Trojan-Clicker.HTML.IFrame.wq

[k3st1n]

Hello! Sometimes when I open some page Kaspersky Antivirus 2009 block some internet link:

20.10.2008 18:27:27 hXXp://web.hyj008.info/index.htm Firefox Запрещено: Trojan-Clicker.HTML.IFrame.wq

I have used ATF-Cleaner.exe and Malwarebytes' Anti-Malware full scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:09, on 20.10.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Grabber2k\grabber2k.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Grabber2k] C:\Program Files\Grabber2k\grabber2k.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: C????????? ?????? ???-??????? - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Inlsaacnu a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Inlsaacnu a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Корпорация Майкрософт - C:\Windows\system32\DFSR.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6835 bytes

[katana]

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


Download and Run RSIT

• Please download Random's System Information Tool by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open:
  
  • log.txt will be opened maximized.
  • info.txt will be opened minimized.
• Please post the contents of both log.txt and info.txt.

[k3st1n]

I can't run it - AutoIt Error, Line-1: Error Subscript used with non-Array variable.

[katana]

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  See HERE for help
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[k3st1n]

Log is here:

ComboFix 08-10-10.07 - Edgar 2008-10-26 20:02:25.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1251.7.1033.18.2109 [GMT 2:00]
Running from: C:\Users\Edgar\Desktop\ComboFix.exe
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-23 19:50 . 2008-10-23 19:50 <DIR> d-------- C:\rsit
2008-10-18 16:33 . 2008-10-18 16:33 <DIR> d-------- C:\Users\All Users\KONAMI
2008-10-18 16:33 . 2008-10-18 16:33 <DIR> d-------- C:\ProgramData\KONAMI
2008-10-16 20:18 . 2008-09-18 07:09 3,601,464 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-10-16 20:18 . 2008-09-18 07:09 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-10-16 20:18 . 2008-09-18 04:16 2,032,640 --a------ C:\Windows\System32\win32k.sys
2008-10-16 20:18 . 2008-08-05 11:49 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-10-16 20:18 . 2008-08-05 11:49 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-10-16 20:18 . 2008-08-27 03:06 288,768 --a------ C:\Windows\System32\drivers\srv.sys
2008-10-16 20:18 . 2008-08-05 11:48 217,088 --a------ C:\Windows\System32\psisrndr.ax
2008-10-16 20:18 . 2008-08-05 11:48 177,664 --a------ C:\Windows\System32\mpg2splt.ax
2008-10-16 20:18 . 2008-08-05 11:48 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-10-16 20:17 . 2008-10-02 03:32 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-10-16 20:17 . 2008-10-02 05:49 827,392 --a------ C:\Windows\System32\wininet.dll
2008-10-14 19:21 . 2008-10-14 19:21 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-10-14 19:21 . 2008-10-14 19:21 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-10-14 19:21 . 2008-10-14 19:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-14 19:21 . 2008-09-09 23:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-10-14 19:21 . 2008-09-09 23:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-10-14 19:15 . 2008-10-23 20:06 <DIR> d-------- C:\HiJackThis
2008-10-13 18:26 . 2008-10-13 18:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-13 16:59 . 2000-05-26 23:00 1,388,544 --a------ C:\Windows\System32\temp.000
2008-10-13 16:58 . 2008-10-13 16:58 <DIR> d-------- C:\Program Files\ABB
2008-10-13 16:57 . 2008-10-13 16:57 <DIR> d-------- C:\Windows\Downloaded Installations
2008-10-09 19:37 . 2008-10-09 19:37 127,034 -r------- C:\Windows\bwUnin-8.1.1.50-8876480SL.exe
2008-10-09 19:35 . 2008-10-09 19:35 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-10-09 19:34 . 2008-10-09 19:34 <DIR> d-------- C:\Users\All Users\Logitech
2008-10-09 19:34 . 2008-10-09 19:34 <DIR> d-------- C:\ProgramData\Logitech
2008-10-09 19:34 . 2008-10-09 19:37 <DIR> d-------- C:\Program Files\Logitech
2008-10-09 19:34 . 2008-10-09 19:34 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-10-09 19:34 . 2007-04-23 03:00 163,840 --a------ C:\Windows\System32\kemutb.dll
