Is it heap41a virus

I am posting log file of HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:10 PM, on 2/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\STacSV.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
C:\heap41a\svchost.exe
D:\Program Files\Softwin\BitDefender10\bdagent.exe
D:\WINDOWS\sttray.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\Administrator\Desktop\Hijack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
R3 - URLSearchHook: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\PROGRA~1\REDIFF~2\tbu8\redifftoolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTBPos00 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - D:\PROGRA~1\REDIFF~2\tbu8\REDIFF~1.DLL
O3 - Toolbar: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\PROGRA~1\REDIFF~2\tbu8\redifftoolbar.dll
O4 - HKLM\..\Run: [BDMCon] D:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "D:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\PROGRA~1\REDIFF~2\tbu8\redifftoolbar.dll
O9 - Extra 'Tools' menuitem: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - D:\PROGRA~1\REDIFF~2\tbu8\redifftoolbar.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - D:\WINDOWS\system32\STacSV.exe

--
End of file - 5239 bytes


There is also a folder in C drive with name heap41a, containing 2 files:
std.txt and svchost.exe

contents of std.txt are :

; IMPORTANT INFO ABOUT GETTING STARTED: Lines that start with a
; semicolon, such as this one, are comments. They are not executed.

; This script has a special filename and path because it is automatically
; launched when you run the program directly. Also, any text file whose
; name ends in .ahk is associated with the program, which means that it
; can be launched simply by double-clicking it. You can have as many .ahk
; files as you want, located in any folder. You can also run more than
; one ahk file simultaneously and each will get its own tray icon.

; Please read the QUICK-START TUTORIAL near the top of the help file.
; It explains how to perform common automation tasks such as sending
; keystrokes and mouse clicks. It also explains how to use hotkeys.

; SAMPLE HOTKEYS: Below are two sample hotkeys. The first is Win+Z and it
; launches a web site in the default browser. The second is Control+Alt+N
; and it launches a new Notepad window (or activates an existing one). To
; try out these hotkeys, run AutoHotkey again, which will load this file.

#z::Run www.autohotkey.com

^!n::
IfWinExist Untitled - Notepad
WinActivate
else
Run Notepad
return


; Note: From now on whenever you run AutoHotkey directly, this script
; will be loaded. So feel free to customize it to suit your needs.



What to do now?

Last edited by pratima mishra on 4th February 2009, 10:19 am; edited 3 times in total

My antivirus icon from system tray is removed by this virus/trojan.
XP is not making thumbnail of picture files (jpg etc) files. When I am trying to open pictures by using "windows picture and fax viewer", a message is coming on screen "Error loading D:\windows\system32\shimgvw.dll Invalid access to memory location".....Where D is my windows drive(boot drive).

tryting to copy paste anything brings my system to hang

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
  O4 - HKLM\..\Policies\Explorer\Run: [status] present
  O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
  O4 - HKUS\S-1-5-19\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
  O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
  O4 - HKUS\S-1-5-20\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
  O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
  O4 - HKUS\S-1-5-18\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
  O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [msnsc] D:\WINDOWS\system32\msnsc.exe (User 'Default user')
  O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
  O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

log of Malware bytes

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/8/2009 5:20:22 PM
mbam-log-2009-02-08 (17-20-22).txt

Scan type: Quick Scan
Objects scanned: 54473
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xbtb00001.ietoolbar (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{b36cb30a-6ed9-4c62-9a8a-7de9fa234608} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbbe1c1a-89f7-4af6-abd1-f8fbcfa47408} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbbe1c1a-89f7-4af6-abd1-f8fbcfa47408} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbbe1c1a-89f7-4af6-abd1-f8fbcfa47408} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb00001.ietoolbar.1 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb00001.xbtb00001 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb00001.xbtb00001.1 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Program Files\Rediff Toolbar\tbu8\redifftoolbar.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\msnsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

What to do next?

Please tell me, what should I do next?

