssvichosst.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program

Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet

Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program

Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program

files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program

files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite

6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] D:\WINDOWS\system32\LSSMON.EXE
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

/NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

/NoDialog (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download

Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download

Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download

Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} -

D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program

Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program

Files\Ares\chatServer.exe
O23 - Service: avast! Antivirus avast!SamSs (avast!SamSs) - Unknown owner -

D:\WINDOWS\system32\dllcaches.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - D:\Program Files\Sunbelt

Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4603 bytes

**evilfantasy** · #2 6th Sep 2008, 01:26

Hello Mohi212. Welcome to CJ.

Disable Counterspy so it does not block the fixes we make.

Right click the tray icon and turn off Counterspy.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] D:\WINDOWS\system32\LSSMON.EXE
O23 - Service: avast! Antivirus avast!SamSs (avast!SamSs) - Unknown owner - D:\WINDOWS\system32\dllcaches.exe

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Go to Start > Run and type Notepad.exe then click OK.

Copy and paste the following text within the code box into the new Notepad file.

Code:

@ECHO OFF
sc stop avast!SamSs
sc delete avast!SamSs
exit

In Notepad select File and Save as
Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

Next double click fixservice.bat to run it.
A black box should open and close after a short time, this is normal.
Do not continue until the black box has closed
Delete fixservice.bat from the Desktop.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy the text in the Code box below and paste it into Notepad.

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Layersecurity Servicemonitor"=-

In Notepad go to File > Save as...

Next to File name: type fixme.reg Use the dropdown box next to Save as type: and select All files. Save it to the Desktop.

There should now be a file on the Desktop that looks like this

Double-click fixme.reg it and allow it to merge with the Registry.

You may not see anything happen but give it a few seconds or so to finish.

Now delete the fixme.reg file from the Desktop.

Restart the Computer.

----------

Now run a new HijackThis scan and post the log.

Important: When the log from HijackThis comes up in Notepad, before copying it, go to Format and click Word Wrap. Then copy and paste the log here.

**Mohi212** · #3 6th Sep 2008, 04:08

hey thanks for your help . but when i restarted the pc, the pop up are still opening and that balloon saying spyware detected . click here to install anti-virus is still appearing

Anyways, here is the hijack log after the restart .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:35 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\system32\wscntfy.exe
E:\ALL THE SOFTWARES\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe ssvichosst.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] D:\WINDOWS\system32\LSSMON.EXE
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4384 bytes

**evilfantasy** · #4 6th Sep 2008, 08:41

Download Malwarebytes' Anti-Malware (MBAM)

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

**Mohi212** · #5 6th Sep 2008, 13:29

this result is of full scan . when i did the the quick scan it detect the an adware which i removed .

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

9/7/2008 2:21:54 AM
mbam-log-2008-09-07 (02-21-54).txt

Scan type: Full Scan (D:\|)
Objects scanned: 92811
Time elapsed: 38 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**evilfantasy** · #6 6th Sep 2008, 13:44

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

**Mohi212** · #7 7th Sep 2008, 02:17

here is the combo fix log . When after restarting, it was making the log, the those pop-ups and balloon appeared again .

here it is .

ComboFix 08-09-05.02 - Burhan 2008-09-07 13:40:43.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.24 [GMT 5:00]Running from: D:\Documents and Settings\Burhan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Burhan\Cookies\burhan@ad.yieldmanager[1].txt
D:\Documents and Settings\Burhan\Cookies\burhan@antispywaremaster[2].txt
D:\Documents and Settings\Burhan\Local Settings\Temporary Internet Files\descript.ion
D:\setup.exe
D:\WINDOWS\system32\autorun.ini
D:\WINDOWS\system32\avpo0.dll
D:\WINDOWS\system32\SCVHSOT.exe
D:\WINDOWS\system32\setting.ini
D:\WINDOWS\system32\spool.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CSNETMANAGERXP
-------\Legacy_SYSREST.SYS