2008-10-09 19:34 . 2007-04-23 03:00 135,168 --a------ C:\Windows\System32\KemUtil.dll
2008-10-09 19:34 . 2007-04-23 03:00 110,592 --a------ C:\Windows\System32\KemWnd.dll
2008-10-09 19:34 . 2007-04-23 03:00 69,632 --a------ C:\Windows\System32\KemXML.dll
2008-10-09 19:33 . 2008-10-09 19:33 <DIR> d-------- C:\Users\All Users\LogiShrd
2008-10-09 19:33 . 2008-10-09 19:33 <DIR> d-------- C:\ProgramData\LogiShrd
2008-10-05 18:24 . 2008-10-05 18:34 865 --a------ C:\Windows\disney.ini
2008-10-04 18:57 . 2008-10-04 18:57 <DIR> d-------- C:\Users\All Users\Stardock
2008-10-04 18:57 . 2008-10-04 18:57 <DIR> d-------- C:\ProgramData\Stardock
2008-10-04 16:53 . 2008-10-04 16:53 <DIR> d-------- C:\Users\All Users\Codemasters
2008-10-04 16:53 . 2008-10-04 16:53 <DIR> d-------- C:\ProgramData\Codemasters
2008-10-04 16:49 . 2008-04-28 14:53 805,400 -ra------ C:\Windows\System32\tmpBB4F.tmp
2008-10-03 16:48 . 2008-09-17 22:55 1,108,512 --a------ C:\Windows\System32\nvcpluir.dll
2008-10-03 16:47 . 2008-10-21 20:48 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-10-01 16:26 . 2008-10-01 16:26 <DIR> d-------- C:\Windows\Sun
2008-10-01 15:59 . 2008-10-01 15:59 <DIR> d-------- C:\Users\All Users\GRAW2
2008-10-01 15:59 . 2008-10-01 15:59 <DIR> d-------- C:\ProgramData\GRAW2
2008-10-01 15:56 . 2008-10-01 15:56 <DIR> d-------- C:\Windows\System32\AGEIA
2008-10-01 15:56 . 2008-10-01 15:56 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-10-01 15:55 . 2008-10-01 15:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-29 15:38 . 2008-09-29 15:38 <DIR> d-------- C:\Program Files\Bullzip
2008-09-29 15:38 . 2008-08-08 13:47 227,840 --a------ C:\Windows\System32\bzFlRdr.dll
2008-09-29 15:38 . 2008-09-05 05:29 193,024 --a------ C:\Windows\System32\bzpdf.dll
2008-09-29 15:38 . 2008-09-26 19:44 126,976 --a------ C:\Windows\System32\bzpdfc.dll
2008-09-29 15:38 . 2008-07-09 23:19 103,424 --a------ C:\Windows\System32\bzDCT.dll
2008-09-26 20:43 . 2008-10-18 21:41 512 --a------ C:\Windows\randseed.rnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 17:23 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-10-24 05:23 7,648,288 --sha-w C:\Windows\system32\drivers\fidbox.dat
2008-10-24 05:23 61,880 --sha-w C:\Windows\system32\drivers\fidbox.idx
2008-10-24 05:23 598,048 --sha-w C:\Windows\system32\drivers\fidbox2.dat
2008-10-24 05:23 4,172 --sha-w C:\Windows\system32\drivers\fidbox2.idx
2008-10-16 18:22 --------- d-----w C:\ProgramData\Microsoft Help
2008-10-16 18:22 --------- d-----w C:\Program Files\Windows Mail
2008-10-14 17:12 --------- d-----w C:\Program Files\uTorrent
2008-10-14 17:12 --------- d-----w C:\Program Files\Steam
2008-10-14 17:12 --------- d-----w C:\Program Files\SpeedFan
2008-10-14 17:12 --------- d-----w C:\Program Files\Common Files\Steam
2008-10-09 17:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-04 14:50 444,952 ----a-w C:\Windows\System32\wrap_oal.dll
2008-10-04 14:50 109,080 ----a-w C:\Windows\System32\OpenAL32.dll
2008-10-04 14:50 --------- d-----w C:\Program Files\OpenAL
2008-10-03 14:52 --------- d-----w C:\ProgramData\NVIDIA
2008-10-01 13:55 --------- d-----w C:\ProgramData\Media Center Programs
2008-09-25 15:17 --------- d-----w C:\ProgramData\Xfire
2008-09-25 15:17 --------- d-----w C:\Program Files\Xfire
2008-09-18 00:41 42,320 ----a-w C:\Windows\System32\xfcodec.dll
2008-09-10 14:11 --------- d-----w C:\Program Files\scilab-42
2008-09-10 14:03 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-09-10 14:02 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-09-10 14:01 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-09-10 14:00 --------- d-----w C:\Program Files\Microsoft SDKs
2008-09-04 19:03 --------- d-----w C:\Program Files\Google
2008-09-04 19:03 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-09-03 20:18 --------- d-----w C:\Program Files\Microsoft Games
2008-09-03 11:40 278,728 ----a-w C:\Windows\system32\drivers\atksgt.sys
2008-09-03 11:40 25,416 ----a-w C:\Windows\system32\drivers\lirsgt.sys
2008-09-02 19:26 --------- d-----w C:\Program Files\Grabber2k
2008-09-02 09:56 --------- d-----w C:\Program Files\Regio
2008-09-01 17:31 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-09-01 14:27 --------- d-----w C:\ProgramData\Autodesk