Here is DDS.txt :


DDS (Ver_09-02-01.01) - NTFSx86
Run by Pratima at 20:48:12.73 on Sun 02/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.653 [GMT 0:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\STacSV.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Softwin\BitDefender10\bdagent.exe
D:\WINDOWS\sttray.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Microsoft Office\Office12\WINWORD.EXE
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Documents and Settings\Pratima\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
uSearch Bar = hxxp://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
mSearchAssistant = hxxp://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
uURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~1\office12\GRA8E1~1.DLL
TB: {12F02779-6D88-4958-8AD3-83C12D86ADC7} - No File
uRun: [Yahoo! Pager] "d:\program files\yahoo!\messenger\ypager.exe" -quiet
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "d:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
mRun: [BDMCon] d:\progra~1\softwin\bitdef~1\bdmcon.exe
mRun: [BDAgent] "d:\program files\softwin\bitdefender10\bdagent.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IgfxTray] d:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] d:\windows\system32\hkcmd.exe
mRun: [Persistence] d:\windows\system32\igfxpers.exe
mRun: [RoxioEngineUtility] "d:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "d:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [googletalk] d:\program files\google\google talk\googletalk.exe /autostart
mRun: [NeroFilterCheck] d:\program files\common files\nero\lib\NeroCheck.exe
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - d:\progra~1\yahoo!\messen~1\YPager.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\progra~1\micros~1\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\pratima\applic~1\mozilla\firefox\profiles\uybr3wdc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
d:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\d:\windows\system32\drivers\jomifn.sys --> d:\windows\system32\drivers\jomifn.sys [?]
S2 hifka;Monitor Windows;d:\windows\system32\svchost.exe -k netsvcs [2006-1-13 14336]