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-07 13:47 . 2008-09-07 13:47 <DIR> d--hs---- D:\FOUND.145
2008-09-06 13:10 . 2008-09-06 13:10 <DIR> d-------- D:\Program Files\XoftSpySE
2008-09-06 00:19 . 2008-09-06 00:19 <DIR> d--hs---- D:\FOUND.144
2008-09-05 23:07 . 2008-09-05 23:37 741,376 --a------ D:\WINDOWS\system32\msupd32.exe
2008-09-05 22:29 . 2008-09-05 23:37 741,376 --a------ D:\WINDOWS\system32\LSSMON.EXE
2008-09-05 22:29 . 2008-09-04 17:49 17,920 --a------ D:\WINDOWS\system32\LSASSMGR.EXE
2008-09-05 17:04 . 2008-09-05 22:41 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-09-05 17:04 . 2008-09-05 17:04 1,409 --a------ D:\WINDOWS\QTFont.for
2008-09-05 15:15 . 2008-09-07 13:48 0 --a------ D:\WINDOWS\system32\bsc32.dll
2008-09-05 15:14 . 2008-09-05 15:14 <DIR> d--hs---- D:\FOUND.143
2008-09-05 13:25 . 2008-09-05 13:25 <DIR> d--hs---- D:\FOUND.142
2008-09-05 00:39 . 2008-09-05 00:39 <DIR> d--hs---- D:\FOUND.141
2008-09-04 18:19 . 2008-09-04 18:19 <DIR> d-------- D:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-04 17:49 . 2008-09-05 23:37 741,376 --a------ D:\WINDOWS\divx32.dll
2008-09-04 17:49 . 2008-09-04 17:49 17,920 --a------ D:\WINDOWS\system32\srtsrv32.exe
2008-09-04 17:48 . 2008-09-05 12:40 741,376 --a------ D:\WINDOWS\system32\upd01.exe
2008-09-04 17:45 . 2008-09-04 17:45 <DIR> d--hs---- D:\FOUND.140
2008-09-04 07:11 . 2008-09-04 07:11 <DIR> d-------- D:\Documents and Settings\Burhan\Application Data\Yahoo!
2008-09-03 12:21 . 2008-09-03 12:21 <DIR> d--hs---- D:\FOUND.139
2008-09-01 20:51 . 2008-09-01 20:51 <DIR> d--hs---- D:\FOUND.138
2008-08-31 13:53 . 2008-08-31 13:53 <DIR> d--hs---- D:\FOUND.137
2008-08-28 23:04 . 2008-08-28 23:04 <DIR> d--hs---- D:\FOUND.136
2008-08-27 08:13 . 2008-08-27 08:13 <DIR> d--hs---- D:\FOUND.135
2008-08-27 00:54 . 2008-08-27 00:54 4,096 --a------ D:\WINDOWS\d3dx.dat
2008-08-26 10:33 . 2008-08-26 10:33 <DIR> d--hs---- D:\FOUND.134
2008-08-26 02:27 . 2008-08-26 02:27 <DIR> d--hs---- D:\FOUND.133
2008-08-26 01:07 . 2008-08-26 01:07 <DIR> d--hs---- D:\FOUND.132
2008-08-26 00:15 . 2008-08-26 00:15 <DIR> d--hs---- D:\FOUND.131
2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- D:\Program Files\Microsoft Encarta
2008-08-25 18:41 . 2008-08-25 18:41 <DIR> d--hs---- D:\FOUND.130
2008-08-25 17:09 . 2008-08-25 17:09 <DIR> d--hs---- D:\FOUND.129
2008-08-25 08:14 . 2008-08-25 08:14 <DIR> d--hs---- D:\FOUND.128
2008-08-25 06:09 . 2008-08-25 06:09 23,552 --a------ D:\Documents and Settings\Burhan\S87ekhV.exe
2008-08-25 06:00 . 2008-08-25 06:00 <DIR> d--hs---- D:\FOUND.127
2008-08-25 05:36 . 2008-08-25 05:36 <DIR> d--hs---- D:\FOUND.126
2008-08-24 23:36 . 2008-08-24 23:36 <DIR> d--hs---- D:\FOUND.125
2008-08-24 03:11 . 2008-08-24 03:11 <DIR> d--hs---- D:\FOUND.124
2008-08-23 12:06 . 2008-08-23 12:06 <DIR> d--hs---- D:\FOUND.123
2008-08-23 10:55 . 2008-08-23 10:55 <DIR> d--hs---- D:\FOUND.122
2008-08-23 08:38 . 2008-08-23 08:38 <DIR> d--hs---- D:\FOUND.121
2008-08-23 01:49 . 2008-08-23 01:49 <DIR> d--hs---- D:\FOUND.120
2008-08-22 18:20 . 2008-08-22 18:20 <DIR> d--hs---- D:\FOUND.119
2008-08-20 21:05 . 2008-08-20 21:05 <DIR> d-------- D:\spoolerlogs
2008-08-19 22:32 . 2008-08-19 22:32 <DIR> d--hs---- D:\FOUND.118