2008-09-01 14:27 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-09-01 13:57 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-01 13:55 --------- d-----w C:\Program Files\Java
2008-09-01 13:53 --------- d-----w C:\Program Files\Common Files\Java
2008-09-01 13:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-01 13:19 --------- d-----w C:\Program Files\Autodesk
2008-09-01 11:50 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-01 11:36 --------- d-----w C:\Program Files\MSBuild
2008-09-01 11:36 --------- d-----w C:\Program Files\Microsoft Works
2008-09-01 11:35 --------- d-----w C:\Program Files\Microsoft.NET
2008-09-01 11:33 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-09-01 08:50 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-01 08:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-01 07:58 --------- d-----w C:\Program Files\Windows Sidebar
2008-09-01 07:58 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-09-01 07:58 --------- d-----w C:\Program Files\Windows Journal
2008-09-01 07:58 --------- d-----w C:\Program Files\Windows Defender
2008-09-01 07:58 --------- d-----w C:\Program Files\Windows Collaboration
2008-09-01 07:58 --------- d-----w C:\Program Files\Windows Calendar
2008-08-31 21:20 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-08-31 21:20 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-08-31 21:20 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-08-31 20:59 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-31 20:55 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-31 20:43 --------- d-----w C:\Program Files\Winamp
2008-08-31 20:42 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-08-31 20:22 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-31 20:22 --------- d-----w C:\Program Files\Windows Live
2008-08-31 20:18 --------- d-----w C:\ProgramData\WLInstaller
2008-08-31 20:01 96,976 ----a-w C:\Windows\system32\drivers\klin.dat
2008-08-31 19:58 87,855 ----a-w C:\Windows\system32\drivers\klick.dat
2008-08-31 19:57 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-31 19:56 --------- d-----w C:\ProgramData\Kaspersky Lab Setup Files
2008-08-31 19:44 174 --sha-w C:\Program Files\desktop.ini
2008-08-31 19:29 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-08-31 19:29 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-08-31 19:07 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-08-31 19:07 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-08-31 18:55 --------- d-----w C:\Program Files\Realtek
2008-08-31 18:53 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-08-31 18:53 315,392 ----a-w C:\Windows\HideWin.exe
2008-08-31 18:49 --------- d-----w C:\Program Files\Intel
2008-08-29 17:18 2,302,017 ----a-w C:\Windows\System32\GPhotos.scr
2008-08-02 03:26 36,864 ----a-w C:\Windows\System32\cdd.dll
2008-07-31 07:41 68,616 ----a-w C:\Windows\System32\XAPOFX1_1.dll
2008-07-31 07:41 238,088 ----a-w C:\Windows\System32\xactengine3_2.dll
2008-07-31 07:40 509,448 ----a-w C:\Windows\System32\XAudio2_2.dll
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 28,160 ----a-w C:\Windows\System32\Apphlpdm.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-31 01:13 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-07-29 17:21 218,376 ----a-w C:\Windows\System32\klogon.dll
2008-07-27 18:03 96,760 ----a-w C:\Windows\System32\dfshim.dll
2008-07-27 18:03 83,968 ----a-w C:\Windows\System32\mscories.dll
2008-07-27 18:03 41,984 ----a-w C:\Windows\System32\netfxperf.dll
2008-07-27 18:03 282,112 ----a-w C:\Windows\System32\mscoree.dll
2008-07-27 18:03 158,720 ----a-w C:\Windows\System32\mscorier.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Grabber2k"="C:\Program Files\Grabber2k\grabber2k.exe" [2001-06-24 505856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2008-09-17 612896]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-09-17 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-06 C:\Windows\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\Windows\KHALMNPR.Exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-10-09 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-10-09 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3247666344-3749088440-2375680368-1000]
"EnableNotificationsRef"=dword:00000004