=============== Created Last 30 ================

2009-02-08 17:39 32,592 a------- d:\windows\system32\msonpmon.dll
2009-02-08 17:35 --d----- d:\windows\SHELLNEW
2009-02-08 17:13 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-02-08 17:13 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 17:13 --d----- d:\program files\Malwarebytes' Anti-Malware
2009-02-08 17:13 --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-08 17:06 --d----- d:\program files\Trend Micro
2009-02-04 16:17 --d----- d:\program files\Uniblue
2009-02-04 16:17 --d----- d:\docume~1\alluse~1\applic~1\DriverScanner
2009-02-04 16:13 -cd-h--- d:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-02-04 15:50 --d-h--- d:\windows\system32\GroupPolicy
2009-02-04 15:07 69 a------- d:\windows\NeroDigital.ini
2009-02-04 14:23 --d----- d:\program files\Nero
2009-02-04 14:23 --d----- d:\docume~1\alluse~1\applic~1\Nero
2009-02-03 01:02 --ds---- d:\documents and settings\pratima\UserData
2009-02-02 19:40 --d----- d:\documents and settings\Pratima
2009-01-30 17:27 --d----- d:\program files\Roxio
2009-01-30 17:15 --d----- d:\program files\Rediff Toolbar
2009-01-30 17:15 --d----- d:\program files\Rediff Bol
2009-01-30 17:15 --d----- d:\windows\system32\LogFiles
2009-01-30 17:11 2,309 a------- d:\windows\mozver.dat
2009-01-29 23:35 --d----- D:\My Music
2009-01-29 22:48 172,032 a----r-- d:\windows\system32\igfxres.dll
2009-01-29 16:19 --d----- d:\program files\Yahoo!
2009-01-29 16:07 171,776 a------- d:\windows\system32\drivers\kmixer.sys
2009-01-29 16:07 52,864 a------- d:\windows\system32\drivers\DMusic.sys
2009-01-29 16:07 54,272 a------- d:\windows\system32\drivers\swmidi.sys
2009-01-29 16:07 142,464 a------- d:\windows\system32\drivers\aec.sys
2009-01-29 16:07 6,400 a------- d:\windows\system32\drivers\splitter.sys
2009-01-29 16:04 --d----- d:\program files\Realtek
2009-01-29 16:02 2,944 a------- d:\windows\system32\drivers\drmkaud.sys
2009-01-29 16:02 60,800 a------- d:\windows\system32\drivers\sysaudio.sys
2009-01-29 16:02 7,552 a------- d:\windows\system32\drivers\MSKSSRV.sys
2009-01-29 16:02 4,992 a------- d:\windows\system32\drivers\MSPQM.sys
2009-01-29 16:02 5,376 a------- d:\windows\system32\drivers\MSPCLOCK.sys
2009-01-29 16:01 5,398,528 a----r-- d:\windows\system32\IDTSG.cpl
2009-01-29 16:01 2,187,264 a----r-- d:\windows\system32\stlang.dll
2009-01-29 16:01 475,136 a----r-- d:\windows\sttray.exe
2009-01-29 16:01 94,208 a----r-- d:\windows\system32\stacsv.exe
2009-01-29 16:01 145,920 a------- d:\windows\system32\drivers\portcls.sys
2009-01-29 16:01 130,048 a------- d:\windows\system32\ksproxy.ax
2009-01-29 16:01 60,288 a------- d:\windows\system32\drivers\drmk.sys
2009-01-29 16:01 4,096 a------- d:\windows\system32\ksuser.dll
2009-01-29 16:00 144,896 a----r-- d:\windows\system32\staco.dll
2009-01-29 16:00 1,222,840 a----r-- d:\windows\system32\drivers\sthda.sys
2009-01-29 16:00 270,336 a----r-- d:\windows\system32\stacapi.dll
2009-01-29 16:00 --d----- d:\program files\SigmaTel