2008-08-19 22:12 . 2008-08-19 22:12 <DIR> d--hs---- D:\FOUND.117
2008-08-19 16:13 . 2008-08-19 16:13 <DIR> d--hs---- D:\FOUND.116
2008-08-18 03:50 . 2008-08-18 03:51 108 --a------ D:\Documents and Settings\Burhan\Application Data\netstat.bat
2008-08-17 09:54 . 2008-08-17 09:54 <DIR> d--hs---- D:\FOUND.115
2008-08-13 02:42 . 2008-08-13 02:42 <DIR> d--hs---- D:\FOUND.114
2008-08-12 16:17 . 2008-08-12 16:17 <DIR> d--hs---- D:\FOUND.113
2008-08-11 13:37 . 2008-09-05 22:31 0 --a------ D:\WINDOWS\system32\sc02.sc
2008-08-11 13:33 . 2008-08-11 13:33 <DIR> d--hs---- D:\FOUND.112
2008-08-11 10:55 . 2008-08-11 10:55 857,037 --a------ D:\WINDOWS\system32\CSRLT.EXE
2008-08-11 10:55 . 2008-08-11 10:55 857,037 --a------ D:\WINDOWS\MSBLT.EXE
2008-08-09 02:36 . 2008-08-09 02:36 <DIR> d--hs---- D:\FOUND.111
2008-08-08 21:17 . 2008-08-08 21:17 <DIR> d--hs---- D:\FOUND.110
2008-08-08 16:54 . 2008-08-08 16:54 <DIR> d--hs---- D:\FOUND.109
2008-08-08 02:35 . 2008-08-08 02:35 <DIR> d-------- D:\Documents and Settings\Burhan\Application Data\GlarySoft
2008-08-08 02:20 . 2008-08-08 02:20 <DIR> d-------- D:\Program Files\Glary Registry Repair
2008-08-08 00:18 . 2008-08-08 00:18 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-07 20:27 . 2008-08-07 20:27 <DIR> d-------- D:\Program Files\Internet Download Manager
2008-08-07 20:27 . 2008-08-07 20:27 <DIR> d-------- D:\Documents and Settings\Burhan\Application Data\IDM
2008-08-07 14:01 . 2008-08-07 14:01 <DIR> d--hs---- D:\FOUND.108
2008-08-07 01:26 . 2008-08-07 01:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-09-01 19:16 38,528 ----a-w D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-01 19:16 17,200 ----a-w D:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 22:08 109,150 ----a-w D:\WINDOWS\system32\drivers\b88b9e8e.sys
2008-08-04 16:05 --------- d-----w D:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 16:05 --------- d-----w D:\Documents and Settings\Burhan\Application Data\Malwarebytes
2008-08-04 16:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 16:24 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
2008-07-30 16:24 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
2008-07-29 22:43 --------- d-----w D:\Documents and Settings\All Users\Application Data\ACD Systems
2008-07-29 22:42 --------- d-----w D:\Program Files\Common Files\ACD Systems
2008-07-29 22:42 --------- d-----w D:\Program Files\ACD Systems
2008-07-21 16:50 --------- d-----w D:\Documents and Settings\Burhan\Application Data\uTorrent
2008-07-21 11:05 --------- d-----w D:\Program Files\uTorrent
2008-07-19 19:28 --------- d-----w D:\Documents and Settings\Burhan\Application Data\DMCache
2008-07-19 10:00 --------- d-----w D:\Program Files\Common Files\L&H
2008-07-17 13:32 --------- d-----w D:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-17 01:11 --------- d-----w D:\Program Files\Ares
2008-07-16 23:15 --------- d-----w D:\Program Files\AdVantage
2008-07-09 22:08 41,984 --sh--r D:\WINDOWS\system32\dllcaches.exe
2008-06-27 21:05 33,576 ----a-w D:\Documents and Settings\Burhan\Application Data\GDIPFONTCACHEV1.DAT
2008-06-22 15:33 7,680 ----a-w D:\WINDOWS\system32\ff_vfw.dll
2008-06-22 15:33 60,273 ----a-w D:\WINDOWS\system32\pthreadGC2.dll
.