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{942F20C8-CA5E-4EBF-9604-B2EC3805E77F}C:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 2009\\russian\\setup.exe"= UDP:C:\programdata\kaspersky lab setup files\kaspersky anti-virus 2009\russian\setup.exe:Программа установки Антивируса Касперского 2009
"UDP Query User{AD0C0B90-359C-49D6-A81B-649719C57D7C}C:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 2009\\russian\\setup.exe"= TCP:C:\programdata\kaspersky lab setup files\kaspersky anti-virus 2009\russian\setup.exe:Программа установки Антивируса Касперского 2009
"{239E2649-C6DA-488E-9A8A-5E40A9A4B3B2}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{50264C2D-F0C9-43BA-84EC-769791FEF90C}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{5D9DC173-6D13-49CE-B813-9F3D190C20D4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{3CE1F937-C20E-4EDC-96C5-7E7A9DC19571}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{EE46D700-F0F3-4081-8DD9-DF11B7AA4AB1}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{5CD804C4-A296-4DDA-A62F-D4C16C6A3D88}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{831C6297-7A9F-4866-9044-521D73077073}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{264756CC-2E5B-48FF-87D0-D69DA1C69189}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{886B183D-47B6-4E7F-AFB8-A7FAC0BE8F8D}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{260E3595-E70E-4590-BB6A-4304486C0F3F}"= UDP:C:\Games\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{E1AB872C-84D0-4104-BC19-B14693E39042}"= TCP:C:\Games\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"TCP Query User{3E7C9E38-3C5E-4BDD-8DF3-CB1109EEBDB4}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{11198036-7125-4E2E-8D41-8BA555DF5D1D}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent
"{095C44C3-F4A0-4694-8027-27269A9A0B21}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{CF1E8EC7-C2EF-4AA1-8474-169E3B3D79A8}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{11149C5E-E36F-456D-AE07-CFB78C60AE35}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{43EED5FE-E5B2-462F-9038-C5DA0BA2C9CF}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0B2C4B51-F5EC-473A-903C-304055FFFC56}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{B0A0664D-6783-478A-9F9C-D2ABDCC231AA}C:\\program files\\steam\\steamapps\\k3st1n\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\k3st1n\counter-strike source\hl2.exe:hl2
"UDP Query User{852764E3-3E44-4B36-ACD1-3491E91F801D}C:\\program files\\steam\\steamapps\\k3st1n\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\k3st1n\counter-strike source\hl2.exe:hl2
"TCP Query User{E6A0ACEB-B651-47C4-A5B2-D03DF78763F4}C:\\program files\\steam\\steamapps\\k3st1n\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\k3st1n\counter-strike source\hl2.exe:hl2
"UDP Query User{23E90B51-9270-44D6-BBD9-2B4D44C5BBC1}C:\\program files\\steam\\steamapps\\k3st1n\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\k3st1n\counter-strike source\hl2.exe:hl2
"TCP Query User{D533F9D6-2184-48B8-B18F-70BA9D0B3088}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{448DDE1B-F29D-42CB-B4B6-42833B86B8C3}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{F0A98D85-E51A-4892-9B84-DB18BEF605EA}"= UDP:C:\Games\THE SETTLERS - Sanoaan cglascc\base\bin\Settlers6.exe:THE SETTLERS - Sanoaan cglascc
"{FB62B12B-4309-4CC0-9C9E-F71061D7EE6C}"= TCP:C:\Games\THE SETTLERS - Sanoaan cglascc\base\bin\Settlers6.exe:THE SETTLERS - Sanoaan cglascc
"{CFE28CD9-F736-4A7D-A2ED-9CA8E197B1B2}"= UDP:C:\Games\Ghost Recon Advanced Warfighter 2\graw2.exe:Ghost Recon Advanced Warfighter® 2
"{11E6D58F-151D-4050-BEA8-971556EA5815}"= TCP:C:\Games\Ghost Recon Advanced Warfighter 2\graw2.exe:Ghost Recon Advanced Warfighter® 2
"{43AAF56E-A6E4-4429-93DD-D955F058546F}"= UDP:C:\Games\Ghost Recon Advanced Warfighter 2\graw2_dedicated.exe:Ghost Recon Advanced Warfighter® 2 Dedicated Server
"{AF056F43-AF03-47B2-B227-2082054B16CF}"= TCP:C:\Games\Ghost Recon Advanced Warfighter 2\graw2_dedicated.exe:Ghost Recon Advanced Warfighter® 2 Dedicated Server
"{9F0C73ED-85BA-45F9-BE4B-EDACC027CA3C}"= UDP:C:\Games\Codemasters\GRID\GRID.exe:GRID
"{8EE37CE7-51F5-4610-9EC5-F37BC5A40C9F}"= TCP:C:\Games\Codemasters\GRID\GRID.exe:GRID
"{91BA3B39-731D-4E3F-84D3-84A4F0221CE7}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{D7C01BAF-837A-49C7-87D1-5766AEB4D097}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{17E9D88F-AC4E-4BC8-A72A-11B9102A5132}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{0FE1E82A-DBCB-45C8-A605-D2905F5828D0}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{60407856-35D8-4EDB-BD76-05E471EF1CA8}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{2B1AB68A-DF79-4CCE-BE4D-EC7C6DDFB80C}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{8CEE6266-155C-42EC-BCCF-5BF502BAFA93}"= UDP:C:\Games\KONAMI\Pro Evolution Soccer 2009\pes2009.exe:Pro Evolution Soccer 2009
"{02344FB4-D8B0-4041-B7EF-9E876BAA4E95}"= TCP:C:\Games\KONAMI\Pro Evolution Soccer 2009\pes2009.exe:Pro Evolution Soccer 2009