2009-01-29 15:58 204,800 a----r-- d:\windows\system32\igfxCoIn_v4785.dll
2009-01-29 15:58 176,128 a----r-- d:\windows\system32\igfxrsky.lrc
2009-01-29 15:58 172,032 a----r-- d:\windows\system32\igfxrslv.lrc
2009-01-29 15:58 5,700,096 a----r-- d:\windows\system32\drivers\igxpmp32.sys
2009-01-29 15:58 2,555,904 a------- d:\windows\system32\igxpdx32.dll
2009-01-29 15:58 1,612,576 a------- d:\windows\system32\igxpdv32.dll
2009-01-29 15:58 149,504 a------- d:\windows\system32\igxpgd32.dll
2009-01-29 15:58 57,344 a------- d:\windows\system32\igxprd32.dll
2009-01-29 15:58 --d----- d:\windows\system32\ReinstallBackups
2009-01-29 15:57 319,456 a----r-- d:\windows\system32\difxapi.dll
2009-01-29 15:57 121,232 a----r-- d:\windows\system32\IScrNBR.bmp
2009-01-29 15:57 121,232 a----r-- d:\windows\system32\IScrNB.bmp
2009-01-29 15:57 --d----- d:\windows\system32\Lang
2009-01-29 15:57 393,216 a----r-- d:\windows\system32\igxpun.exe
2009-01-29 15:57 --d----- D:\Intel
2009-01-29 15:55 --d----- d:\windows\system32\Tools
2009-01-29 15:53 4,864 a----r-- d:\windows\system32\drivers\PortIo.sys
2009-01-29 15:30 81,984 a------- d:\windows\system32\bdod.bin
2009-01-29 15:26 --d----- d:\program files\Softwin
2009-01-29 15:26 --d----- d:\docume~1\alluse~1\applic~1\BitDefender
2009-01-29 15:26 --d----- d:\program files\common files\Softwin
2009-01-29 15:09 --ds---- d:\windows\system32\Microsoft
2009-01-29 15:09 8,192 a------- d:\windows\REGLOCS.OLD
2009-01-29 14:54 2,577 a------- d:\windows\system32\CONFIG.NT
2009-01-29 14:54 0 a------- d:\windows\control.ini
2009-01-29 14:54 23,392 a------- d:\windows\system32\nscompat.tlb
2009-01-29 14:54 16,832 a------- d:\windows\system32\amcompat.tlb
2009-01-29 14:54 316,640 a------- d:\windows\WMSysPr9.prx
2009-01-29 14:53 --dsh--- d:\documents and settings\all users\DRM
2009-01-29 14:53 488 a---hr-- d:\windows\system32\WindowsLogon.manifest
2009-01-29 14:53 488 a---hr-- d:\windows\system32\logonui.exe.manifest
2009-01-29 14:53 --ds---- d:\windows\Downloaded Program Files
2009-01-29 14:53 --d--r-- d:\windows\Offline Web Pages
2009-01-29 14:53 749 a---hr-- d:\windows\WindowsShell.Manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\wuaucpl.cpl.manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\sapi.cpl.manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\nwc.cpl.manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\ncpa.cpl.manifest
2009-01-29 14:53 749 a---hr-- d:\windows\system32\cdplayer.exe.manifest
2009-01-29 14:53 --d-h--- d:\program files\WindowsUpdate
2009-01-29 14:53 --d----- d:\program files\Online Services
2009-01-29 14:53 --d----- d:\windows\system32\DirectX
2009-01-29 14:52 --d----- d:\program files\common files\MSSoap
2009-01-29 14:51 --d----- d:\program files\Unlocker
2009-01-29 14:48 --d----- d:\program files\MSN Messenger
2009-01-29 14:47 --d----- d:\program files\Windows NT
2009-01-29 14:43 --d----- d:\program files\common files\ODBC
2009-01-29 14:43 --d--r-- d:\documents and settings\all users\Documents