------- Sigcheck -------

2004-08-03 21:14 359040 1745b00fc1141404b28f4b94f69a8871 D:\WINDOWS\system32\drivers\tcpip.sys
2004-08-03 21:14 359040 1745b00fc1141404b28f4b94f69a8871 D:\WINDOWS\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"googletalk"="D:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"Layersecurity Servicemonitor"="D:\WINDOWS\system32\LSSMON.EXE" [2008-09-05 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\firefox.exe]
"Debugger"=D:\Program Files\Mozilla Firefox\firefoxe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=D:\Program Files\Internet Explorer\iexplor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spoolsv.exe]
"Debugger"=D:\WINDOWS\system32\spool.exe

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Ares\\Ares.exe"=
"D:\\Program Files\\AIM\\aim.exe"=
"D:\\Program Files\\Messenger\\MSMSGS.EXE"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\Program Files\\Opera\\Opera.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"5000:TCP"= 5000:TCP:AresChatServer

R2 dmsmbios;dmsmbios;D:\WINDOWS\system32\dmsmbios.sys [2001-05-31 16480]
R3 XIRLINK;IBM PC Camera;D:\WINDOWS\system32\DRIVERS\C-itnt.sys [1999-10-19 435655]
S0 SBHR;SBHR;D:\WINDOWS\system32\drivers\sbhr.sys [ ]
S1 b88b9e8e;b88b9e8e;D:\WINDOWS\system32\drivers\b88b 9e8e.sys [2008-08-05 109150]
S3 AvFlt;Antivirus Filter Driver;D:\WINDOWS\system32\drivers\av5flt.sys [ ]
S3 SBRE;SBRE;D:\WINDOWS\system32\drivers\SBREdrv.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{7bd71c60-e76a-11dc-a790-00065b298742}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{9dd929e0-69d0-11dd-a9b5-00065b298742}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{def7f600-a9a1-11dc-a733-00065b298742}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Burhan\Application Data\Mozilla\Firefox\Profiles\419o3i2e.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations (Beta) -------
.
.

************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 13:48:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

D:\Program Files\Internet Explorer\iexplor.exe [492] 0xFF7A8620
D:\WINDOWS\system32\LSASSMGR.EXE [1872] 0xFF832D60
D:\WINDOWS\system32\LSASSMGR.EXE [524] 0xFF8FD600

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Internet Explorer\iexplore.exe
.
************************************************** ************************
.
Completion time: 2008-09-07 13:52:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 08:51:54

Pre-Run: 253,583,360 bytes free
Post-Run: 537,141,248 bytes free

216

here is the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:52 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\taskmgr.exe
E:\ALL THE SOFTWARES\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] D:\WINDOWS\system32\LSSMON.EXE
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4350 bytes

**evilfantasy** · #8 7th Sep 2008, 11:16

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::