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\Windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2008-07-09 20496]
R3 EMVSCARD;EMVSCARD;C:\Windows\system32\Drivers\EMVSCARD.sys [2006-12-19 20736]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-10-09 87288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a6cc738-779f-11dd-a09b-00508db5cc0b}]
\shell\AutoRun\command - J:\autorun.exe

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Edgar\AppData\Roaming\Mozilla\Firefox\Profiles\gkezaxgi.default\
FF -: plugin - C:\Program Files\Google\Picasa3\npPicasa3.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 20:03:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\Edgar\AppData\Roaming\Microsoft\Windows\Cookies\edgar@mail.google[1].txt 253 bytes


**************************************************************************
.
Completion time: 2008-10-26 20:06:57
ComboFix-quarantined-files.txt 2008-10-26 18:05:53

Pre-Run: 96*217*997*312 байт свободно
Post-Run: 96,426,631,168 байт свободно

274 --- E O F --- 2008-10-26 17:30:05

[katana]

Information



REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

utorrent


Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW. along with any other P2P program/s

Post back a new HijackThis, so we can continue cleaning your pc.



----------------------------------------------------------- ----------------------------------------------------------- -----------------------------------------------------------

ComboFix 08-10-10.07 - Edgar 2008-10-26

The Combofix log you posted is from an old version of ComboFix




Installed Programs

Please could you give me a list of the programs that are installed.

• Start HijackThis
• Click on the Misc Tools button
• Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

[katana]

Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm).
A valid, working link to the closed topic is required.