==================== Find3M ====================

2009-02-04 16:09 86,327 a------- d:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-29 16:04 315,392 a------- d:\windows\HideWin.exe
2009-01-29 14:51 21,640 a------- d:\windows\system32\emptyregdb.dat
2006-01-13 01:58 164,228 a--shr-- d:\windows\system32\ffofhj.dll

============= FINISH: 20:48:20.03 ===============


Now what?

Here the text of combofix in two parts as it is showing the message is too big


ComboFix 09-02-07.01 - Pratima 2009-02-08 21:29:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.683 [GMT 0:00]
Running from: d:\documents and settings\Pratima\Desktop\Combo-Fix.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\autorun.inf
H:\cayiah.cmd
H:\tdgscr.pif

.
((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 17:39 . 2006-10-26 19:56 32,592 --a------ d:\windows\system32\msonpmon.dll
2009-02-08 17:38 . 2009-02-08 17:38 d-------- d:\program files\MSBuild
2009-02-08 17:38 . 2009-02-08 17:38 d-------- d:\program files\Microsoft Works
2009-02-08 17:35 . 2009-02-08 17:38 d-------- d:\windows\SHELLNEW
2009-02-08 17:34 . 2009-02-08 17:34 dr-h----- D:\MSOCache
2009-02-08 17:34 . 2009-02-08 17:39 d-------- d:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-08 17:13 . 2009-02-08 17:13 d-------- d:\program files\Malwarebytes' Anti-Malware
2009-02-08 17:13 . 2009-02-08 17:13 d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-08 17:13 . 2009-02-08 17:13 d-------- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-08 17:13 . 2009-01-14 16:11 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 17:13 . 2009-01-14 16:11 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-02-08 17:06 . 2009-02-08 17:06 d-------- d:\program files\Trend Micro
2009-02-04 16:17 . 2009-02-04 16:17 d-------- d:\program files\Uniblue
2009-02-04 16:17 . 2009-02-04 16:20 d-------- d:\documents and settings\All Users\Application Data\DriverScanner
2009-02-04 16:17 . 2009-02-04 16:17 d-------- d:\documents and settings\Administrator\Application Data\Uniblue
2009-02-04 16:13 . 2009-02-04 16:17 d--h-c--- d:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-02-04 15:50 . 2009-02-04 15:50 d--h----- d:\windows\system32\GroupPolicy
2009-02-04 15:07 . 2009-02-08 17:35 69 --a------ d:\windows\NeroDigital.ini
2009-02-04 14:29 . 2009-02-04 14:29 d-------- d:\documents and settings\Administrator\Application Data\Nero
2009-02-04 14:23 . 2009-02-04 14:23 d-------- d:\program files\Nero
2009-02-04 14:23 . 2009-02-04 14:25 d-------- d:\program files\Common Files\Nero
2009-02-04 14:23 . 2009-02-04 14:23 d-------- d:\documents and settings\All Users\Application Data\Nero
2009-02-03 01:02 . 2009-02-03 01:02 d---s---- d:\documents and settings\Pratima\UserData
2009-02-02 19:40 . 2009-02-08 21:24 d-------- d:\documents and settings\Pratima
2009-02-02 19:31 . 2009-02-02 19:31 d---s---- d:\documents and settings\Alok\UserData
2009-01-31 08:37 . 2009-02-07 23:00 d-------- d:\documents and settings\Alok
2009-01-30 20:34 . 2009-01-30 20:34 d-------- d:\program files\Google
2009-01-30 17:27 . 2009-01-30 17:27 d-------- d:\program files\Roxio
2009-01-30 17:27 . 2009-01-30 17:27 d-------- d:\program files\Common Files\Roxio Shared
2009-01-30 17:18 . 2009-01-30 17:18 d-------- d:\documents and settings\Administrator\Application Data\Rediff.com
2009-01-30 17:15 . 2009-01-30 17:15 d-------- d:\windows\system32\LogFiles
2009-01-30 17:15 . 2009-01-30 17:15 d-------- d:\program files\Rediff Toolbar
2009-01-30 17:15 . 2009-01-30 17:15 d-------- d:\program files\Rediff Bol
2009-01-30 17:11 . 2009-01-30 17:11 2,309 --a------ d:\windows\mozver.dat
2009-01-30 17:11 . 2009-01-30 17:11 0 --a------ d:\windows\nsreg.dat
2009-01-29 23:35 . 2009-01-29 23:35 d-------- D:\My Music
2009-01-29 23:15 . 2009-01-29 23:15 d---s---- d:\documents and settings\Anurag\UserData
2009-01-29 22:48 . 2009-02-08 17:01 d-------- d:\documents and settings\Anurag
2009-01-29 22:48 . 2007-02-26 02:33 172,032 -ra------ d:\windows\system32\igfxres.dll
2009-01-29 16:19 . 2009-01-29 16:19 d-------- d:\program files\Yahoo!
2009-01-29 16:07 . 2006-01-06 15:53 171,776 --a------ d:\windows\system32\drivers\kmixer.sys
2009-01-29 16:07 . 2006-01-06 15:53 142,464 --a------ d:\windows\system32\drivers\aec.sys