File::
D:\FOUND.145
D:\FOUND.144
D:\WINDOWS\system32\msupd32.exe
D:\WINDOWS\system32\LSSMON.EXE
D:\WINDOWS\system32\LSASSMGR.EXE
D:\WINDOWS\system32\bsc32.dll
D:\FOUND.143
D:\FOUND.142
D:\FOUND.141
D:\WINDOWS\system32\srtsrv32.exe
D:\WINDOWS\system32\upd01.exe
D:\FOUND.140D:\FOUND.139
D:\FOUND.138
D:\FOUND.137
D:\FOUND.136
D:\FOUND.135
D:\FOUND.134
D:\FOUND.133
D:\FOUND.132
D:\FOUND.131
D:\FOUND.130
D:\FOUND.129
D:\FOUND.128
D:\Documents and Settings\Burhan\S87ekhV.exe
D:\FOUND.127
D:\FOUND.126
D:\FOUND.125
D:\FOUND.124
D:\FOUND.123
D:\FOUND.122
D:\FOUND.121
D:\FOUND.120
D:\FOUND.119
D:\spoolerlogs
D:\FOUND.118
D:\FOUND.117
D:\FOUND.116
D:\Documents and Settings\Burhan\Application Data\netstat.bat
D:\FOUND.115
D:\FOUND.114
D:\FOUND.113
D:\WINDOWS\system32\sc02.sc
D:\FOUND.112
D:\WINDOWS\system32\CSRLT.EXE
D:\WINDOWS\MSBLT.EXE
D:\FOUND.111
D:\FOUND.110
D:\FOUND.109
D:\FOUND.108
D:\Program Files\Internet Explorer\iexplor.exe
D:\WINDOWS\system32\LSASSMGR.EXE
D:\WINDOWS\system32\LSASSMGR.EXE

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Layersecurity Servicemonitor"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spoolsv.exe]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bd71c60-e76a-11dc-a790-00065b298742}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dd929e0-69d0-11dd-a9b5-00065b298742}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def7f600-a9a1-11dc-a733-00065b298742}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

**Mohi212** · #9 8th Sep 2008, 06:45

I am sorry man but the Combofix result file was 725 kb so wasnt able to paste it over here and so had to upload it in .zip . hope thats okay .

**evilfantasy** · #10 8th Sep 2008, 07:14

Download OTMoveIt2 by OldTimer

Save it to your desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.

Code:

[kill explorer]
D:\FOUND.145
D:\FOUND.144
D:\FOUND.143
D:\FOUND.142
D:\FOUND.141
D:\FOUND.140
D:\FOUND.139
D:\FOUND.138
D:\FOUND.137
D:\FOUND.136
D:\FOUND.135
D:\FOUND.134
D:\FOUND.133
D:\FOUND.132
D:\FOUND.131
D:\FOUND.130
D:\FOUND.129
D:\FOUND.128
D:\FOUND.127
D:\FOUND.126
D:\FOUND.125
D:\FOUND.124
D:\FOUND.123
D:\FOUND.122
D:\FOUND.121
D:\FOUND.120
D:\FOUND.119
D:\spoolerlogs
D:\FOUND.118
D:\FOUND.117
D:\FOUND.116
D:\FOUND.115
D:\FOUND.114
D:\FOUND.113
D:\FOUND.112
D:\FOUND.111
D:\FOUND.110
D:\FOUND.109
D:\FOUND.108
EmptyTemp
[start explorer]

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) and paste it in your next reply.
Close OTMoveIt2

----------

Also let me know how things are now.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Hijack this log	carpious	Virus, Spyware & Security	17	28th Jun 2008 02:21
Hijack this, erm, log	d0od	Virus, Spyware & Security	3	25th Jun 2008 08:22
Hijack log	madcows7	Virus, Spyware & Security	11	29th Feb 2008 20:34
Hijack this log	packofqtips	Virus, Spyware & Security	1	26th Dec 2007 17:57
My HiJack Log!! Help Please!	Aliveamongdead	Virus, Spyware & Security	4	19th Dec 2007 12:52