Suspected Malware Infestation

Status
Not open for further replies.

Nariman

Journeyman
Am using WinXP Pro SP1 along with AVG7 Free Edition, Spybot Search & Destroy, AdAware, SpySweeper, SpywareBlaster, Microsoft AntiSpyware Beta.
Have scanned for virus with online Panda Activescan, RAV Antivirus, Symantec and Housecall. Everything clear.
I suspect my system is somehow infected with some malware because:

a) Can delete all but one or two TMP files like ~DF1572, ~DFF186 in C:\Documents and Settings\username\Local Settings\Temp
On trying to delete get message "...is in use by another application and cannot be accessed."
Even after using GiPo@MoveOnBoot, at the next boot new files crop up.
Even after deleting in Safe Mode, on rebooting new files crop up.



Need expert help to solve my problem.

Nariman
 

cheetah

In the zone
Try some file monitoring software like Process Explorer, Process Viewer, Task killer and kill all the programs which u think are using these files.

Or try WhoLockMe tool to find which program has been using this file.
Search the post named WholockMe; it has been posted by Dexter once. I am unable to find it. In this post u can find the link to WholockMe application.
 

saROMan

QA Juggler
bro there is no harm in these files.....it seems that these files are used by ur Browser/firewall etc...i too was worried..bout it..but they r harmless ....do 1 thing...d/c ur net , close any apps like browser/av etc..and u can delete them .....
 

swatkat

Technomancer
some apps like Antivirus, Firewall put some files in Temp folder, and as these programs r constantly running in background, these files r in use, so u can't delete them....
yes, u can use software WhoLockMe to find out which apps r using that file....

do u have any firewall (especially Kaspersky AntiHacker)? i think these files r of Firewalls?
 

enoonmai

Cyborg Agent
Your temp folder WILL keep seeing new files, that's a given. Every time your computer works and runs software, all temporary files used by the software will run in the Temp folder. You can safely delete all of the temp files in the folder, but it will not allow you to delete some files if they're currently in use by a running application or the file is being used by Windows as a temporary store. This is perfectly normal and not anything to worry about. Just download HJT from here,

*www.majorgeeks.com/download3155.html

run it and post the log it creates back here. We'll tell you if there's any problem with the computer.

NOTE: Make sure you've got Spybot's TeaTimer protection running at all times. If none of these software detect spyware, it's possible that you don't have any. Don't get too paranoid. :D
 

Nariman

Journeyman
Hello enoonmai.
Here is my HJT Log :
By the way, on other systems using WinXP I could easily delete all the .TMP files in the Temp folder.

Logfile of HijackThis v1.98.2
Scan saved at 5:18:48 PM, on 02/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\dap\DAP.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
F:\Download\VX2 & msg118.dll\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.sify.com/bbhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *www.sify.com/bbhome
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\dap\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\dap\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\dap\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - *components.viewpoint.com/MTSInstal...known&unknown&*gameboy.com/sp/vp/content.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - *go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - *security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (MINICLIPTOOLBAR) - *www.miniclip.com/toolbar/minicliptoolbar.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - *security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - *a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - *www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - *download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - *www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - *www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - *ds1.downloadtech.net/cn1060/pcpowerscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFE6409-26A5-4755-BC1A-4762AA3AD71E}: NameServer = 172.16.1.1,202.9.145.6,202.9.136.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA814FDF-87A7-4DF7-8985-76A21C406377}: NameServer = 202.144.115.4,202.144.66.6,202.9.136.6

Nariman
 

vijaythefool

In the zone
How do u use all the spy wares and anti viruses together !

wonder thinking abt ur pc performance .

just keep spooky sites away and u will surely demand a smooth pc .

Anti viruses really sucks
 

kl_ravi

Journeyman
Logfile of HijackThis v1.98.2 - Possibly out of date
C:\WINDOWS\system32\ssoftsrv.exe - Unknown
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.sify.com/bbhome - Possibly nasty
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *www.sify.com/bbhome - Possibly nasty
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - *components.viewpoint.com/MTSInstal...nunknownhttp://gameboy.com/sp/vp/content.html - Possibly nasty
O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (MINICLIPTOOLBAR) - *www.miniclip.com/toolbar/minicliptoolbar.cab - Nasty
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - *www.nick.com/common/groove/gx/GrooveAX27.cab - Possibly nasty
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - *ds1.downloadtech.net/cn1060/pcpowerscan.cab - Possibly nasty
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFE6409-26A5-4755-BC1A-4762AA3AD71E}: NameServer = 172.16.1.1,202.9.145.6,202.9.136.6 - Possibly nasty
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA814FDF-87A7-4DF7-8985-76A21C406377}: NameServer = 202.144.115.4,202.144.66.6,202.9.136.6 - Possibly nasty
 

swatkat

Technomancer
Nariman said:
Hello enoonmai.
Here is my HJT Log :
By the way, on other systems using WinXP I could easily delete all the .TMP files in the Temp folder.

Nariman

Uninstall these softwares, if u find them in Add/Remove Programs:-
1]Advanced Search bar
2]Miniclip toolbar
3]ViewPoint
Above programs r classified as Adwares/Spywares....

ssoftsrv.exe is a file related to Cryptainer LE, Free Encryption software, u can leave it as it is.
Now, Check the red entry in the HJT and click Fix.

Restart in Safe Mode, and delete these files (use Search feature of Windows to find the files):-
1]Toolbar.dll
and also delete the folder containing Toolbar.dll.....do not delete the folder if it's a Windows default Folder.........

download and run CCleaner.....
*www.ccleaner.com/
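
The triage done by eye in the reply above, as an added example that is not part of any post in this thread: it parses HijackThis entry lines into section code and GUID, then lists the entries that mention the three products named for removal. The sample lines are excerpted from the log posted in this thread; the keyword spellings, field names and function names are assumptions of the example.

```python
import re
from collections import defaultdict

# What each HijackThis section code in the posted log refers to.
SECTIONS = {
    "R0": "IE start/search page", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "Run-key autostart",
    "O8": "IE context-menu item", "O9": "IE extra button / Tools item",
    "O12": "IE plugin", "O16": "ActiveX control (DPF)",
    "O17": "DNS / name-server setting",
}
ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption: keywords spelled the way the log spells the three named products.
KEYWORDS = ["Advanced Searchbar", "miniclip", "viewpoint"]

# Excerpt of the log posted in this thread: header, one process, seven entries.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - *components.viewpoint.com/MTSInstal...known&unknown&*gameboy.com/sp/vp/content.html
O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (MINICLIPTOOLBAR) - *www.miniclip.com/toolbar/minicliptoolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BFE6409-26A5-4755-BC1A-4762AA3AD71E}: NameServer = 172.16.1.1,202.9.145.6,202.9.136.6
"""

def parse_log(text):
    """Return one dict per 'Rn - ...' / 'On - ...' line; skip everything else."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process paths, blank lines
        guid = GUID.search(m.group("body"))
        entries.append({
            "code": m.group("code"),
            "section": SECTIONS.get(m.group("code"), "unknown section"),
            "guid": guid.group(0).upper() if guid else None,
            "body": m.group("body"),
        })
    return entries

def review(entries, keywords=KEYWORDS):
    """Map each keyword to the entries whose text mentions it (case-insensitive)."""
    hits = defaultdict(list)
    for e in entries:
        low = e["body"].lower()
        for kw in keywords:
            if kw.lower() in low:
                hits[kw].append(e)
                break
    return dict(hits)

if __name__ == "__main__":
    for kw, found in review(parse_log(SAMPLE_LOG)).items():
        for e in found:
            print(f"{kw:20} {e['code']:4} {e['section']:30} {e['guid']}")
```

The two O9 lines share one GUID, so the extra button and the Tools menu item are a single registration to review, not two.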
 

enoonmai

Cyborg Agent
There you go, follow everything swatkat has said and you should be OK. BTW, is it just me? I find it very funny that you have all these anti-spyware programs installed but still face this problem.
Make sure you update Spybot's signature library often and make sure you open the Spybot program and click the "Immunize" button to block all known bad products. Also, make sure you don't turn off the TeaTimer program and when it asks you to install/confirm a major registry change and you don't know what the program/change is, be safe and click the "Deny Change" button.
 

Nariman

Journeyman
Thanks enoonmai & swatkat.
Will do so and get back as soon as connectivity to my home computer is established within the next few days.
At present accessing the net from a friend's computer.
Nariman
 

Nariman

Journeyman
Hi Guys.
Thanks for sticking by me.
Have done as suggested but no go.
You must be wondering why I am insisting on deleting the .TMP files.
Well, while installing "PRO REVOLTION SOCCER DEMO VER2" from a DVD as well as one downloaded, after the whole thing finished I would get message "ERROR 1628 - Failed to complete installation."
On checking up ERROR 1628 at *consumer.installshield.com/kb.asp?id=Q108464 one of the reasons for this message may also occur if a file in the Temp directory is conflicting with the files being used by the installation while it is being run. It suggested to fix this delete the entire contents of the Temp directory.
Anyway, to cut a long story short, I had one of my software acquaintances over yesterday and explained my problem.
In no time he solved my problem. What he did I could not follow as he was very fast. Anyway, he also installed SP2 and thereafter the program installed without any hassle.
Anyway, one thing you guys said, that I need not worry about these .TMP files, is correct.
My acquaintance confirmed this.
So thanks a lot guys once more for sticking with me.
Nariman
 