2009-01-29 16:07 . 2006-01-06 15:53 54,272 --a------ d:\windows\system32\drivers\swmidi.sys
2009-01-29 16:07 . 2006-01-06 15:53 52,864 --a------ d:\windows\system32\drivers\DMusic.sys
2009-01-29 16:07 . 2006-01-06 15:53 6,400 --a------ d:\windows\system32\drivers\splitter.sys
2009-01-29 16:04 . 2009-01-29 16:04 d-------- d:\program files\Realtek
2009-01-29 16:02 . 2006-01-06 15:53 60,800 --a------ d:\windows\system32\drivers\sysaudio.sys
2009-01-29 16:02 . 2006-01-06 15:53 7,552 --a------ d:\windows\system32\drivers\MSKSSRV.sys
2009-01-29 16:02 . 2006-01-06 15:53 5,376 --a------ d:\windows\system32\drivers\MSPCLOCK.sys
2009-01-29 16:02 . 2006-01-06 15:53 4,992 --a------ d:\windows\system32\drivers\MSPQM.sys
2009-01-29 16:02 . 2006-01-06 15:53 2,944 --a------ d:\windows\system32\drivers\drmkaud.sys
2009-01-29 16:01 . 2007-05-07 03:15 5,398,528 -ra------ d:\windows\system32\IDTSG.cpl
2009-01-29 16:01 . 2007-05-06 09:10 2,187,264 -ra------ d:\windows\system32\stlang.dll
2009-01-29 16:01 . 2007-05-06 09:10 475,136 -ra------ d:\windows\sttray.exe
2009-01-29 16:01 . 2006-01-06 15:53 145,920 --a------ d:\windows\system32\drivers\portcls.sys
2009-01-29 16:01 . 2006-01-06 15:53 130,048 --a------ d:\windows\system32\ksproxy.ax
2009-01-29 16:01 . 2007-05-06 09:11 94,208 -ra------ d:\windows\system32\stacsv.exe
2009-01-29 16:01 . 2006-01-06 15:53 60,288 --a------ d:\windows\system32\drivers\drmk.sys
2009-01-29 16:01 . 2006-01-06 15:53 4,096 --a------ d:\windows\system32\ksuser.dll
2009-01-29 16:00 . 2009-01-29 16:00 d-------- d:\program files\SigmaTel
2009-01-29 16:00 . 2009-01-29 16:04 d--h----- d:\program files\InstallShield Installation Information
2009-01-29 16:00 . 2007-05-06 09:12 1,222,840 -ra------ d:\windows\system32\drivers\sthda.sys
2009-01-29 16:00 . 2007-05-06 09:11 270,336 -ra------ d:\windows\system32\stacapi.dll
2009-01-29 16:00 . 2007-05-06 09:11 144,896 -ra------ d:\windows\system32\staco.dll
2009-01-29 15:58 . 2007-02-26 03:59 5,700,096 -ra------ d:\windows\system32\drivers\igxpmp32.sys
2009-01-29 15:58 . 2007-02-26 03:59 2,555,904 --a------ d:\windows\system32\igxpdx32.dll
2009-01-29 15:58 . 2007-02-26 03:58 1,612,576 --a------ d:\windows\system32\igxpdv32.dll
2009-01-29 15:58 . 2007-02-26 04:34 204,800 -ra------ d:\windows\system32\igfxCoIn_v4785.dll
2009-01-29 15:58 . 2007-02-26 02:36 176,128 -ra------ d:\windows\system32\igfxrsky.lrc
2009-01-29 15:58 . 2007-02-26 02:36 172,032 -ra------ d:\windows\system32\igfxrslv.lrc
2009-01-29 15:58 . 2007-02-26 03:58 149,504 --a------ d:\windows\system32\igxpgd32.dll
2009-01-29 15:58 . 2007-02-26 03:58 57,344 --a------ d:\windows\system32\igxprd32.dll
2009-01-29 15:57 . 2009-01-29 15:57 d-------- d:\windows\system32\Lang
2009-01-29 15:57 . 2009-01-29 15:57 d----c--- d:\windows\system32\DRVSTORE
2009-01-29 15:57 . 2009-01-29 15:57 d-------- d:\program files\Intel
2009-01-29 15:57 . 2009-01-29 15:57 d-------- D:\Intel
2009-01-29 15:57 . 2007-03-02 06:23 393,216 -ra------ d:\windows\system32\igxpun.exe
2009-01-29 15:57 . 2006-11-10 00:25 319,456 -ra------ d:\windows\system32\difxapi.dll
2009-01-29 15:57 . 2006-01-23 02:29 121,232 -ra------ d:\windows\system32\IScrNBR.bmp
2009-01-29 15:57 . 2006-01-23 02:29 121,232 -ra------ d:\windows\system32\IScrNB.bmp
2009-01-29 15:55 . 2009-01-29 15:56 d-------- d:\windows\system32\Tools
2009-01-29 15:55 . 2009-01-30 17:27 d-------- d:\program files\Common Files\InstallShield
2009-01-29 15:53 . 2006-12-26 12:31 4,864 -ra------ d:\windows\system32\drivers\PortIo.sys
2009-01-29 15:30 . 2009-01-30 17:15 81,984 --a------ d:\windows\system32\bdod.bin
2009-01-29 15:26 . 2009-01-29 15:26 d-------- d:\program files\Common Files\Softwin
2009-01-29 15:26 . 2009-02-08 21:24 d-------- d:\documents and settings\All Users\Application Data\BitDefender
2009-01-29 15:09 . 2009-01-29 15:09 d---s---- d:\windows\system32\Microsoft
2009-01-29 15:09 . 2009-01-29 15:09 d--hs---- d:\documents and settings\LocalService
2009-01-29 15:09 . 2009-02-08 17:53 d-------- d:\documents and settings\Administrator
2009-01-29 15:09 . 2009-01-29 15:09 8,192 --a------ d:\windows\REGLOCS.OLD
2009-01-29 15:08 . 2009-01-29 15:08 d--hs---- d:\documents and settings\NetworkService

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 20:54 --------- d-----w d:\program files\Common Files\Adobe
2009-01-29 16:04 315,392 ----a-w d:\windows\HideWin.exe
2009-01-29 14:51 --------- d-----w d:\program files\Unlocker
2009-01-29 14:48 --------- d-----w d:\program files\MSN Messenger
2009-01-30 17:11 61,038 ----a-w d:\program files\mozilla firefox\components\jar50.dll
2009-01-30 17:11 49,256 ----a-w d:\program files\mozilla firefox\components\jsd3250.dll
2009-01-30 17:11 166,000 ----a-w d:\program files\mozilla firefox\components\xpinstal.dll
2006-01-13 01:58 164,228 --sha-r d:\windows\system32\ffofhj.dll
.

------- Sigcheck -------

2006-01-13 02:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 d:\windows\system32\drivers\tcpip.sys

2006-01-13 01:46 1075200 2deaca71a7fd77205f59d48d76b2f565 d:\windows\explorer.exe

2006-01-13 01:45 193816 0e6e611ff38eaa736d76a490df6558f8 d:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="d:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-19 3158016]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-15 202024]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2006-01-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2007-02-26 204800]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2007-02-26 229376]
"Persistence"="d:\windows\system32\igfxpers.exe" [2007-02-26 200704]
"RoxioEngineUtility"="d:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 135168]
"RoxioDragToDisc"="d:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-01-09 937984]
"googletalk"="d:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3817472]
"NeroFilterCheck"="d:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 226864]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SigmatelSysTrayApp"="sttray.exe" [2007-05-06 d:\windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="d:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\WINDOWS\\system32\\regsvr32.exe"=
"d:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\WINDOWS\\system32\\wuauclt.exe"=
"d:\\WINDOWS\\system32\\hkcmd.exe"=
"d:\\WINDOWS\\sttray.exe"=
"d:\\WINDOWS\\system32\\igfxtray.exe"=
"d:\\WINDOWS\\system32\\igfxpers.exe"=
"d:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE"=
"d:\\WINDOWS\\system32\\igfxsrvc.exe"=
"d:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"d:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"d:\\Program Files\\Common Files\\Nero\\Lib\\NeroCheck.exe"=
"d:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\WINDOWS\\system32\\msiexec.exe"=
"d:\\WINDOWS\\system32\\cscript.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1518:TCP"= 1518:TCP:laqvrppt

R3 abp470n5;abp470n5;\??\d:\windows\system32\drivers\jomifn.sys --> d:\windows\system32\drivers\jomifn.sys [?]
S2 hifka;Monitor Windows;d:\windows\system32\svchost.exe -k netsvcs [2006-01-13 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hifka

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{218e72aa-ee17-11dd-8a34-001921442997}]
\shELL\AutOPlay\cOMmaNd - H:\hsgeyo.cmd
\shELL\AutoRun\command - H:\hsgeyo.cmd
\shELL\eXpLorE\CommaNd - H:\hsgeyo.cmd
\shELL\oPeN\commAnd - H:\hsgeyo.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{877b89c8-f161-11dd-8a51-001921442997}]
\Shell\AutoRun\command - H:\dsncb.exe
\Shell\Explore\Command - H:\dsncb.exe
\Shell\Open\Command - H:\dsncb.exe
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Pratima\Application Data\Mozilla\Firefox\Profiles\uybr3wdc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 21:32:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hifka]
"ServiceDll"="d:\windows\system32\ffofhj.dll"
.
Completion time: 2009-02-08 21:34:32 - machine was rebooted
Ok.

ComboFix-quarantined-files.txt 2009-02-08 21:34:31

Pre-Run: 23,459,414,016 bytes free
Post-Run: 23,473,340,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(4)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

241

Now what to do?

Format.
You have an infection called sality, it's a file infector.
There is nothing we can do now, formatting is the only option.

DO NOT backup any .exe or .scr

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.